Semgrep
Semgrep is a static application security testing (SAST) tool that also includes software composition analysis (SCA). It detects security vulnerabilities in your code and analyzes your open-source dependencies for known vulnerabilities. You can use it to scan local repositories or integrate it into your CI/CD pipeline.
Integrating Semgrep with Cortex allows you to:
Display the latest scans and vulnerability data
Create that track progress and drive alignment on projects involving Semgrep security data, allowing you to address and remediate vulnerabilities more efficiently
Before getting started:
Create an with and permissions.
In Cortex, navigate to the :
In Cortex, click your avatar in the lower left corner, then click Settings.
Under "Integrations", click Semgrep.
Click Add configuration.
Configure the Semgrep integration form:
Alias: Enter an alias for this integration.
API key: Enter the value of the API token you created in Semgrep.
Organization ID: Enter your organization ID for Semgrep.
Organization slug: Enter your organization slug for Semgrep.
Click Save.
After saving your configuration, you are redirected to the Semgrep integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Semgrep was configured properly.
If your Semgrep project names don’t cleanly match the Cortex entity name or tag, you can override this in the Cortex entity descriptor.
in the Code & security block in the entity's overview:
in the entity's sidebar in Code & security.
This page contains scan results and vulnerability metrics from Semgrep. Click Filter at the top of the vulnerability list to filter by severity.
With the Semgrep integration, you can create Scorecard rules and write CQL queries based on Semgrep projects.
The following options are available to get assistance from the Cortex Customer Engineering team:
Chat: Available in the Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.
Don’t have a Slack channel? Talk with your Customer Success Manager.
By default, Cortex will use the (e.g. my-service) as the "best guess" for Semgrep projects. For example, if your entity name is "My Service" or your tag is my-service, then the corresponding project name in Semgrep should also be "My Service" or my-service.
Under the x-cortex-semgrep block in an , you can define the projects you want based on the Semgrep project ID. For example:
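The following descriptor fragment is an added illustration of the override described above; it is not taken from this page or from Cortex's own documentation. The `openapi`, `info`, `title` and `x-cortex-tag` fields follow the usual Cortex entity descriptor layout, while the `projects` and `projectId` key names under `x-cortex-semgrep` are assumptions, and the project ID shown is a constructed placeholder:

```yaml
# Added example (not from the page): a cortex.yaml entity descriptor for a
# service whose Semgrep project name does not match the entity name or tag,
# so the Semgrep project is pinned explicitly by its project ID.
openapi: 3.0.1
info:
  title: My Service
  x-cortex-tag: my-service
  x-cortex-semgrep:
    # ASSUMED key names: 'projects' and 'projectId' are illustrative only;
    # check the Cortex entity descriptor reference for the exact schema.
    projects:
      - projectId: 123456   # placeholder: replace with your Semgrep project ID
```

With an explicit mapping in place, the Code & security view for the entity is populated from the listed Semgrep project rather than from a name-based guess, which also keeps Scorecard rules and CQL queries that depend on Semgrep data from silently evaluating against the wrong (or no) project.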
Semgrep vulnerabilities and scans appear on :
See more examples in the in Cortex.
Email: , or open a support ticket in the in-app Resource Center