Semgrep

Semgrep is a static application security testing (SAST) tool that also includes software composition analysis (SCA). It detects security vulnerabilities in your code and analyzes your open-source dependencies for known vulnerabilities. You can use it to scan local repositories or integrate it into your CI/CD pipeline.

Integrating Semgrep with Cortex allows you to:

  • Display the latest scans and vulnerability data on entity details pages in Cortex

  • Create Scorecards that track progress and drive alignment on projects involving Semgrep security data, allowing you to address and remediate vulnerabilities more efficiently

How to configure Semgrep with Cortex

Prerequisites

Before getting started:

  • Create an API token in Semgrep with the "GET scan details" and "GET List code or supply chain findings" permissions. The token only needs read access; Cortex reads scan and finding data and does not write back to Semgrep.

Configure the integration in Cortex

  1. In Cortex, navigate to the Semgrep settings page:

    1. In Cortex, click your avatar in the lower left corner, then click Settings.

    2. Under "Integrations", click Semgrep.

  2. Click Add configuration.

  3. Configure the Semgrep integration form:

    • Alias: Enter an alias for this integration.

    • API key: Enter the value of the API token you created in Semgrep.

    • Organization ID: Enter your organization ID for Semgrep.

    • Organization slug: Enter your organization slug for Semgrep.

  4. Click Save.

After saving your configuration, you are redirected to the Semgrep integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Semgrep was configured properly.

How to connect Cortex entities to Semgrep

Match entity names to Semgrep projects

By default, Cortex will use the entity tag (e.g. my-service) as the "best guess" for Semgrep projects. For example, if your entity name is "My Service" or your tag is my-service, then the corresponding project name in Semgrep should also be "My Service" or my-service.

If your Semgrep project names don’t cleanly match the Cortex entity name or tag, you can override this in the Cortex entity descriptor.

Editing the entity descriptor

Under the x-cortex-semgrep block in an entity's YAML, you can define the projects you want based on the Semgrep project ID. Each entry names the integration configuration (alias) and the numeric project ID in Semgrep. For example:

x-cortex-semgrep:
  projects:
  - alias: my_org
    projectId: 1234567
  - alias: other_org
    projectId: 7654321
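A descriptor that names a project ID as a quoted string, references an integration alias that was never configured, or lists the same project twice will not map cleanly to Semgrep. The following linter is an added example, not Cortex's own code or API: it assumes the descriptor has already been loaded with a YAML parser (yaml.safe_load) into a dict, that the x-cortex-semgrep block sits either under "info" or at the top level (an assumption, not something the page states), and that each project alias names one of the Semgrep integration configurations saved in Cortex (also an assumption). The sample descriptors and the set of configured aliases are constructed.

```python
"""Lint the x-cortex-semgrep block of Cortex entity descriptors (added example)."""
from typing import Any

# Constructed: aliases of the Semgrep integration configurations in this workspace.
CONFIGURED_ALIASES = {"my_org", "other_org"}


def find_semgrep_block(descriptor: dict) -> Any:
    """Locate x-cortex-semgrep under "info" or at the top level (assumed layout); None if absent."""
    info = descriptor.get("info")
    if isinstance(info, dict) and "x-cortex-semgrep" in info:
        return info["x-cortex-semgrep"]
    return descriptor.get("x-cortex-semgrep")


def validate_semgrep_block(block: Any, known_aliases: set = CONFIGURED_ALIASES) -> list:
    """Return a list of problems; an empty list means the block is well-formed."""
    problems = []
    if block is None:
        return ["x-cortex-semgrep block missing (a semgrep != null Scorecard rule would fail)"]
    if not isinstance(block, dict) or not isinstance(block.get("projects"), list):
        return ["x-cortex-semgrep must be a mapping with a 'projects' list"]
    seen = set()
    for i, project in enumerate(block["projects"]):
        where = f"projects[{i}]"
        if not isinstance(project, dict):
            problems.append(f"{where}: must be a mapping with alias and projectId")
            continue
        alias = project.get("alias")
        project_id = project.get("projectId")
        if not isinstance(alias, str) or not alias:
            problems.append(f"{where}: alias must be a non-empty string")
        elif alias not in known_aliases:
            problems.append(f"{where}: alias '{alias}' matches no configured Semgrep integration")
        # bool is a subclass of int in Python, so exclude it explicitly.
        valid_id = isinstance(project_id, int) and not isinstance(project_id, bool)
        if not valid_id:
            hint = ""
            if isinstance(project_id, str) and project_id.isdigit():
                hint = " (quoted number: remove the quotes so YAML yields an integer)"
            problems.append(f"{where}: projectId must be an integer{hint}")
        elif project_id <= 0:
            problems.append(f"{where}: projectId must be positive")
        if isinstance(alias, str) and valid_id:
            key = (alias, project_id)
            if key in seen:
                problems.append(f"{where}: duplicate project {alias}/{project_id}")
            seen.add(key)
    return problems


# Constructed sample descriptors, shaped as yaml.safe_load would return them.
GOOD_DESCRIPTOR = {
    "info": {
        "title": "My Service",
        "x-cortex-tag": "my-service",
        "x-cortex-semgrep": {
            "projects": [
                {"alias": "my_org", "projectId": 1234567},
                {"alias": "other_org", "projectId": 7654321},
            ]
        },
    }
}

BAD_DESCRIPTOR = {
    "info": {
        "title": "Other Service",
        "x-cortex-tag": "other-service",
        "x-cortex-semgrep": {
            "projects": [
                {"alias": "my_org", "projectId": "1234567"},      # quoted id
                {"alias": "unknown_org", "projectId": 7654321},   # alias not configured
                {"alias": "other_org", "projectId": 7654321},
                {"alias": "other_org", "projectId": 7654321},     # duplicate
            ]
        },
    }
}

if __name__ == "__main__":
    for name, descriptor in (("good", GOOD_DESCRIPTOR), ("bad", BAD_DESCRIPTOR)):
        print(name, validate_semgrep_block(find_semgrep_block(descriptor)) or "OK")
```

Running this as a pre-commit or CI check on the repository that holds your entity descriptors catches mapping mistakes before they surface as an entity silently reporting no Semgrep data.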

Using the Semgrep integration

Viewing Semgrep information in Cortex

Semgrep vulnerabilities and scans appear on entity details pages:

  • in the Code & security block in the entity's overview (screenshot: "See Semgrep data on an entity's overview.")

  • in the entity's sidebar in Code & security (screenshot: "On an entity, click Code & security > Semgrep to view vulnerability details from Semgrep.")

    • This page contains scan results and vulnerability metrics from Semgrep. Click Filter at the top of the vulnerability list to filter by severity.

Scorecards and CQL

With the Semgrep integration, you can create Scorecard rules and write CQL queries based on Semgrep projects.

See more examples in the CQL Explorer in Cortex.

Check if Semgrep project is set

Check if entity has a registered Semgrep project in its entity descriptor.

Definition: semgrep (==/!=) null: Boolean

Example

An initial level in a security Scorecard might include a rule to make sure entities are associated with a Semgrep project:

semgrep != null

Setting a semgrep != null rule can also serve as a secondary check to confirm an entity is synced properly with Semgrep and is reporting frequently.

List vulnerabilities

List of Semgrep vulnerabilities by severity or type.

Definition: semgrep.vulnerabilities()

Example

You can write a rule to verify an entity has fewer than 10 vulnerabilities:

semgrep.vulnerabilities().length < 10

Get scan results for an entity

Get Semgrep scan results for an entity.

Definition: semgrep.scans()

You could write a Scorecard rule to ensure an entity has fewer than 10 scans:

semgrep.scans().length < 10

You could write a rule to ensure an entity has had fewer than 10 new scans in the last week:

semgrep.scans("firstSeen:-1w").length < 10
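To see what each of these rules actually checks, here is a small local evaluator that mirrors them over constructed data. This is an added example and not Cortex's CQL engine or API: the Semgrep data is constructed to resemble what the integration syncs (scans carrying a firstSeen timestamp, findings carrying a severity), the field names are assumptions, and a fixed clock keeps the "last week" window reproducible. The severity filter at the end is an illustration of filtering by severity, not CQL syntax from the page.

```python
"""Evaluate this page's Semgrep Scorecard rules locally (added example, not CQL)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed: a fixed "now" so the relative window is deterministic.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample entity data; an entity with no Semgrep project has semgrep=None.
ENTITY_WITH_SEMGREP = {
    "semgrep": {
        "scans": [
            {"id": 101, "firstSeen": "2024-06-14T10:00:00Z"},
            {"id": 102, "firstSeen": "2024-06-10T08:30:00Z"},
            {"id": 103, "firstSeen": "2024-06-01T09:00:00Z"},
        ],
        "vulnerabilities": [
            {"ruleId": "sqli-1", "severity": "HIGH"},
            {"ruleId": "xss-2", "severity": "MEDIUM"},
            {"ruleId": "xss-3", "severity": "MEDIUM"},
            {"ruleId": "cfg-4", "severity": "LOW"},
        ],
    }
}
ENTITY_WITHOUT_SEMGREP = {"semgrep": None}

_WINDOW = re.compile(r"^-(\d+)([hdw])$")
_UNITS = {"h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1)}


def parse_window(spec: str) -> timedelta:
    """Turn a relative window such as "-1w" or "-3d" into a timedelta."""
    m = _WINDOW.match(spec)
    if not m:
        raise ValueError(f"unsupported window: {spec!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def _ts(value: str) -> datetime:
    # fromisoformat does not accept a trailing "Z" on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def scans(entity: dict, window: Optional[str] = None, now: datetime = NOW) -> list:
    """semgrep.scans() / semgrep.scans("firstSeen:-1w"): all scans, or only those first seen within the window."""
    data = entity.get("semgrep") or {}
    result = list(data.get("scans", []))
    if window is not None:
        field, _, spec = window.partition(":")
        cutoff = now - parse_window(spec)
        result = [s for s in result if _ts(s[field]) >= cutoff]
    return result


def vulnerabilities(entity: dict, severity: Optional[str] = None) -> list:
    """semgrep.vulnerabilities(): all findings, optionally filtered by severity."""
    data = entity.get("semgrep") or {}
    result = list(data.get("vulnerabilities", []))
    if severity is not None:
        result = [v for v in result if v.get("severity") == severity]
    return result


def evaluate_rules(entity: dict, now: datetime = NOW) -> dict:
    """Mirror the page's rules; every rule fails when no Semgrep project is set."""
    has_semgrep = entity.get("semgrep") is not None
    return {
        "semgrep != null": has_semgrep,
        "semgrep.vulnerabilities().length < 10": has_semgrep and len(vulnerabilities(entity)) < 10,
        "semgrep.scans().length < 10": has_semgrep and len(scans(entity, now=now)) < 10,
        'semgrep.scans("firstSeen:-1w").length < 10':
            has_semgrep and len(scans(entity, "firstSeen:-1w", now)) < 10,
        # Extra illustration (not a rule from the page): no HIGH-severity findings outstanding.
        "no HIGH findings": has_semgrep and len(vulnerabilities(entity, "HIGH")) == 0,
    }


if __name__ == "__main__":
    for label, entity in (("with semgrep", ENTITY_WITH_SEMGREP), ("without", ENTITY_WITHOUT_SEMGREP)):
        print(label)
        for rule, passed in evaluate_rules(entity).items():
            print(f"  {'PASS' if passed else 'FAIL'}  {rule}")
```

Note that the null check short-circuits the other rules: an entity without a Semgrep project trivially has zero vulnerabilities, so a vulnerability-count rule on its own would pass for exactly the entities that are not being scanned. Pairing it with semgrep != null, as the page recommends, closes that gap.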

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

  • Email: help@cortex.io, or open a support ticket in the in-app Resource Center

  • Chat: Available in the Resource Center

  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Last updated 23 days ago
