Semgrep App's Fall 2021 Updates

by Bence Nagy on October 21, 2021

Semgrep App has been completely redesigned and now includes a drag-and-drop UI for configuring rules and notifications. Security teams have more tools to help with remediation, including a finding triage flow and a Jira integration.

In our initial release of Semgrep App, the only feature we included was the ability to run basic sample scanning rules, so you could see Semgrep in action without downloading the tool. Over the past 18 months, it has gained many, many capabilities, and has become an integral part of the workflows of high-performing security teams around the world.

Today, we’re taking a look back at the last few months and highlighting the most requested features we shipped to users.

In case you need a reminder: Semgrep App is an online dashboard that helps your team make the best of Semgrep. It’s free for unlimited users & repositories.

Rule board: configure Semgrep across your organization with 10% the effort

Since Semgrep’s inception, we’ve talked to over a hundred security teams, large and small, about their experience with the Semgrep App dashboard. The most common problem they shared was the complexity of configuring what security issues Semgrep should scan for. This used to be done with a set of “policies“: blobs of configuration that contain any number of links to projects, rulesets, rules, notification channels, and a few more knobs. See a diagram of what this looked like below. This provided endless flexibility, but required users to familiarize themselves with many concepts, and commit to the burden of maintaining complex configuration right off the bat. Open source teams were the most affected by this, as maintainers of one or two repositories had to use the same controls that were designed for enterprises with 1,000+ projects.

Previous policy configuration

This is what an account's configuration looks like with policies.

So we went back to the drawing board and, perhaps inspired by the drawing board itself, created the rule board. The rule board brings all your configuration into one screen. To add or remove a ruleset, just grab a card and drop it elsewhere on the page. Similarly, you can expand rulesets, and drag their individual rules around. This makes it much easier to “downgrade” just one rule of a ruleset to notify, but not block pull requests. Notifications are also configured on this screen, on a per-column basis.

Rule board

This board applies to all projects of your organization. Feel free to add every single rule you’re interested in; Semgrep automatically skips irrelevant rules, such as Java rules on .js files, or Django rules in a project that doesn’t use Django.

Since the control provided by editing policies one by one has been useful for only the largest of organizations, we’ve removed them from the dashboard entirely, and made them an optional paid feature. If you signed up for a free account before September 15, 2021, your account retains its old configuration. Please contact us at support@r2c.dev when you’re ready to upgrade to the rule board and we’ll guide you through the process.

Triaging findings

A key part of any application security workflow is remediation. Semgrep App now helps security teams track the status of findings end-to-end, as well as dismiss false positives forever. (Pro-tip: create a weekly recurring event with your AppSec team to review all new findings together. This helps prevent issues from falling through the cracks, and is a great opportunity for exchanging knowledge.)

Triage findings

Not only is the Triager useful, it also gives you that refreshing Inbox Zero feeling.

Jira integration

To see remediation all the way through, in the Semgrep Team tier you can now create Jira tickets directly from a finding in the above view. When you verify that an issue is legitimate, it takes just one more click to notify the engineering team that a security issue needs to be addressed.

This is the first issue tracker integration we built, and we’re excited to hear how it works for our users in a real life setting. Interested in this feature, but with a different issue tracker, such as GitHub issues or Linear? Let us know in the Semgrep community Slack!

Jira ticket

More improvements

We only highlighted three of our most exciting updates above, but the complete list of improvements is a lot longer. Here are a few other recent highlights:

  • We completely redesigned the dashboard, added a consistent purple color scheme, and a brand-new sidebar.
  • Automatic setup on GitHub projects now supports forked repositories.
  • Closing a GitHub pull request without merging will now mark all its findings as removed. Reopening the pull request will re-introduce the findings on the app.
  • Temporary tokens issued for publishing the results of a local scan now expire after one week.
  • You can now subscribe to a newsletter about our private beta features.
  • Findings can now be filtered by rule severity. Rule severities have been renamed to high, medium, and low.
  • The Registry now uses https://sg.run/ for shorter, shareable links to rules and rulesets.

But wait, there's more

If you also use Semgrep on the command-line, don’t miss the latest updates including a new taint mode, Terraform scanning, and a recent 5x performance boost! Find out more here →