• Semgrep AppSec Platform
• Secure guardrails

Dashboard

The Semgrep dashboard is an overview of your organization’s security posture based on data aggregated within Semgrep AppSec Platform. It helps you:

• Evaluate your AppSec program, enabling you to know your current security risk.
• Assess the deployment and adoption of secure guardrails to your organization.
• Become aware of trends and opportunities that you can use to improve your security posture.
• Quickly filter data granularly for all the charts on the page and view priority findings.
• Export the information as a PDF report.

Dashboard overview

The dashboard is divided into several sections:

Section	Description
Reporting summary top bar	Sets the filters for all the data in the page.
Production backlog	Displays data about all the findings detected in your primary or default branch and helps you answer the following questions: How is my security posture doing over time? Is my backlog decreasing or increasing? Is the team addressing findings faster than new findings are coming in?
Secure guardrails	Displays data relevant to the deployment and adoption of secure guardrails. It helps address the following: How many vulnerabilities did Semgrep prevent from entering production over time? Am I effectively introducing guardrails to my developers? Of the issues shown to developers, are they being fixed, or are they being ignored?
Most findings by project	Lists projects arranged by most open findings to least, grouped by product or severity. Helps answer the following: Which of my projects have the most findings in a particular product area? Which of my projects have the most findings for a particular severity?
Median open age	A graph showing the middle age of all Open findings, grouped by product or severity. Half of the open findings are older than this age, and half are newer. Helps you answer: What is the amount of time a finding remains open, by product or by severity?

tip

Use the filters to quickly generate views for a single Semgrep product or all products.

When viewing data for a single Semgrep product, you can't group by product in Most findings by project and Median open age.

Export reports

To generate reports from the current view, click Dashboard > Download.

Triage states

The following triage states are displayed:

• Open
• Ignored, including provisionally ignored
• Fixed

Additional triage states, such as Fixing or Reviewing, are not displayed at this time.

Filters and configuration

Use the filters to gain a top-level view or zoom in to a single product, specific period of time, or other slice of data. Create quarterly overviews or recent incident statements for various AppSec stakeholders.

Configurations set here apply to the entire page.

The following quick filters are visible on the page:

• Time period
• Semgrep product or type of scan (SAST, SCA, or Secrets)
• Project (a repository or a subfolder of a monorepo)
• Recommended priority toggle

info

• By default, the Dashboard displays data for projects that members or managers have access to. Admins can view findings from all the projects in the organization. See the Teams documentation for more information.
• It can take up to a day (24 hours) for the Dashboard to correctly update and remove findings if you have recently deleted a project.

To access all filters:

1. Click All filters to open the filter drawer.
2. Turn off the Recommended priority toggle.

This displays the following filters in the filter drawer:

• Severity
• Confidence
• Reachability
• Validation
• Time period
• Product
• Project
• Tags
• Teams

Recommended priority

This refers to any finding that is Critical or High severity in addition to being:

• High confidence - if the finding is from Semgrep Code.
• Reachable - if the finding is from Semgrep Supply Chain.
• Valid - if the finding is from Semgrep Secrets.

By default, Recommended priority filters are enabled.

If you choose to turn off recommended priority filters, all findings are displayed.

Production backlog

This pane displays analytics related to findings detected in your primary or default branch. This typically means that the finding, usually a security issue, has made it to production environments.

Key metrics

Key metrics	Description
Total opened	Total number of findings set to Open during the time period. This includes new findings as well as re-opened findings that were previously in a different state.
Total fixed	Total number of Fixed findings during the time period that remained fixed until the end of the time period.
Total ignored	Total number of Ignored findings during the time period that remained ignored until the end of the time period. Ignored findings includes those with a status of Provisionally ignored.
Total net new	The difference between the number of Open findings at the beginning of the time period and the end of the time period.

tip

A low or negative value for Total net new is ideal. It indicates that, within the period, more findings are being triaged or resolved than opened. This reduces the backlog of security issues.

Charts

Chart	Description
Open backlog	This tracks the total findings from each scan and displays them. Lower values are better. Hover over the chart to see a breakdown of findings by product for the selected time period.
Backlog activity	Displays the number of new, net new, fixed, and ignored, including provisionally ignored, findings. A greater Fixed value is better. Hover over the chart to see a breakdown of findings by triage state for that selected time period.

Secure guardrails

This provides an overview of how secure guardrails in PR or MR comments are used in your organization, including how often Semgrep shows findings to developers, how the developers handle the findings, and how often Semgrep flags a finding as provisionally ignored.

Other guardrail interfaces, such as the IDE or pre-commit, are not counted in this section.

Key metrics

Key metrics	Description
Findings shown to devs	Number of findings shown to developers in PR or MR comments (the numerator) against the total findings count (denominator). An upward or stable trend is better.
Findings fixed in development	Number of findings that were fixed before they could be detected in a default branch or production backlog (numerator) against the total findings count in the specified time period (denominator). An upward or stable trend is better. Hover over the chart to see a breakdown of findings by triage state for that selected time period.

Charts

Chart	Description
Secure guardrails adoption	Percent of new findings shown to developers over the specified time period. An upward or stable trend is better.
Guardrails activity	This chart displays a breakdown of the status of findings shown to developers; whether they were ignored, provisionally ignored, fixed, or remained open. A greater Fixed value is better. Hover over the chart to see a breakdown of findings by triage state for that selected time period.

Most findings by project

A table listing projects from most open findings to least, grouped by product or severity. Lower values are better.

tip

It is recommended to prioritize triage and remediation for the top projects listed in this table, especially if the priority filters are enabled.

Median open age

A chart displaying the median open age of a finding in days over the specified time period. Lower is better.

For a finding to be remediated, it must have any of the following statuses:

• Fixed
• Ignored, including provisionally ignored

---

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.