Semgrep Assistant overview
Semgrep Assistant provides AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings.
Figure. Semgrep Assistant detects the use of untrusted, unsanitized data.
Support and availability
Semgrep Assistant:
- Primarily supports findings generated by Semgrep Code
- Supports the same languages as Semgrep Code
- Is available to users of the following source code managers (SCMs):
  - Azure DevOps Cloud
  - Bitbucket Cloud Premium and Bitbucket Data Center
  - GitHub Cloud and GitHub Enterprise Server (self-hosted)
  - GitLab, including SaaS and self-managed plans
- Requires the Semgrep AppSec Platform for its use
Features
Remediation
Semgrep Assistant can provide remediation advice and autofixes, or suggested fixes, for Semgrep Code findings.
Guidance
With Assistant enabled, every PR or MR comment Semgrep pushes includes remediation guidance with information on fixing the issue. Assistant's remediation guidance provides step-by-step instructions on how to remediate the finding identified by Semgrep Code.
Figure. PR comment displaying the rule message followed by a comment that contains Assistant-generated remediation guidance.
Semgrep also displays remediation guidance in Semgrep AppSec Platform, under Your code & fix on the finding's details page (reached from the Findings page).
Figure. Findings detail page with the Your code & fix section displaying the suggested fix.
Because PR and MR comments are time-sensitive, Semgrep waits only a limited time for Assistant guidance before posting the comment. If guidance is missing from a PR or MR comment because it was not yet available, it should still appear for that finding on Semgrep AppSec Platform's Findings page.
Autofix
Semgrep Assistant can suggest autofix code snippets for Semgrep Code findings when it identifies a true positive. Assistant only suggests an autofix if the rule doesn't have a human-written autofix. You can set the minimum autofix confidence level required to display autofix suggestions from Semgrep Assistant on Semgrep AppSec Platform's Settings page. To receive as many Assistant suggestions as are available, set the minimum to low confidence.
Assistant customizes the code snippets it provides based on previous feedback, if any, and your rule customizations. For example, if you have a custom rule recommending a specific sanitizer, Assistant can recommend its use in the autofix suggestion for the issue in your code.
Autofixes are available in PR and MR comments, so developers can review and verify Semgrep's generated fixes before applying them.
Figure. Semgrep Assistant generates a potential fix in a PR comment.
Autofixes are also available on Semgrep AppSec Platform's Findings page under Assistant suggested fix in the finding's details.
Figure. Semgrep Assistant showing a potential fix in Semgrep AppSec Platform.
If many new issues are found in a given scan, Assistant auto-triage and autofix may not run on every issue.
Component tags
Component tags use AI to categorize a finding based on its function, such as:
- Payments
- User authentication
- Infrastructure
By categorizing your code through component tags, Semgrep Assistant helps you prioritize high-risk issues, such as findings in code that handles payments or user authentication.
Component tags can be viewed on Semgrep AppSec Platform's Findings page.
Figure. Semgrep AppSec Platform's Findings page showing the Component filter.
Auto-triage
Semgrep Assistant uses AI's understanding of programming languages and libraries, together with your code and triage history, to auto-triage findings and suggest whether a finding can safely be ignored. For every recommendation to ignore a finding, Semgrep also provides an explanation of why the finding can be ignored.
Auto-triage recommendations are available on Semgrep AppSec Platform's Findings page when you filter for findings that Assistant suggests should be ignored, and in each finding's details.
Figure. Semgrep Assistant auto-triage in the Findings page.
Assistant's suggestions to ignore findings are also surfaced in PR or MR comments, so developers can triage an issue directly without leaving their PR or MR.
Weekly priority emails
Semgrep sends weekly emails with information on Assistant's top three backlog tasks across all findings. Unlike other Assistant features, these suggestions can include information for all Semgrep products that you have enabled. The emails are sent out on Monday to all organization admins.
Noise filtering (beta)
Noise filtering increases developer velocity by reducing interruptions from potential false positives. With noise filtering, Assistant uses additional context to evaluate whether each finding is a true positive. If Assistant thinks a finding may be a false positive, it prevents a PR comment from being posted in the developer workflow.
Security teams can review filtered findings at any time on Semgrep's Code > Pre-production page. Semgrep also allows you to agree or disagree with the filtering. If you agree with the suggestion, Semgrep closes the finding, but if you disagree, Semgrep reopens the finding.
Assistant is over 95% accurate in categorizing Semgrep Code findings as false positives.
Memories
Assistant Memories allows AppSec teams and developers to tailor Assistant's remediation guidance to their organization's standards and defaults on a per-project, per-rule basis. When Assistant gives a suggested fix, you can provide feedback by adding custom instructions.
For example, if the code contains a hardcoded secret, Assistant might suggest using an SDK that handles credentialing. However, if your company prefers to use a different secrets manager, you can provide this information to Assistant. Assistant then generates remediation guidance that works with your specific secrets manager in the future.
Custom rules editor (beta)
Semgrep Assistant can help you write custom rules to find patterns and vulnerabilities specific to your codebase. The only information you need to provide is an English-language prompt describing what the rule should do. If you also provide an example of bad code and an example of good code, Semgrep uses them to test the generated rule and to give the large language model (LLM) additional context.
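As an added illustration (not from the Semgrep docs or the Assistant itself) of two things this page mentions, the human-written autofix that makes Assistant skip its own autofix, and the bad/good example pair used to test a generated rule, here is a hand-written Semgrep rule with a fix: key and the sibling test file that Semgrep's ruleid/ok annotation convention expects. The rule id, message, and file paths are assumptions for the example.

```yaml
# Assumed path: rules/requests-verify-false.yaml (example rule, not from the page)
rules:
  - id: requests-verify-false
    languages: [python]
    severity: WARNING
    message: >-
      TLS certificate verification is disabled (verify=False), so the connection
      can be intercepted. Remove the argument or set verify=True.
    # `...` matches any other arguments in any position
    pattern: requests.get(..., verify=False, ...)
    # Human-written autofix. Because this key is present, Assistant does not
    # generate its own autofix for findings from this rule.
    fix: requests.get(..., verify=True, ...)
    metadata:
      category: security
      cwe: "CWE-295: Improper Certificate Validation"

# Constructed sibling test file, rules/requests-verify-false.py. The bad example
# must be flagged and the good example must stay clean when the rule is tested
# with `semgrep --test`:
#
#   import requests
#   # ruleid: requests-verify-false
#   requests.get("https://example.com/api", verify=False)
#   # ok: requests-verify-false
#   requests.get("https://example.com/api", verify=True)
```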
Upgrade guidance (beta)
Semgrep Supply Chain's dependency upgrade guidance uses AI to analyze whether the package behind a finding can be upgraded safely or whether the upgrade could introduce breaking changes. Semgrep's Click to fix capability can then create a PR to upgrade the package.
Read more about Upgrade guidance and Click to fix.
Reliability
Assistant supports fallback between model providers to ensure optimal performance and reliability. OpenAI is the primary provider in most cases, with automatic fallback to AWS Bedrock as needed. Semgrep's fallback decisions are based on an internal ranking system informed by ongoing research. Semgrep ranks models by performance and dynamically selects the best available from your enabled options.
Enabling additional model providers for your Semgrep organization can improve performance in some scenarios, while removing them could result in reduced performance.