Semgrep
StackHawk’s official Semgrep integration.
Overview
StackHawk with Semgrep helps teams find security issues in proprietary code before they reach production. View your Semgrep findings, including the affected line of code, alongside your HawkScan findings. Teams use Semgrep (static analysis) to show where a vulnerability may exist in the source, then use a StackHawk HawkScan (dynamic testing of the running application) to confirm that it is actually exploitable. Correlating the two result sets immediately prioritizes issues for developers and lets them confirm, reproduce and fix them quickly.
Features
- As part of HawkScan runs, automatically link HawkScan Findings with Semgrep Issues
- In the Finding Details view, a Semgrep tab shows issue details with links to Semgrep for further information
StackHawk Requirements
You must have one of the following StackHawk account types to use the Semgrep Integration:
- Pro
- Enterprise
- Enterprise Trial
Semgrep Requirements
- Your Semgrep account must include valid Semgrep projects with scan results.
- Your Semgrep API token must have Web API permission without limited scopes of access. Create or manage API tokens by navigating to Settings > Tokens in Semgrep. Because the token is not scope-limited, it grants access to findings across your Semgrep organization; treat it as a sensitive credential and rotate it if it is ever exposed.
Setup
- Log in to StackHawk and navigate to the Semgrep Integration page.
- Click Enable Semgrep.
- In the Connect To Semgrep modal, enter your Semgrep API Token with Web API permission and click Connect.
- In the Configure Semgrep Integration modal:
  - Select your Semgrep Organization from the dropdown.
  - Select the Semgrep Project you want to connect.
  - Select the StackHawk Application you want to map to the Semgrep Project and click Save Mapping.
- On the Semgrep Integration page in the StackHawk Platform, the Connected Projects list shows the connected Semgrep Project and Application.
Configuration
You can add and delete Connected Projects on the Semgrep Integration page.
Usage
Once the Semgrep Integration is enabled, the Semgrep logo appears throughout StackHawk wherever there is a Semgrep connection. When a StackHawk Application and a Semgrep Project are connected, HawkScan links its Findings with correlated Semgrep Issues for all Environments in that Application.
Application Badging
Applications mapped to a Semgrep Project show the Semgrep logo under the Application name.
Scan and Finding List Badging
When viewing the Scan list or the list of Findings for a specific scan, a SAST column is present. If this column shows the Semgrep logo, there is a linked Semgrep Issue.
Scan List
The Scan list shows which scans have linked Semgrep issues.
Finding List
The Finding list shows which findings have linked Semgrep issues.
Finding Details Semgrep Tab
When viewing the details of a specific Finding that has a linked Semgrep Issue, the Semgrep tab is displayed. It shows details of the linked Semgrep Issues, with links to Semgrep for more information.
Note that the Semgrep tab in Finding Details shows at most 15 instances of the linked Semgrep Issue.
Troubleshooting
If you are having problems setting up Semgrep with StackHawk, verify that your Semgrep API token has Web API permission without limited scopes.
If your scan results do not show any linked Semgrep Issues and you expect them to, confirm that the StackHawk Application and the Semgrep Project are connected on the Semgrep Integration page.
Semgrep Issues are linked only for scans run after an Application and Project are connected; past scans cannot be retroactively linked with Semgrep Issues.
Currently, it is not possible to map a single Environment under an Application to a Semgrep Project. Mappings are made at the Application level, so scans for every Environment in that Application will have their Findings linked with Semgrep Issues.
Feedback
Have any suggestions, feature requests, or feedback to share? Contact StackHawk Support.