
Semgrep

Visualize Semgrep deployments, projects, code findings, secrets, and supply chain vulnerabilities. Map code security findings to projects and repositories, and monitor application security issues through queries and alerts.

Installation

Semgrep is a static application security testing (SAST) tool that helps you find bugs and enforce code standards. The JupiterOne integration ingests findings, repositories, and rule data from your Semgrep account.

Info: You will need a Semgrep API Token with the Web API scope to set up this integration. This requires a Team or Enterprise tier account.

Configuration in Semgrep

To create an API token for JupiterOne:

  1. Log in to your Semgrep web application at https://semgrep.dev.
  2. Navigate to Settings > Tokens (Admin access required).
  3. Create a new API token or edit an existing one.
  4. Under Token scopes, ensure Web API is enabled.
    • Tokens with only the Agent (CI) scope cannot access the Web API endpoints required by this integration.
  5. Copy the API token for use in JupiterOne configuration.

Required API Access:

The integration uses the following Semgrep API endpoints and requires read access to:

  • Deployments (/api/v1/deployments)
  • Projects (/api/v1/deployments/{slug}/projects)
  • Findings (/api/v1/deployments/{slug}/findings)
  • Secrets (/api/v1/deployments/{id}/secrets)
  • Supply Chain Vulnerabilities (/api/v1/deployments/{id}/ssc-vulns)

See Semgrep's API documentation for more information about token scopes.
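A token created with only the Agent (CI) scope will authenticate against Semgrep but be refused by the Web API endpoints listed above, which shows up in JupiterOne as a failed or empty ingestion. The following script, added here as an example and not part of the JupiterOne integration or Semgrep's own tooling, exercises every endpoint the integration reads and reports which ones the token can reach, so the scope problem is caught before the instance is created. It assumes the Web API accepts the token as a Bearer credential and that `/api/v1/deployments` returns a `deployments` list whose entries carry `id` and `slug`; the HTTP function is injectable so the check can be run against constructed responses without network access.

```python
"""Preflight check for a Semgrep API token before wiring it into JupiterOne.

Walks the endpoints the integration reads (deployments, projects, findings,
secrets, supply-chain vulns) and classifies each response, so a token that
only carries the Agent (CI) scope is detected up front.
"""
import json
import os
import sys
import urllib.error
import urllib.request

SEMGREP_API = "https://semgrep.dev/api/v1"  # base URL for the documented endpoint paths


def auth_headers(token: str) -> dict:
    # Assumption: the Web API accepts the token as a Bearer credential.
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def endpoints_for(deployment: dict) -> list:
    """Build the per-deployment URLs the integration reads.

    Projects and findings are addressed by deployment slug; secrets and
    supply-chain vulnerabilities by numeric deployment id.
    """
    slug = deployment["slug"]
    dep_id = deployment["id"]
    return [
        f"{SEMGREP_API}/deployments/{slug}/projects",
        f"{SEMGREP_API}/deployments/{slug}/findings",
        f"{SEMGREP_API}/deployments/{dep_id}/secrets",
        f"{SEMGREP_API}/deployments/{dep_id}/ssc-vulns",
    ]


def classify(status: int) -> str:
    """Map an HTTP status to the most likely configuration problem."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "denied: token lacks Web API scope or is not valid"
    if status == 404:
        return "not found: check the deployment slug/id"
    return f"unexpected HTTP {status}"


def http_get(url: str, headers: dict):
    """GET a URL and return (status, parsed JSON or None on error)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, None


def check_token(token: str, get=http_get) -> dict:
    """Return {url: verdict} for every endpoint the integration needs.

    `get` is injectable so the check can be exercised without network access.
    Stops after the deployments call if it is not authorised, since the
    per-deployment URLs cannot be constructed without a slug and id.
    """
    results = {}
    root = f"{SEMGREP_API}/deployments"
    status, body = get(root, auth_headers(token))
    results[root] = classify(status)
    if status != 200 or not body:
        return results
    # Assumption: response shape is {"deployments": [{"id": ..., "slug": ...}, ...]}
    for dep in body.get("deployments", []):
        for url in endpoints_for(dep):
            status, _ = get(url, auth_headers(token))
            results[url] = classify(status)
    return results


if __name__ == "__main__":
    tok = os.environ.get("SEMGREP_APP_TOKEN")
    if not tok:
        sys.exit("set SEMGREP_APP_TOKEN to the token created under Settings > Tokens")
    report = check_token(tok)
    for url, verdict in report.items():
        print(f"{verdict:55s} {url}")
    sys.exit(0 if all(v == "ok" for v in report.values()) else 1)
```

Run it with `SEMGREP_APP_TOKEN=<token> python check_token.py`; a non-zero exit with "denied" on the very first line is the signature of an Agent-only token, while "denied" on only the secrets or ssc-vulns URLs points at a plan or feature that is not enabled for the deployment rather than at the token scope.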

Configuration in JupiterOne

To install the Semgrep integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Semgrep. Click New Instance to begin configuring your integration.

Creating an instance requires the following:

  • The Account Name used to identify the Semgrep account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and run the integration manually instead.

  • Your Semgrep API Token that was generated in the Semgrep web app.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.