Introducing Semgrep Connect

SecApps is excited to announce a new feature of our Connect product: Semgrep Connect. Semgrep Connect connects Semgrep to SecApps Triage, so you can scan for vulnerabilities and find matches in both products. Combined with the power of Semgrep code analysis, this gives you an efficient way to triage vulnerabilities and speed up your remediation process.

To get started, visit SecApps Connect and set up a new integration. Use the SecApps Connect hook integration to generate a custom Semgrep ingestion endpoint. Set the type to Triage because we want to receive all Semgrep reports directly into Triage.

On the Semgrep side, all you have to do is pass the hook URL to Semgrep's --output flag. Don't forget to use --json as well. Here is what the final command looks like:

$ semgrep --output "${SECAPPS_CONNECT_HOOK}" --json ...

You can also provide custom information about which project you are currently scanning by using the `?asset=` query parameter. This is useful if you want to set up multiple integrations with different upstream sources. For example:

$ semgrep --output "${SECAPPS_CONNECT_HOOK}?asset=my-project-name" --json ...
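A CI wrapper for the commands above, as an added example that is not SecApps or Semgrep code. It percent-encodes the asset name before appending it and refuses to run when the hook variable is empty or not a URL, since Semgrep would then write the report to a local file instead of posting it. The function names, the https-only check, the `&` separator for hooks that already carry a query string, and ASCII asset names are assumptions.

```shell
#!/bin/sh
# Added example, not SecApps or Semgrep code. Function names are hypothetical.

# Percent-encode a string for use as a query-parameter value (ASCII input assumed).
# The body runs in a subshell, so its variables stay local.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character of s
    s=${s#?}          # rest of s
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Build "<hook>?asset=<name>". Fails if the hook is empty or not an https URL
# (assumption: the generated hook is https). A non-URL --output value is
# treated as a file path, so the report would never reach Triage.
hook_with_asset() {
  case $1 in
    https://?*) ;;
    *) echo "hook must be an https:// URL" >&2; return 1 ;;
  esac
  case $1 in
    *\?*) sep='&' ;;   # assumption: the hook may already carry a query string
    *)    sep='?' ;;
  esac
  printf '%s%sasset=%s' "$1" "$sep" "$(urlencode "$2")"
}

# Run a scan and send the JSON report to Triage.
# Usage: scan_to_triage <asset-name> [semgrep arguments...]
scan_to_triage() {
  asset=$1; shift
  url=$(hook_with_asset "${SECAPPS_CONNECT_HOOK:-}" "$asset") || return 1
  semgrep --output "$url" --json "$@"
}
```
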

Now, whenever a new scan is run, the Semgrep results will be available in Triage for your inspection. You can use Triage in the same way you would use Semgrep, to filter and group results, and it also provides other useful automation such as sending notifications to Slack and email.

Semgrep is a great tool for finding code smells and potential security issues in your codebase. However, its usefulness can be limited if you have to manually triage the results. The new SecApps Connect feature solves this problem by integrating Semgrep with SecApps for full 360-degree visibility into your application security.
