Before you deploy Semgrep, use this checklist to confirm that your organization is ready to begin setup. You should know which repositories you want to scan, which users and teams need access, which Semgrep features you plan to enable, and who owns the systems required for deployment.
Ensure that your infrastructure meets all Prerequisites before deploying Semgrep.

Confirm deployment scope

Decide how broadly your organization will deploy Semgrep. The more users and repositories you onboard, the more important training becomes for security champions and other users who help manage findings. Confirm the following:
  • Which users and departments will use Semgrep.
  • Which repositories Semgrep will scan. For monorepos, also plan for scan duration.
  • How frequently scans will run, and at what time if you use scheduled scans. Scan timing can affect other processes, such as PR approvals.
  • Whether scans will run on a schedule, in CI, through Managed Scans, or a combination of these methods.
  • The expected timeframe for deployment, and whether the deployment will happen all at once or in phases.
Deployment timelines vary based on organization size, how many repositories you onboard, and whether you roll out in phases.

Identify stakeholders

For medium-to-large teams, typically with more than 10 developers, coordinating with other departments before starting the deployment is crucial to an efficient roll-out. A complete deployment helps ensure that your licenses are fully used. Identify the teams that need to participate in the deployment. Depending on your organization, this can include:
Team and common responsibilities:
  • Infrastructure: SSO, CI/CD, and source code manager (SCM) configuration.
  • Engineering: repository ownership, displaying findings to developers in PRs or MRs.
  • IT: firewall, virtual private network (VPN), and network access configuration.

Assign Semgrep roles

Decide which users need access to Semgrep AppSec Platform. Semgrep provides three primary roles: Admin, Member, and Readonly. Organizations using Teams can also assign the Manager role for project-level access control. See Manage user roles for more information. For single-user deployments, you are the sole Admin of your deployment. For multi-user deployments, identify:
  • Which users will administer the deployment.
  • Which users need member access.
  • Which sign-in method members will use, such as SSO, GitHub Cloud, or GitLab Cloud.

Review permissions and access

Confirm that your organization has the access needed for the features you plan to enable.
Feature and permission required:
  • Run Semgrep continuously in your CI workflows:
    • Add or change CI jobs, including committing configuration files for each repository.
    • Define environment variables and store secrets.
  • Run Semgrep continuously without changing your CI workflows: grant read access to user-selected repositories.
  • Manage user authentication with SSO: view and edit SSO configurations.
  • Receive Slack notifications: be a Slack workspace owner, or coordinate with the team responsible.
  • Send PRs or MRs to your SCM: edit firewall or VPN allowlists for self-hosted repositories.
For SCM roles, token scopes, and setup steps by provider, see SCM permissions.

Review network requirements

If your organization uses a firewall, VPN, self-hosted SCM, or other network restrictions, confirm that Semgrep can connect to the systems it needs. You might need to configure:
  • Ingress allowlists.
  • Egress allowlists.
  • CloudFront egress IP addresses.
  • Semgrep Network Broker.
  • Access for PR or MR comments, Managed Scans, and Semgrep Multimodal.
For more information, see Network access and allowlists.

Confirm version and session requirements

Confirm that your Semgrep CLI version is supported before deployment. Many improvements to the Semgrep AppSec Platform experience only work with up-to-date Semgrep CLI versions. Semgrep AppSec Platform supports the 10 most recent minor versions of Semgrep CLI. For example, if the latest release is 1.60.0, all versions greater than 1.50.0 are supported, while earlier versions, such as 1.49.0, can result in failures. To update Semgrep, see Update Semgrep. Docker users should use the latest image tag to stay up to date.
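The support window above is easy to misjudge by hand across many CI runners, so a pre-flight check that encodes it is useful. The following is an added example, not Semgrep's own code: it takes the installed and latest version strings as plain arguments (how you obtain them, for example from `semgrep --version` output or a release feed, is up to you, so the check itself runs offline) and reports whether the installed CLI is inside the 10-most-recent-minor-versions window. The reading of the rule as "minors 1.51 through 1.60 are supported when 1.60.0 is latest, 1.50.x and lower are not" is an assumption consistent with the page's 1.49.0 example; treating a different major version as unsupported is also an assumption.

```python
"""Pre-deployment check for the Semgrep CLI support window (added example)."""
import re
import sys
from typing import Tuple

# From the page: Semgrep AppSec Platform supports the 10 most recent minor versions.
SUPPORTED_MINOR_WINDOW = 10

# Accepts "1.60.0", "v1.60.0", or "1.60.0-something"; trailing suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a MAJOR.MINOR.PATCH string into a tuple of ints."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def oldest_supported(latest: str) -> str:
    """Return the oldest minor version still inside the window for the given latest release.

    Assumption: with latest 1.60.0 the window is 1.51 .. 1.60 (10 minors), so
    the oldest supported version is 1.51.0. The minor is clamped at 0.
    """
    major, minor, _ = parse_version(latest)
    oldest_minor = max(minor - (SUPPORTED_MINOR_WINDOW - 1), 0)
    return f"{major}.{oldest_minor}.0"


def is_supported(installed: str, latest: str) -> bool:
    """True if the installed CLI is within the supported window relative to latest.

    Assumption: a different major version is treated as unsupported, and an
    installed minor newer than the known latest (stale 'latest' input) passes.
    """
    inst_major, inst_minor, _ = parse_version(installed)
    latest_major, _, _ = parse_version(latest)
    if inst_major != latest_major:
        return False
    _, oldest_minor, _ = parse_version(oldest_supported(latest))
    return inst_minor >= oldest_minor


def report(installed: str, latest: str) -> str:
    """Human-readable verdict suitable for a CI log line."""
    if is_supported(installed, latest):
        return f"OK: Semgrep CLI {installed} is supported (latest {latest})"
    return (f"UNSUPPORTED: Semgrep CLI {installed} is older than "
            f"{oldest_supported(latest)}; update before deploying (latest {latest})")


if __name__ == "__main__":
    # Usage: python check_semgrep_version.py <installed> <latest>
    # Constructed sample values are used when no arguments are given.
    installed_arg = sys.argv[1] if len(sys.argv) > 1 else "1.49.0"
    latest_arg = sys.argv[2] if len(sys.argv) > 2 else "1.60.0"
    print(report(installed_arg, latest_arg))
    sys.exit(0 if is_supported(installed_arg, latest_arg) else 1)
```

The non-zero exit status lets you wire the script into a CI job as a gate, so runners with a stale CLI fail early instead of producing the failures the page describes.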

Review session requirements

Semgrep AppSec Platform session details:
  • The time before you need to reauthenticate is 7 days.
  • Session tokens are valid for 7 days.
  • This session timeout is not configurable.
  • Semgrep AppSec Platform does not use cookies; it uses localStorage to store access tokens. Data in localStorage expires every 7 days.

Next steps

After you complete this checklist, continue with the setup guide for your deployment method. Common next steps include:

See How to introduce Semgrep to your organization from Trail of Bits for tips on how to evaluate and deploy Semgrep for your org.