Ensure that your infrastructure meets all Prerequisites before deploying Semgrep.
Confirm deployment scope
Decide how broadly your organization will deploy Semgrep. The more users and repositories you onboard, the more important training becomes for security champions and other users who help manage findings. Confirm the following:
- Which users and departments will use Semgrep.
- Which repositories Semgrep will scan. For monorepos, also plan for scan duration.
- How frequently scans will run, and at what time if you use scheduled scans. Scan timing can affect other processes, such as PR approvals.
- Whether scans will run on a schedule, in CI, through Managed Scans, or a combination of these methods.
- The expected timeframe for deployment, and whether the deployment will happen all at once or in phases.
Identify stakeholders
For medium-to-large teams, typically with more than 10 developers, coordinating with other departments before starting the deployment is crucial to an efficient roll-out. A complete deployment helps ensure that your licenses are fully used. Identify the teams that need to participate in the deployment. Depending on your organization, this can include:

| Team | Common responsibilities |
|---|---|
| Infrastructure | SSO, CI/CD, and source code manager (SCM) configuration. |
| Engineering | Repository ownership, displaying findings to developers in PRs or MRs. |
| IT | Firewall, virtual private network (VPN), and network access configuration. |
Assign Semgrep roles
Decide which users need access to Semgrep AppSec Platform. Semgrep provides three primary roles: Admin, Member, and Readonly. Organizations using Teams can also assign the Manager role for project-level access control. See Manage user roles for more information. For single-user deployments, you are the sole Admin of your deployment. For multi-user deployments, identify:
- Which users will administer the deployment.
- Which users need member access.
- Which sign-in method members will use, such as SSO, GitHub Cloud, or GitLab Cloud.
Review permissions and access
Confirm that your organization has the access needed for the features you plan to enable.

| Feature | Permission required |
|---|---|
| Run Semgrep continuously in your CI workflows | |
| Run Semgrep continuously without changing your CI workflows | Grant read access to user-selected repositories. |
| Manage user authentication with SSO | View and edit SSO configurations. |
| Receive Slack notifications | Be a Slack workspace owner, or coordinate with the team responsible. |
| Send PRs or MRs to your SCM | Edit firewall or VPN allowlists for self-hosted repositories. |
Review network requirements
If your organization uses a firewall, VPN, self-hosted SCM, or other network restrictions, confirm that Semgrep can connect to the systems it needs. You might need to configure:
- Ingress allowlists.
- Egress allowlists.
- CloudFront egress IP addresses.
- Semgrep Network Broker.
- Access for PR or MR comments, Managed Scans, and Semgrep Multimodal.
Confirm version and session requirements
Confirm that your Semgrep CLI version is supported before deployment. Many improvements to the Semgrep AppSec Platform experience only work with up-to-date Semgrep CLI versions. Semgrep AppSec Platform supports the 10 most recent minor versions of Semgrep CLI. For example, if the latest release is 1.60.0, versions 1.51.0 and later are supported, while earlier versions, such as 1.49.0, can result in failures. To update Semgrep, see Update Semgrep. Docker users should use the latest tag to stay up to date.

Review session requirements
Semgrep AppSec Platform session details:
- The time before you need to reauthenticate is 7 days.
- Session tokens are valid for 7 days.
- This session timeout is not configurable.
- Semgrep AppSec Platform does not use cookies; it uses `localStorage` to store access tokens. Data in `localStorage` expires every 7 days.
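The version rule above (the 10 most recent minor releases of the CLI, counted from whatever the latest release is) is easy to get wrong by hand when you have many runners and container images to audit. The following script is an added example, not Semgrep's own code: it parses the output of the real `semgrep --version` flag and checks it against the window. The window size comes from this checklist; the "latest" version is an input you supply yourself (for example from the Semgrep release page), and the `check_installed` wrapper assumes a `semgrep` binary on `PATH`.

```python
"""Pre-deployment check: is the installed Semgrep CLI inside the support window?

Added example for this checklist, not code from Semgrep. The window size
(10 minor versions) is taken from the checklist; the latest release is an
input you supply, it is not fetched here.
"""
import re
import shutil
import subprocess

# The Semgrep AppSec Platform supports the 10 most recent minor releases of the CLI.
SUPPORTED_MINOR_WINDOW = 10

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from '1.60.0', 'v1.60.0' or '1.60.0-rc1' style text.

    `semgrep --version` prints a bare version; the regex also tolerates a
    leading 'v' or a pre-release suffix so the same parser works on git tags.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def oldest_supported(latest: str) -> tuple[int, int, int]:
    """Lowest supported minor release for a given latest release.

    With latest 1.60.0 the window is 1.51 through 1.60, so this returns (1, 51, 0).
    Support is counted by minor version; the patch level does not matter.
    """
    major, minor, _patch = parse_version(latest)
    floor_minor = max(minor - SUPPORTED_MINOR_WINDOW + 1, 0)
    return major, floor_minor, 0


def is_supported(installed: str, latest: str) -> bool:
    """True if `installed` lies within the 10-minor-version window ending at `latest`.

    A different major line is treated as unsupported. An installed minor that is
    newer than the supplied "latest" also returns False: it means the caller's
    notion of the latest release is stale and must be refreshed, not trusted.
    """
    inst_major, inst_minor, _ = parse_version(installed)
    late_major, late_minor, _ = parse_version(latest)
    if inst_major != late_major:
        return False
    if inst_minor > late_minor:
        return False
    return inst_minor >= oldest_supported(latest)[1]


def check_installed(latest: str, semgrep_bin: str = "semgrep") -> tuple[str, bool]:
    """Run `semgrep --version` on the local binary and compare it against the window.

    Returns (installed_version, supported). Raises FileNotFoundError when the
    binary is not on PATH, so a CI pre-flight step fails loudly instead of
    silently skipping the check.
    """
    path = shutil.which(semgrep_bin)
    if path is None:
        raise FileNotFoundError(f"{semgrep_bin} not found on PATH")
    output = subprocess.run([path, "--version"], capture_output=True, text=True, check=True).stdout
    installed = ".".join(str(n) for n in parse_version(output))
    return installed, is_supported(installed, latest)


if __name__ == "__main__":
    import sys

    # Pass the current latest release as the first argument; 1.60.0 is only the
    # checklist's illustrative value, not a real "latest".
    latest_release = sys.argv[1] if len(sys.argv) > 1 else "1.60.0"
    installed_version, ok = check_installed(latest_release)
    floor = ".".join(str(n) for n in oldest_supported(latest_release))
    status = "supported" if ok else "UNSUPPORTED"
    print(f"semgrep {installed_version}: {status} (window {floor} .. {latest_release})")
    sys.exit(0 if ok else 1)
```

Run it as a step before `semgrep ci` in each pipeline, passing the release you have verified as current; a non-zero exit on an out-of-window CLI stops the job before a scan that may fail for reasons unrelated to your code. Note that a Docker image pinned to an old tag passes the `--version` check only for as long as that tag stays inside the window, which is the reason the checklist recommends the latest tag.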
Next steps
After you complete this checklist, continue with the setup guide for your deployment method. Common next steps include:
- Connect your SCM
- Configure SSO
- Set up Semgrep in CI
- Enable PR or MR comments
- Configure notifications
- Add users and assign roles