Semgrep Pro Tier integration

Integrating with Semgrep Pro Tier

Overview

Semgrep Pro Tier integration enables you to use Semgrep's Pro Tier (commercial) Static Code Analysis (SAST) and Software Component Analysis (SCA) within Jit's platform.

Activating and disabling Semgrep Pro Tier integration

To activate Semgrep Pro SAST & SCA

  1. From Semgrep's platform, select Settings > Tokens and create a new Agent (CI) token.
  2. From the Jit platform, select Secrets in the menu bar under Settings.
  3. Follow the instructions in Secrets to store this token as a secret called SEMGREP_TOKEN.
  4. Activate the SAST and SCA plan items from the relevant security plan: go to Security Plans, open the plan, and activate the items. For example, SAST and SCA are part of the Jit MVS for AppSec Plan.
  5. Activate Semgrep's Pro Tier SAST & SCA by adding the following snippet at the bottom of the jit-plan.yml file in your .jit repository, or in the repository where you manage Jit's configurations:
override:
  workflows:
    sca:
      jobs:
        software-component-analysis-semgrep-pro:
          enabled: true
    sast:
      jobs:
        static-code-analysis-semgrep-pro:
          enabled: true
  6. Disable other SAST & SCA jobs to prevent conflicts. Your jit-plan.yml overrides should look as follows:
override:
  workflows:
    sca:
      jobs:
        software-component-analysis:
          enabled: false
        software-component-analysis-go:
          enabled: false
        software-component-analysis-js:
          enabled: false
        software-component-analysis-semgrep-pro:
          enabled: true
    sast:
      jobs:
        static-code-analysis-csharp:
          enabled: false
        static-code-analysis-go:
          enabled: false
        static-code-analysis-java:
          enabled: false
        static-code-analysis-js:
          enabled: false
        static-code-analysis-kotlin:
          enabled: false
        static-code-analysis-python:
          enabled: false
        static-code-analysis-python-semgrep:
          enabled: false
        static-code-analysis-rust:
          enabled: false
        static-code-analysis-scala:
          enabled: false
        static-code-analysis-swift:
          enabled: false
        static-code-analysis-ruby:
          enabled: false
        static-code-analysis-c-cpp:
          enabled: false
        static-code-analysis-semgrep-pro:
          enabled: true

📘 Additional information

  • This code overrides the original Jit configuration by disabling Jit's SAST and SCA tools and enabling Semgrep's Pro Tier.
  • You can add or delete this code any time you want to switch between Semgrep's Pro Tier and Jit's SAST / SCA.
  • To only activate Semgrep's Pro Tier SAST, delete the entire SCA block.
  • To only activate Semgrep's Pro Tier SCA, delete the entire SAST block.

To disable Semgrep's Pro Tier SAST & SCA

Delete the above code from your .jit/jit-plan.yml. This reverts your plan to Jit's tools for SAST and SCA.