We often hear from AppSec professionals that the pains of setting up, deploying, and maintaining code scanning infrastructure are a major resource drain. Semgrep already integrates with popular CI/CD systems, but onboarding isn’t truly great until it’s hands-free.
In light of this, we’re excited to announce the expansion of Semgrep Managed Scanning. It now includes both GitLab.com and GitLab Self-Managed, in addition to our existing support for GitHub.com and GitHub Enterprise.
Rapidly roll out Semgrep across all repositories in your GitLab Groups
Since the initial launch of Semgrep Managed Scanning for GitHub users, we’ve seen hundreds of users successfully onboard tens of thousands of repositories for automated, effortless scanning. This has helped users quickly move onto higher priority AppSec tasks: building systems to prioritize the highest signal findings and guardrailing developers onto secure defaults.
Now available in public beta, Semgrep Managed Scanning for GitLab brings the same functionality to users with GitLab-hosted repositories. During our private beta, multiple customers that were already running Semgrep in CI transitioned multiple repositories seamlessly over to Managed Scanning – immediately freeing them from the time-consuming overhead of managing CI pipelines.
Figure 1: Managed Scanning is now available for both GitHub and GitLab
Recap: how Semgrep Managed Scanning works
Semgrep Managed Scanning for GitLab automatically connects to the repositories in your GitLab Group when given an access token with the right permissions. Afterwards, Semgrep establishes the necessary GitLab webhooks, which configure and manage scans across all your repositories.
Figure 2: Semgrep will prompt for your personal or group access token in order to configure scans
Rather than requiring you to add a Semgrep job or workflow to your CI/CD pipeline, Semgrep uses webhooks to synchronize your repositories and configure scans. Everything runs on the platform’s infrastructure, eliminating the need for internal servers or compute resources on your end.
Figure 3: Configuring scan settings on the project settings page
Once enabled, Semgrep Managed Scanning automatically runs full scans weekly and diff scans on every pull request. You can also manually trigger a full scan at the click of a button from the project’s settings page. Which Semgrep findings are presented as merge request comments is determined by the Semgrep policy settings, across “Monitor,” “Comment,” or “Blocking” modes.
To perform the scan and return findings, Semgrep’s infrastructure creates an ephemeral copy of the project’s source code. Once the scan is completed, findings are sent to Semgrep AppSec Platform, and the copy of the source code is automatically deleted. If you’ve configured any rules to send findings as comments in merge requests, findings will also appear there.
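As an illustrative model of the flow described above (an added example, not Semgrep’s own implementation), the snippet below validates a GitLab merge request webhook delivery, extracts what a diff scan needs, and runs the scan in an ephemeral working copy that is deleted whether or not the scan succeeds. It assumes GitLab’s standard `X-Gitlab-Token` and `X-Gitlab-Event` headers and merge request hook payload fields; the `scan` callable that clones the repository and invokes the scanner is a hypothetical injected step, and the secret value is constructed.

```python
import hmac
import json
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Optional

# Constructed value for this example; a real service loads the secret from its secret store.
WEBHOOK_SECRET = "constructed-webhook-secret"

@dataclass(frozen=True)
class DiffScanJob:
    repo_url: str       # clone URL of the GitLab project
    head_sha: str       # merge request head commit to scan
    target_branch: str  # branch the diff is computed against
    mr_iid: int         # merge request number, needed to post findings as comments

def parse_mr_event(headers: dict, body: bytes, secret: str = WEBHOOK_SECRET) -> Optional[DiffScanJob]:
    """Validate one webhook delivery; return None for anything that must be ignored."""
    # GitLab sends the secret configured on the webhook verbatim in X-Gitlab-Token.
    # Constant-time comparison keeps unauthenticated callers from triggering scans.
    if not hmac.compare_digest(headers.get("X-Gitlab-Token", ""), secret):
        return None
    if headers.get("X-Gitlab-Event") != "Merge Request Hook":
        return None
    event = json.loads(body)
    attrs = event["object_attributes"]
    if attrs.get("action") not in ("open", "update", "reopen"):  # actions that carry new code
        return None
    return DiffScanJob(
        repo_url=event["project"]["git_http_url"],
        head_sha=attrs["last_commit"]["id"],
        target_branch=attrs["target_branch"],
        mr_iid=int(attrs["iid"]),
    )

def run_diff_scan(job: DiffScanJob, scan: Callable[[Path, DiffScanJob], dict]) -> dict:
    """Run the hypothetical `scan` (clone at job.head_sha, then diff-scan) in an
    ephemeral directory that is removed even if the scan raises."""
    workdir = Path(tempfile.mkdtemp(prefix="managed-scan-"))
    try:
        return scan(workdir, job)
    finally:
        # The source copy must not outlive the scan, whatever happened.
        shutil.rmtree(workdir, ignore_errors=True)
```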
In summary, you can now leverage the power of Semgrep Managed Scanning for GitLab in addition to GitHub: config-free setup, automated configuration, and effortless scanning.
Want to try Semgrep Managed Scanning? Check out our docs to get started today or book a demo!