# Semgrep

> Run Semgrep SAST scans against connected repositories and pull findings — vulnerabilities, secrets, and supply chain issues — directly into your Pwnbook engagements.

## Overview

Semgrep is a fast, open-source static analysis tool that finds bugs, vulnerabilities, and secrets in code. The Pwnbook Semgrep integration pulls scan findings from your Semgrep deployment into engagements, where you can triage, annotate, and track remediation alongside the rest of your pentest work.

## Prerequisites

* A [Semgrep](https://semgrep.dev) account (Semgrep Team or Enterprise)
* A Semgrep API token with read access to your deployment
* Your Semgrep deployment slug
* Admin or Owner access in Pwnbook to configure the integration

## Credentials required

| Field               | Description                                                                                   |
| ------------------- | --------------------------------------------------------------------------------------------- |
| **API Token**       | A Semgrep API token. Generate one at **Semgrep Settings → Tokens**. Needs `scans:read` scope. |
| **Deployment Slug** | Your Semgrep organization/deployment identifier, visible in the Semgrep dashboard URL.        |

## Setup

<Steps>
  <Step title="Generate a Semgrep API token">
    1. Log in to [semgrep.dev](https://semgrep.dev).
    2. Go to **Settings → Tokens**.
    3. Click **Create new token**.
    4. Give it a name (e.g., `pwnbook-integration`) and select the `scans:read` scope.
    5. Copy the token — you won't be able to see it again. Store it in a secrets manager rather than a ticket or chat message: it grants read access to every finding in your deployment.
  </Step>

  <Step title="Find your deployment slug">
    Your deployment slug appears in the URL when you're in the Semgrep dashboard:

    ```
    https://semgrep.dev/orgs/<your-deployment-slug>/...
    ```

    Copy the slug portion.
  </Step>

  <Step title="Configure the integration in Pwnbook">
    1. Go to **Organization Settings → Marketplace → Semgrep**.
    2. Click **Configure**.
    3. Enter your **API Token** and **Deployment Slug**.
    4. Click **Save & Test** to verify the credentials.
  </Step>

  <Step title="Configure per-repository sync settings">
    After connecting, Pwnbook loads a list of repositories from your Semgrep deployment.

    For each repository you want to sync findings from:

    1. Toggle **Visible** to show findings in Pwnbook.
    2. Toggle **Sync Enabled** to pull new findings automatically.
    3. (Optional) Add a **Note** to record context about this repository.
    4. Click **Save**.
  </Step>
</Steps>
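Before pasting the credentials into Pwnbook, you can verify them from the command line so that a failed **Save & Test** is easy to attribute to the token, the slug, or the token's scope. The script below is an added example written for this page, not Pwnbook or Semgrep code. It assumes the public Semgrep API at `https://semgrep.dev/api/v1` accepts a Bearer token, that `GET /deployments` returns a `deployments` list whose entries carry a `slug`, and that `GET /deployments/<slug>/findings` is the findings endpoint; those response shapes are assumptions, not something this page documents. The transport is injectable, so the offline demo and the checks run against a constructed fake response.

```python
"""Pre-flight check for the Pwnbook Semgrep integration (added example; not
Pwnbook or Semgrep code).  Confirms an API token and deployment slug before
they are entered under Organization Settings -> Marketplace -> Semgrep."""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Public Semgrep API base URL (assumed; endpoint shapes below are assumptions too).
SEMGREP_API = "https://semgrep.dev/api/v1"


def extract_deployment_slug(dashboard_url: str) -> str:
    """Return the slug from a dashboard URL shaped https://semgrep.dev/orgs/<slug>/...
    Raises ValueError for any other URL so a copy-paste mistake fails loudly."""
    parts = [p for p in urlparse(dashboard_url).path.split("/") if p]
    if len(parts) < 2 or parts[0] != "orgs":
        raise ValueError(f"not a Semgrep dashboard URL: {dashboard_url}")
    return parts[1]


def http_get(url: str, token: str) -> tuple[int, dict]:
    """Real transport: GET with a Bearer token, returning (status, JSON body).
    HTTP errors are returned, not raised, so the caller can classify them."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, {}


def check_credentials(token: str, slug: str, get=http_get) -> dict:
    """Mirror what 'Save & Test' has to establish: the token is accepted, the slug
    is one this token can see, and findings are readable with the token's scope."""
    result = {"token_valid": False, "slug_found": False, "findings_readable": False, "error": None}

    status, body = get(f"{SEMGREP_API}/deployments", token)
    if status == 401:
        result["error"] = "token rejected (401): regenerate it under Semgrep Settings -> Tokens"
        return result
    if status != 200:
        result["error"] = f"unexpected HTTP {status} from /deployments"
        return result
    result["token_valid"] = True

    slugs = {d.get("slug") for d in body.get("deployments", []) if d.get("slug")}
    if slug not in slugs:
        result["error"] = f"slug {slug!r} not visible to this token; it sees {sorted(slugs)}"
        return result
    result["slug_found"] = True

    status, _ = get(f"{SEMGREP_API}/deployments/{slug}/findings?page_size=1", token)
    if status == 200:
        result["findings_readable"] = True
    elif status == 403:
        result["error"] = "token cannot read findings; recreate it with the scans:read scope"
    else:
        result["error"] = f"unexpected HTTP {status} from /findings"
    return result


def fake_transport(url: str, token: str) -> tuple[int, dict]:
    """Constructed offline stand-in for the API: one deployment, 'good' token only."""
    if token != "good":
        return 401, {}
    if url.endswith("/deployments"):
        return 200, {"deployments": [{"id": 1, "name": "Acme Security", "slug": "acme-sec"}]}
    if "/deployments/acme-sec/findings" in url:
        return 200, {"findings": []}
    return 404, {}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        token, target = sys.argv[1], sys.argv[2]
        slug = extract_deployment_slug(target) if "://" in target else target
        outcome = check_credentials(token, slug)
    else:
        # No arguments: run the offline demo against the constructed transport.
        outcome = check_credentials("good", "acme-sec", get=fake_transport)
    print(json.dumps(outcome, indent=2))
    sys.exit(0 if outcome["findings_readable"] else 1)
```

Run it as `python3 semgrep_preflight.py <api-token> https://semgrep.dev/orgs/<your-deployment-slug>/findings` against the real API, or with no arguments for the offline demo. A `401` points at the token, a slug missing from the `deployments` list points at the copied URL, and a `403` on the findings endpoint points at the token's scope.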

## What gets synced

Pwnbook pulls the following data from Semgrep:

| Data                      | Description                                                                                       |
| ------------------------- | ------------------------------------------------------------------------------------------------- |
| **SAST findings**         | Code vulnerabilities identified by Semgrep rules, with file path, line numbers, and column ranges |
| **Secrets findings**      | Exposed credentials, API keys, and tokens detected in code                                        |
| **Supply chain findings** | Vulnerable dependencies and packages                                                              |
| **Severity**              | Critical, high, medium, low, informational                                                        |
| **Rule metadata**         | Rule ID, message, CWE mappings, OWASP category                                                    |
| **Remediation guidance**  | Fix suggestions where available from Semgrep rules                                                |

## Viewing findings in Pwnbook

Synced Semgrep findings appear in the engagement under **Security Findings → Semgrep**. From there you can:

* Filter by severity, type, and repository
* Add internal notes to individual findings
* Link findings to tasks or threat model threats
* Mark findings as resolved, acknowledged, or suppressed

## Refreshing findings

Pwnbook caches findings from Semgrep. To pull the latest:

1. Go to **Organization Settings → Marketplace → Semgrep**.
2. Click **Refresh Findings**.

You can also trigger a refresh from within an engagement's findings view.

## Disconnecting

To remove the Semgrep integration:

1. Go to **Organization Settings → Marketplace → Semgrep**.
2. Click **Disconnect**.
3. Confirm the disconnection.

Previously synced findings remain in Pwnbook until manually deleted. Disconnecting does not revoke the API token in Semgrep; if it is no longer needed, revoke it under **Settings → Tokens** in Semgrep.
