
View findings' details

The finding's details page displays in-depth information about the finding, including:

  • A detailed description of the finding
  • Rule details, including the rule pattern itself, the vulnerability class, and identifiers such as the CWE ID
  • Finding details, such as when the finding was identified, the project and branch name, and commit ID where the issue was introduced
  • The code snippet where the issue was identified, along with a link to the source code where Semgrep identified the issue
  • Suggested fixes for the issue, either generated by Semgrep Assistant or from the rule itself
  • Activity history for the finding, including when it was first identified, whether it has been analyzed by Semgrep Assistant, whether there are any accompanying Jira tickets, notes written by other Semgrep users specifically about this finding, and more.

View a finding's details

  1. Log in to Semgrep AppSec Platform.
  2. In the Navigation bar, click Code.
  3. Identify the finding whose details you want to view:
    • If the default Group by Rule is enabled, click the Details icon on the card of the finding.
    • If the No grouping view is enabled, click the header hyperlink on the card of the finding.

Semgrep Assistant’s rule and analysis explanation

When Semgrep Assistant is enabled and classifies a finding as a true or false positive, an alert appears at the top of the finding’s details page. You can also view a detailed explanation that, if applicable, includes steps to exploitability in the Finding description tab.

For true positives, the detailed explanation includes a summary and rationale for why the finding was flagged. It draws on the code that matched the rule pattern and the surrounding code to provide context for the rule message. For security-related rules, it also explains how the finding relates to the rule’s threat model.

For false positives, the explanation contains only Assistant’s reasoning, without additional code context. Some explanations refer to memories, which Assistant uses to determine whether a finding is a false positive. However, memories are not used when generating the explanation itself.

If Assistant flags a finding as a false positive, you can provide feedback by selecting Agree and Ignore or Disagree.

Dataflow traces

Dataflow traces allow you to visualize the path of tainted, or untrusted, data in findings. This path can help you track the sources and sinks of the tainted data as they propagate through the body of a function or a method. For general information about taint analysis, see Taint tracking.

View dataflow traces

Prerequisite

Not all Semgrep rules or rulesets make use of dataflow traces, or taint tracking. Ensure that a ruleset whose rules use taint tracking, such as the default ruleset, is added on your Policies page. If the default ruleset is not added, go to https://semgrep.dev/p/default, and then click Add to Policy. You can also add individual rules that use taint tracking from Semgrep Registry.

To view the detailed path of tainted data with dataflow traces:

  1. Log in to Semgrep AppSec Platform, and click Code in the Navigation Bar to view your findings.
  2. Select the finding you're interested in, then do one of the following actions:
    • If the default Group by Rule is enabled, click the View details icon on the card of the finding.
    • If No grouping view is enabled, click the header hyperlink on the card of the finding. In the example screenshot below, the link is titled tainted-sql-string.
  3. In the section titled Your code, you can see the source, traces, and sink of the tainted data. Clicking on a specific line in the trace will highlight it in the context of the file, while clicking on the file name at the top of the right pane will take you directly to that file in your source code manager, such as GitHub or GitLab.
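Added example, not part of the Semgrep docs: a Python lookup laid out the way a taint rule such as tainted-sql-string would trace it, with comments marking the source, the intermediate trace, and the sink that the Your code section highlights, beside a parameterized version that the same rule does not flag. The function names, the in-memory sqlite table, and the sample rows are constructed for this example.

```python
import sqlite3


def make_connection() -> sqlite3.Connection:
    # Constructed sample data for the example: a small in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def build_query(name: str) -> str:
    # Intermediate trace: taint propagates through the f-string and the
    # return value, so this line appears between source and sink in the trace.
    return f"SELECT name, role FROM users WHERE name = '{name}'"


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Source: `name` arrives from the caller (in a web app, a request
    # parameter matched by the rule's pattern-sources).
    query = build_query(name)
    # Sink: the tainted string reaches execute(), which is where the finding
    # is reported; a quote in the input already breaks the statement.
    return conn.execute(query).fetchall()


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the value is bound as a parameter, so no tainted data
    # flows into the SQL text and the taint rule has nothing to report.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    # Runs both versions on a legitimate name that contains an apostrophe.
    conn = make_connection()
    name = "o'brien"
    try:
        unsafe, unsafe_error = lookup_user_unsafe(conn, name), None
    except sqlite3.OperationalError as exc:
        unsafe, unsafe_error = None, type(exc).__name__
    return {
        "plain": lookup_user(conn, "alice"),
        "safe": lookup_user(conn, name),
        "unsafe": unsafe,
        "unsafe_error": unsafe_error,
    }
```

The parameterized version returns no rows for the apostrophe name, while the concatenating version fails with a SQL syntax error: the same flaw that lets untrusted data alter the statement.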

Available actions on the finding details page

Click on the kebab icon to see the menu that includes the following options:

  • Mark as reviewing to change its status to Reviewing and flag the finding as one that is under further manual review
  • Copy file path of the source code where Semgrep identified the issue
  • Copy link to the finding's details page

Scan with Assistant

If the finding hasn't been analyzed by Assistant, click the Analyze button to begin analysis. Assistant can:

  • Recommend whether the finding should be fixed or ignored
  • Provide remediation guidance and generate a recommended code fix, if appropriate
  • Tag the finding with a component tag, such as auth or payments.

Ignore the finding

Click Ignore... to ignore the finding. Provide an Ignore reason, and add Comments on why you think that this finding should be ignored.

If the file for the finding in question is a test file or something similar, you can choose the Ignore files in future scans... option, then select the file. Semgrep ignores the file in subsequent scans.

Click Ignore to proceed.

Fix the finding

Click Fix to see the menu that includes the following options:

  • View the associated Jira ticket, if available
  • Open a PR that fixes the issue, if possible
  • Change the status of the issue to To fix, indicating that you plan to return to the finding in the future

Semgrep automatically marks findings as fixed when they're no longer detected in subsequent scans.

Add notes to findings

To add notes to the activity history of a finding:

  1. Select a finding where you want to view details or add notes, and then do one of the following actions:
    • If the default Group by Rule is enabled, click the Details icon on the card of the finding.
    • If No grouping view is enabled, click the header hyperlink on the card of the finding.
  2. Go to the Activity section, then click New note.
