Triage and remediate findings

This article shows you how to manage and triage findings identified by Semgrep Code using Semgrep AppSec Platform. The specific actions available to you when managing your findings include:

  • Fixing the issue detected. This is Semgrep's primary goal. If the rule produces a true positive finding, such as a security issue, developers must change or address the code so that the rule no longer matches it.
  • Triaging the finding. Deprioritize a finding if it's not helpful or important through triage. Triage actions include ignoring and reopening a previously ignored finding. Triaging a finding to ignore is one method to handle false positives without changing a rule or your code.
  • Removing the rule or code that generated the finding. There are cases where Semgrep scans a file it should ignore or scans the file with an irrelevant rule. You can disable the rule from the Policies page or add the file to the ignore list.

Semgrep Assistant

If you have Semgrep Assistant enabled, you receive AI-powered security recommendations to help you review, triage, and remediate your Semgrep findings:

  • Remediation advice shown in Semgrep AppSec Platform, including:
    • Guidance with step-by-step instructions on how to remediate the finding identified by Semgrep Code in every pull request or merge request comment Semgrep pushes
    • Autofixes, or suggested code fixes
  • Component tagging to help identify high-priority issues

Semgrep Assistant can also auto-triage findings, suggest whether a finding can safely be ignored, and filter out potential false positives to help increase developer velocity.

Triage statuses

Triage is the prioritization of a finding based on policies or criteria set by your team or organization, such as severity, coding standards, business goals, and product goals.

Semgrep AppSec Platform uses the logic specified in the table below to automatically mark findings as either fixed or removed when they are no longer present in the code. Additionally, Semgrep can automatically mark findings as provisionally ignored based on AI analysis, validation results, and reachability analysis.

You can manually Ignore findings or set them as To fix or Reviewing in Semgrep AppSec Platform directly through triage or bulk triage actions.

The triage statuses are as follows:

  • Open: Findings are open by default. A finding is open if it was present the last time Semgrep scanned the code and has not been ignored. An open finding represents a match between the code and a rule enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability.
  • Reviewing: Indicates that the finding requires investigation to determine what the next steps in the triage process should be.
  • Provisionally ignored: Findings that Semgrep Assistant has flagged as false positives. You can change the status to Ignored if you agree with Assistant's assessment. Otherwise, you can change the status to To fix if you disagree.
  • To fix: Findings that you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work.
  • Fixed: Fixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code.
  • Ignored: Findings marked as ignored are present in the code but have been labeled unimportant. Ignore false positives or deprioritized issues. Mark findings as ignored through Semgrep AppSec Platform or by adding a nosemgrep code comment. You can also provide a reason for ignoring a finding: False positive, Acceptable risk, No time to fix.
  • Closed: Vulnerabilities that are no longer detected after a scan. This can be due to changes in the underlying rule or the code.

Removed findings

Findings can also be removed. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions:

  • The rule that detected the finding isn't enabled in the policy anymore.
  • The rule that detected the finding was updated in a way that it no longer detects the finding.
  • The file path where the finding appeared is no longer found. The file path was deleted, renamed, added to a .semgrepignore file, added to a .gitignore file, or added to the list of ignored paths in Semgrep AppSec Platform.
  • For GitHub organization accounts: the pull request or merge request where the finding was detected has been closed without merging.

Your removed findings do not count toward the fix rate or the number of findings. The removed findings also do not appear in Semgrep AppSec Platform.

Triage behavior across refs and branches

  • When you triage a finding as ignored, reviewing, fixing, or reopened, Semgrep always triages across other branches and Git references (refs).
  • At scan time, Semgrep automatically triages findings in specific cases, and the behavior depends on the type of scan:
    • Full scans: if the current branch includes a finding that was
      • Previously introduced in another branch, and
      • Triaged to a specific state,
        then the finding in the current branch is triaged to that same state.
    • Diff-aware scans: findings introduced in a diff-aware scan are not automatically triaged at scan time, even if other instances of that finding on other branches have been triaged.
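The status rules in the two sections above (when an absent finding counts as Fixed rather than Removed, how manual triage propagates across refs, and how full scans inherit triage state while diff-aware scans do not) are easier to reason about as a small model. The following Python is an added illustration written for this page, not Semgrep's own code: the `Finding.key` identity field, the `ScanContext` fields, and the choice of which states count as "triaged" for inheritance are modeling assumptions.

```python
"""Model of how finding status changes at scan time and during manual triage.

Constructed illustration of the rules described on this page; it is not
Semgrep's implementation. Finding.key (a stable identity for one match across
branches and scans) and the ScanContext fields are assumptions of the model.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    OPEN = "open"
    REVIEWING = "reviewing"
    TO_FIX = "fixing"
    IGNORED = "ignored"
    FIXED = "fixed"
    REMOVED = "removed"


# States set by a person (or Assistant) through triage. Assumption: these are
# the states a full scan carries over from another branch or ref.
TRIAGED_STATES = {Status.REVIEWING, Status.TO_FIX, Status.IGNORED}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    key: str  # assumed stable identity of the match across branches and scans


@dataclass
class ScanContext:
    scan_type: str                                   # "full" or "diff"
    enabled_rules: set[str]                          # rules enabled in the policy
    updated_rules: set[str] = field(default_factory=set)   # rules whose pattern changed
    present_paths: set[str] = field(default_factory=set)   # files the scan can still see
    ignored_paths: set[str] = field(default_factory=set)   # .semgrepignore/.gitignore/platform ignore list
    pr_closed_unmerged: bool = False                 # GitHub org accounts: PR closed without merge
    other_branch_states: dict[str, Status] = field(default_factory=dict)  # key -> status elsewhere


def status_when_absent(f: Finding, ctx: ScanContext) -> Status:
    """Status for a finding from the previous scan that the latest scan no longer reports."""
    if f.rule_id not in ctx.enabled_rules:
        return Status.REMOVED      # rule no longer enabled in the policy
    if f.rule_id in ctx.updated_rules:
        return Status.REMOVED      # rule updated so it no longer matches
    if f.path not in ctx.present_paths or f.path in ctx.ignored_paths:
        return Status.REMOVED      # file deleted, renamed, or now ignored
    if ctx.pr_closed_unmerged:
        return Status.REMOVED      # PR/MR closed without merging
    return Status.FIXED            # file still scanned with the same rule: the code changed


def status_when_introduced(f: Finding, ctx: ScanContext) -> Status:
    """Initial status for a finding the latest scan newly reports on this branch."""
    if ctx.scan_type == "full":
        inherited = ctx.other_branch_states.get(f.key)
        if inherited in TRIAGED_STATES:
            return inherited       # full scans inherit triage state from other refs
    return Status.OPEN             # diff-aware scans never auto-triage at scan time


def apply_scan(previous: list[Finding], current: list[Finding], ctx: ScanContext) -> dict[str, Status]:
    """Return the status changes produced by one scan (unchanged findings are omitted)."""
    prev_keys = {f.key for f in previous}
    cur_keys = {f.key for f in current}
    changes: dict[str, Status] = {}
    for f in previous:
        if f.key not in cur_keys:
            changes[f.key] = status_when_absent(f, ctx)
    for f in current:
        if f.key not in prev_keys:
            changes[f.key] = status_when_introduced(f, ctx)
    return changes


def manual_triage(key: str, new_status: Status,
                  states_by_branch: dict[str, dict[str, Status]]) -> dict[str, dict[str, Status]]:
    """Manual triage (ignore, review, fix, reopen) applies to the same finding on every ref."""
    for branch_states in states_by_branch.values():
        if key in branch_states:
            branch_states[key] = new_status
    return states_by_branch


if __name__ == "__main__":
    # Constructed sample: one finding on main was ignored; a full scan of a feature
    # branch that contains the same match inherits that decision.
    f = Finding("example.rule-id", "app/handlers.py", "k1")
    ctx = ScanContext("full", {"example.rule-id"}, present_paths={"app/handlers.py"},
                      other_branch_states={"k1": Status.IGNORED})
    print(apply_scan([], [f], ctx))   # {'k1': <Status.IGNORED: 'ignored'>}
```

The interesting branch for an AppSec team is `status_when_absent`: a finding that disappears because its file was added to `.semgrepignore` is Removed, not Fixed, so it drops out of the fix-rate calculation rather than improving it.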

Triage and remediation

The following sections show you how to manage your findings by:

  • Fixing the underlying code
  • Disabling a rule or a ruleset
  • Ignoring a finding
  • Reopening a finding

Note that some actions, such as ignoring and reopening findings, require different steps based on whether you have chosen Group by Rule or No Grouping when viewing your results on the Findings page.

Fix a finding

To fix a finding, update or refactor the code so that the Semgrep rule pattern no longer matches it.

Review provisionally ignored findings

If you have Semgrep Assistant enabled, review the findings that have been provisionally ignored. These are findings that Semgrep Assistant has flagged as false positives. For each finding, you can change the status to Ignored if you agree with Assistant's assessment. Otherwise, you can change the status to To fix if you disagree.

Findings with a status of provisionally ignored block pull requests and merge requests if the matching rule is included in a blocking policy.

Ignore findings

To handle false positives without changing the rule or your code, set the finding's triage status to ignore.

Ignore findings in Group by Rule view

To ignore findings in the Group by Rule view:

  1. Go to Code > All, and ensure that your filters are set to display all Open findings.
  2. Perform one of these steps:
    • To select all findings for the same rule, select the first checkbox on the finding's card, then click Triage > Ignored.
    • To select individual findings reported by a rule, fill in the checkboxes of the finding, and then click Triage > Ignored.
  3. Select Ignore reason, and optionally, provide Comments to describe why the finding was ignored.
  4. Click Submit.

Ignore findings in No grouping view

To ignore an individual finding in the No grouping view, follow these steps:

  1. Go to Code > All, and ensure that your filters are set to display all Open findings.
  2. Select the checkbox next to a finding you want to ignore, and click Triage > Ignored.
  3. Select Ignore reason, and optionally, provide Comments to describe why the finding was ignored.
  4. Click Submit.

To ignore multiple findings in the No grouping view, follow these steps:

  1. Go to Code > All, and ensure that your filters are set to display all Open findings.
  2. Perform one of these steps:
    • Select all findings on the page displayed by clicking on the header row checkbox that states X matching findings. You can navigate to succeeding pages and add other results to the current selection.
    • Select all findings of interest by clicking on their checkboxes.
  3. Click Triage > Ignored.
  4. Select Ignore reason, and optionally, provide Comments to describe why the findings were ignored.
  5. Click Submit.

Reopen findings

You can reopen a finding at any time, whether you previously marked it as ignored or Semgrep automatically marked it as provisionally ignored.

Reopen findings in Group by Rule view

To reopen findings in the Group by Rule view, follow these steps:

  1. Go to Code > All, and ensure that your filters are set to display all Ignored, Provisionally Ignored, or Fixed findings.
  2. Perform one of these steps:
    • To select all findings for the same rule, select the first checkbox on the finding's card, then click Triage > Open.
    • To select individual findings reported by a rule, fill in the checkboxes of the finding, and then click Triage > Open.
  3. Optional: Write a reason to describe why the finding was reopened.
  4. Click Submit.

Reopen findings in No grouping view

To reopen individual findings in the No grouping view, follow these steps:

  1. Go to Code > All, and ensure that your filters are set to display all Ignored, Provisionally Ignored, or Fixed findings.
  2. Select the checkbox next to a finding you want to reopen. Click Triage > Open.
  3. Optional: Write a reason to describe why the finding was reopened.
  4. Click Submit.

To reopen multiple findings in the No grouping view, follow these steps:

  1. Go to Code > All, and ensure that your filters are set to display all Ignored, Provisionally Ignored, or Fixed findings.
  2. Perform one of these steps:
    • Select all findings on the page displayed by clicking on the header row checkbox that states X matching findings. You can navigate to succeeding pages and add other results to the current selection.
    • Select all findings of interest by clicking on their checkboxes.
  3. Click Triage > Open.
  4. Optional: Write a reason to describe why the finding was reopened.
  5. Click Submit.

Turn off a ruleset or a rule

You can turn off a specific rule or ruleset to prevent Semgrep Code from using it when scanning your codebase.

Info: When you turn off a rule, existing findings from that rule remain open until you re-scan your code.

Disable rules and rulesets

To disable a rule:

  1. Go to the Policies page and select either:
    • The top Number Matching Rules checkbox to select all rules.
    • Individual checkboxes next to a rule to turn off rules one by one.
  2. Click (Number) Change modes, then click Disabled.

You can also set the state in the Mode column to Disabled for individual rules.

To turn off a ruleset using the Policies page:

  1. Go to the Policies page.
  2. Use the Ruleset filter's drop-down box to find and click the ruleset to remove.
  3. Click Matching rules.
  4. Click Change modes > Disabled.

Triage findings through PR and MR comments

You can triage your Semgrep AppSec Platform findings displayed as comments in PRs and MRs by replying with another comment.

Before proceeding, ensure that you have:

To triage a finding:

  1. Find an open comment created by Semgrep in your pull request or merge request.
  2. In a subsequent comment, reply with the action you want to take. You must provide a reason to help the reader understand why the finding has been triaged as ignored:
    • /fp <COMMENT>: Triage a finding as Ignored with the triage reason false positive. Provide a <COMMENT> with information about the triage decision.
    • /ar <COMMENT>: Triage a finding as Ignored with the triage reason acceptable risk. Provide a <COMMENT> with information about the triage decision.
    • /other <COMMENT>: Triage a finding as Ignored without specifying the reason; the triage reason value is set to No triage reason. Provide a <COMMENT> with information about the triage decision.
    • /open <REASON>: Reopen a finding that has been triaged as Ignored. Optionally, provide a <COMMENT> with information about the decision to reopen the finding.

Semgrep attempts to reply to your comment if it successfully triages the finding.

Triaging a finding as Ignored through a comment changes the status of the finding to Ignored in Semgrep AppSec Platform. However, the pull request or merge request conversation itself is not automatically resolved by this process.

Legacy commands

Semgrep supports older versions of this feature that used the following commands:

  • /semgrep ignore <REASON> - triage a finding as Ignored.
  • /semgrep open <REASON> - reopen a finding that has been triaged as Ignored.
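For teams that mirror these PR and MR triage decisions into their own tooling (a ticketing sync, an audit log, or a bot that validates that ignores carry a justification), the comment format above is small enough to parse directly. The parser below is an added example for this page, not Semgrep's own code; it accepts the current commands and the legacy two-word forms, rejects an ignore command that has no justification text, and ignores replies that merely mention a command mid-sentence. The reason strings reuse the display values the page lists; the exact enum spelling the API uses is not on this page, and which reason value the legacy `/semgrep ignore` command sets is not stated, so it is recorded as `None` here.

```python
"""Parser for Semgrep triage commands posted as PR/MR comment replies.

Constructed example for this page, not Semgrep's implementation. Reason
strings are the display values from the page ("False positive",
"Acceptable risk", "No triage reason"); the API's enum spelling is assumed
to differ and is not modeled.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TriageAction:
    state: str              # "ignored" or "open"
    reason: Optional[str]   # triage reason for ignores; None for reopen or legacy ignore
    note: str               # free-text justification that followed the command


# Command -> (resulting state, triage reason). Legacy forms are matched with any
# run of whitespace between "/semgrep" and the verb.
_COMMANDS = [
    (re.compile(r"^/fp(?=\s|$)"), "ignored", "False positive"),
    (re.compile(r"^/ar(?=\s|$)"), "ignored", "Acceptable risk"),
    (re.compile(r"^/other(?=\s|$)"), "ignored", "No triage reason"),
    (re.compile(r"^/open(?=\s|$)"), "open", None),
    (re.compile(r"^/semgrep\s+ignore(?=\s|$)"), "ignored", None),  # legacy; reason value not stated on the page
    (re.compile(r"^/semgrep\s+open(?=\s|$)"), "open", None),       # legacy
]


def parse_triage_comment(body: str) -> Optional[TriageAction]:
    """Return the triage action a comment requests, or None if it is not a command.

    A command must start the comment; a reply that mentions "/fp" later in a
    sentence is ordinary discussion. Ignore commands without justification text
    are rejected, matching the page's requirement to provide a reason.
    """
    text = body.strip()
    for pattern, state, reason in _COMMANDS:
        m = pattern.match(text)
        if not m:
            continue
        note = text[m.end():].strip()
        if state == "ignored" and not note:
            return None  # ignoring requires a written reason
        return TriageAction(state=state, reason=reason, note=note)
    return None


def summarize_thread(comments: list[str]) -> list[TriageAction]:
    """Collect the triage actions from a list of reply bodies, in order."""
    actions = []
    for body in comments:
        action = parse_triage_comment(body)
        if action is not None:
            actions.append(action)
    return actions


if __name__ == "__main__":
    # Constructed sample replies under a Semgrep PR comment.
    thread = [
        "/fp the input is a compile-time constant, not user data",
        "Thanks, I'll use /fp once I confirm",
        "/fp",
        "/open regression: the constant was replaced by a request parameter",
    ]
    for a in summarize_thread(thread):
        print(a)
```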

Triage findings in bulk through the Semgrep API

Semgrep provides an API endpoint you can use to triage findings in bulk, either by passing a list of issue_ids or filter query parameters to select findings. You must also specify an issue_type, such as sast or sca, and either new_triage_state or new_note.

The available new_triage_state values you can set are:

  • open
  • reviewing
  • fixing
  • ignored
  • fixed

If specifying a new_triage_reason, you must also use new_triage_state=ignored.

Note: When retrieving findings through the API, you may also see the provisionally_ignored status. This status is automatically set by Semgrep and cannot be manually assigned through the bulk triage API.

Refer to Bulk triage API documentation for complete details.
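The constraints listed above (select findings by issue_ids or by filter, give an issue_type of sast or sca, supply new_triage_state or new_note, use new_triage_reason only together with new_triage_state=ignored, and never assign provisionally_ignored) are worth checking client-side before a bulk call touches hundreds of findings. The following Python is an added example for this page, not Semgrep's client or API code: it validates a request against those rules and builds the JSON body. The endpoint URL template, the HTTP method and the Bearer token header are placeholders to be confirmed against the Bulk triage API documentation, and the field names are taken from the page as-is.

```python
"""Validate and build a bulk triage request for the Semgrep API.

Constructed example for this page, not Semgrep's own client. The endpoint URL
template and HTTP method are PLACEHOLDERS: take the real values from the Bulk
triage API documentation before use. Field names (issue_ids, issue_type,
new_triage_state, new_triage_reason, new_note) are those named on the page.
"""
import json
import os
import urllib.request
from typing import Iterable, Optional

VALID_STATES = {"open", "reviewing", "fixing", "ignored", "fixed"}
VALID_ISSUE_TYPES = {"sast", "sca"}
READ_ONLY_STATES = {"provisionally_ignored"}  # set by Semgrep only; rejected here

# PLACEHOLDER: confirm path and method in the Bulk triage API documentation.
BULK_TRIAGE_URL_TEMPLATE = "https://semgrep.dev/api/<VERSION>/deployments/{deployment_id}/findings/triage"


def check_bulk_triage_request(issue_type: str, *,
                              issue_ids: Optional[Iterable[int]] = None,
                              filters: Optional[dict] = None,
                              new_triage_state: Optional[str] = None,
                              new_triage_reason: Optional[str] = None,
                              new_note: Optional[str] = None) -> list[str]:
    """Return a list of problems (empty when the request satisfies the page's rules)."""
    problems = []
    if issue_type not in VALID_ISSUE_TYPES:
        problems.append(f"issue_type must be one of {sorted(VALID_ISSUE_TYPES)}")
    if not issue_ids and not filters:
        problems.append("select findings with issue_ids or filter query parameters")
    if issue_ids and filters:
        problems.append("use either issue_ids or filters, not both")  # assumption: one selector per call
    if new_triage_state is None and new_note is None:
        problems.append("provide new_triage_state or new_note")
    if new_triage_state in READ_ONLY_STATES:
        problems.append("provisionally_ignored is set by Semgrep and cannot be assigned")
    elif new_triage_state is not None and new_triage_state not in VALID_STATES:
        problems.append(f"new_triage_state must be one of {sorted(VALID_STATES)}")
    if new_triage_reason is not None and new_triage_state != "ignored":
        problems.append("new_triage_reason requires new_triage_state=ignored")
    return problems


def build_bulk_triage_payload(issue_type: str, **kwargs) -> dict:
    """Build the JSON body, raising ValueError with every violated rule at once."""
    problems = check_bulk_triage_request(issue_type, **kwargs)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {"issue_type": issue_type}
    if kwargs.get("issue_ids"):
        payload["issue_ids"] = sorted(set(kwargs["issue_ids"]))  # de-duplicate ids
    if kwargs.get("filters"):
        payload["filters"] = dict(kwargs["filters"])
    for key in ("new_triage_state", "new_triage_reason", "new_note"):
        if kwargs.get(key) is not None:
            payload[key] = kwargs[key]
    return payload


def send_bulk_triage(deployment_id: str, payload: dict, token: str) -> bytes:
    """Submit the request. Bearer auth and the PUT method are assumptions; verify in the API docs."""
    url = BULK_TRIAGE_URL_TEMPLATE.format(deployment_id=deployment_id)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:   # network call; not exercised offline
        return resp.read()


if __name__ == "__main__":
    # Constructed sample: ignore three SAST findings as false positives with a note.
    body = build_bulk_triage_payload("sast", issue_ids=[101, 102, 102, 103],
                                     new_triage_state="ignored",
                                     new_triage_reason="false_positive",   # assumed enum spelling
                                     new_note="Input is a constant; confirmed in review")
    print(json.dumps(body, indent=2))
    if os.environ.get("SEMGREP_APP_TOKEN"):   # only send when a token is provided
        print(send_bulk_triage("<DEPLOYMENT_ID>", body, os.environ["SEMGREP_APP_TOKEN"]))
```

Keeping the validation separate from the send step means the same checks can run in a dry-run mode or a CI job that reviews a triage CSV before anything is submitted.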