From c2e6fbeea715a149381fb55a1fcc45800ab3f66e Mon Sep 17 00:00:00 2001 From: Sheethala Date: Mon, 24 Nov 2025 17:12:12 -0500 Subject: [PATCH] adding docs for provisionally ignored --- docs/semgrep-ci/findings-ci.md | 3 ++- docs/semgrep-code/triage-remediation.md | 27 ++++++++++++++++----- docs/semgrep-secrets/getting-started.md | 2 ++ docs/semgrep-supply-chain/view-export.md | 1 + src/components/reference/_triage-states.mdx | 2 +- 5 files changed, 27 insertions(+), 8 deletions(-) diff --git a/docs/semgrep-ci/findings-ci.md b/docs/semgrep-ci/findings-ci.md index c338971857..45bc3c8bd0 100644 --- a/docs/semgrep-ci/findings-ci.md +++ b/docs/semgrep-ci/findings-ci.md @@ -26,13 +26,14 @@ These states correspond to: ## Semgrep Code findings -Semgrep AppSec Platform builds on CI findings to track status and provide additional context for managing findings within your organization. A finding can be one of four statuses in Semgrep AppSec Platform: +Semgrep AppSec Platform builds on CI findings to track status and provide additional context for managing findings within your organization. A finding can be one of the following statuses in Semgrep AppSec Platform: * `OPEN` * `REVIEWING` * `FIXING` * `IGNORED` * `FIXED` +* `PROVISIONALLY_IGNORED` ### Finding status diff --git a/docs/semgrep-code/triage-remediation.md b/docs/semgrep-code/triage-remediation.md index 65b67ca329..b5036e7ddf 100644 --- a/docs/semgrep-code/triage-remediation.md +++ b/docs/semgrep-code/triage-remediation.md 
@@ -40,7 +40,7 @@ Semgrep Assistant can also [auto-triage findings](/semgrep-assistant/overview#au **Triage** is the prioritization of a finding based on policies or criteria set by your team or organization, such as severity, coding standards, business goals, and product goals. -Semgrep AppSec Platform uses the logic specified in the table below to automatically mark findings as either fixed or removed when a finding is no longer present in the code. You can also manually ignore findings in Semgrep AppSec Platform directly through **triage** or **bulk triage**. +Semgrep AppSec Platform uses the logic specified in the table below to automatically mark findings as either fixed or removed when a finding is no longer present in the code. You can also manually ignore findings in Semgrep AppSec Platform directly through **triage** or **bulk triage**. Additionally, Semgrep can automatically mark findings as **provisionally ignored** based on AI analysis, validation results, and reachability analysis. The triage statuses are as follows: @@ -107,14 +107,14 @@ To **ignore multiple findings** in the **No grouping** view, follow these steps: ### Reopen findings -You can **reopen** a finding that you previously marked as **ignore** at any time. +You can **reopen** a finding at any time, whether you previously marked it as **ignored** or Semgrep automatically marked it as **provisionally ignored**.
Reopen findings in Group by Rule view To **reopen findings** in the **Group by Rule** view, follow these steps: -1. On the [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, click the **Status** filter, and then select the **Ignored** or **Fixed** status to see all ignored or fixed findings. +1. On the [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, click the **Status** filter, and then select the **Ignored**, **Provisionally Ignored**, or **Fixed** status to see all ignored, provisionally ignored, or fixed findings. 2. Perform one of these steps: - To select more findings from the same rule, click the **Triage** button on the card of the finding. - To select individual findings reported by a rule, fill in the checkboxes for the finding, and then click the **Triage** button on the finding card. 
@@ -128,14 +128,14 @@ To **reopen findings** in the **Group by Rule** view, follow these steps: To **reopen individual findings** in the No grouping view, follow these steps: -1. On the [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, click the **Status** filter, and then select **Ignored** or **Fixed** status to see all ignored or fixed findings. +1. On the [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, click the **Status** filter, and then select **Ignored**, **Provisionally Ignored**, or **Fixed** status to see all ignored, provisionally ignored, or fixed findings. 2. Next to a finding you want to ignore, click the **Reopen** . 3. Optional: Add a note. 4. Click **Save**. To **reopen multiple findings** in the **No grouping** view, follow these steps: -1. On the [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, click the **Status** filter, and then select the **Ignored** or **Fixed** status to see all ignored or fixed findings. +1. On the [Findings](https://semgrep.dev/orgs/-/findings?tab=open) page, click the **Status** filter, and then select the **Ignored**, **Provisionally Ignored**, or **Fixed** status to see all ignored, provisionally ignored, or fixed findings. 1. Perform one of these steps: - Select all findings by clicking on the header row checkbox that states **Showing X open findings**. You can navigate to succeeding pages and add other results to the current selection. - Select relevant findings one by one by clicking on their checkboxes. 
@@ -172,7 +172,22 @@ Semgrep supports older versions of this feature that used the following commands ## Triage findings in bulk through the Semgrep API -Semgrep provides an API endpoint you can use to triage findings in bulk, either by passing a list of `issue_ids` or filter query parameters to select findings. You must also specify an `issue_type`, such as `sast` or `sca`, and either `new_triage_state` or `new_note`. Refer to [ Bulk triage API documentation](https://semgrep.dev/api/v1/docs/#tag/TriageService). +Semgrep provides an API endpoint you can use to triage findings in bulk, either by passing a list of `issue_ids` or filter query parameters to select findings. You must also specify an `issue_type`, such as `sast` or `sca`, and either `new_triage_state` or `new_note`. + +The available `new_triage_state` values you can set are: +- `open` +- `reviewing` +- `fixing` +- `ignored` +- `fixed` + +If specifying a `new_triage_reason`, you must also use `new_triage_state=ignored`. + +:::note +When retrieving findings through the API, you may also see the `provisionally_ignored` status. This status is automatically set by Semgrep and cannot be manually assigned through the bulk triage API. +::: + +Refer to [ Bulk triage API documentation](https://semgrep.dev/api/v1/docs/#tag/TriageService) for complete details. ## Reduce the number of false positive findings diff --git a/docs/semgrep-secrets/getting-started.md b/docs/semgrep-secrets/getting-started.md index 478fb3c20a..229bf624f9 100644 --- a/docs/semgrep-secrets/getting-started.md +++ b/docs/semgrep-secrets/getting-started.md 
@@ -116,6 +116,8 @@ Use filters to narrow down your results. The following criteria are available fo | **Open** | Findings are open by default. A finding is open if it was present the last time Semgrep scanned the code and it has not been ignored. An open finding represents a match between the code and a rule that is enabled in the repository. Open findings require action, such as rewriting the code to eliminate the detected vulnerability. | | **Ignored** | Findings that are ignored are present in the code, but have been labeled as unimportant. Ignore findings that are false positives or deprioritized issues. You can filter findings with a status of **Ignored** further by reason: **False positive**, **Acceptable risk**, **No time to fix**, or **No triage reason**. | | **Fixed** | Fixed findings were detected in a previous scan, but are no longer detected in the most recent scan of that same branch due to changes in the code. | +| **Provisionally Ignored** | Findings that contain invalid secrets which have been automatically ignored by Semgrep. These findings can be reviewed and reopened if needed. | + #### Severity diff --git a/docs/semgrep-supply-chain/view-export.md b/docs/semgrep-supply-chain/view-export.md index ba77f31e31..6dbac19142 100644 --- a/docs/semgrep-supply-chain/view-export.md +++ b/docs/semgrep-supply-chain/view-export.md 
@@ -89,6 +89,7 @@ The triage state of the finding: * **Fixing**: Findings for which you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work. * **Ignored**: Vulnerabilities that have been triaged as **Ignored** by the user. You can filter findings with a status of **Ignored** further by reason: **False positive**, **Acceptable risk**, **No time to fix**, or **No triage reason**. * **Fixed**: Vulnerabilities that are no longer detected after a scan. This typically means that the dependency containing the vulnerability has been updated. Semgrep Supply Chain automatically checks if the dependency has been updated and sets the vulnerability's status as **Fixed**. +* **Provisionally Ignored**: Findings that contain unreachable supply chain vulnerabilities which have been automatically ignored by Semgrep. These findings can be reviewed and reopened if needed. > You can set the **Fixing** and **Reviewing** statuses only if you are a [Jira beta](https://semgrep.dev/docs/semgrep-appsec-platform/jira) participant. diff --git a/src/components/reference/_triage-states.mdx b/src/components/reference/_triage-states.mdx index 6d51624afd..e0a9013ee7 100644 --- a/src/components/reference/_triage-states.mdx +++ b/src/components/reference/_triage-states.mdx 
@@ -5,7 +5,7 @@ | **Fixing** | Findings for which you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work. | | **Fixed** | Fixed findings were detected in a previous scan but are no longer detected in the most recent scan of that same branch due to changes in the code. | | **Ignored** | Findings that are ignored are present in the code but have been labeled as unimportant. Ignore findings that are false positives or deprioritized issues. Mark findings as [ignored through Semgrep AppSec Platform](/semgrep-code/triage-remediation) or by adding a [nosemgrep code comment](/ignoring-files-folders-code/#reference-summary). You can also provide a reason for why you are ignoring a finding: **False positive**, **Acceptable risk**, **No time to fix**. | - +| **Provisionally Ignored** | Findings that have been automatically ignored by Semgrep based on AI analysis. This includes findings identified as false positives by Assistant auto-triage, invalid secrets, and unreachable supply chain vulnerabilities. These findings can be reviewed and reopened if needed. | ### Removed findings Findings can also be **removed**. Semgrep considers a finding removed if it is not found in the most recent scan of the branch where Semgrep initially detected it due to any of the following conditions:
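Review bot: in the findings-ci.md hunk, the new `PROVISIONALLY_IGNORED` bullet is the only status in that list that Semgrep sets automatically rather than a user or scan result, yet nothing at the list says so; add one sentence after the list (or in the `### Finding status` section that follows) such as "Semgrep sets `PROVISIONALLY_IGNORED` automatically; see [Triage and remediation](/semgrep-code/triage-remediation)." so CI users know they did not trigger it and how to reopen it.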
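Review bot: the sentence added at the end of the `@@ -40,7 +40,7 @@` hunk in triage-remediation.md names three triggers ("AI analysis, validation results, and reachability analysis") without saying which product each belongs to, while the later hunks in this same patch pair them one-to-one (Assistant auto-triage for Code, invalid-secret validation for Secrets, unreachable vulnerabilities for Supply Chain); spell out that mapping here or link to each product page, and state whether the fixed/removed logic in the table still applies to a provisionally ignored finding once the matching code disappears.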
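Review bot: the `@@ -128,14 +128,14 @@` hunk touches the "reopen individual findings" list but leaves its context line "2. Next to a finding you want to ignore, click the **Reopen** ." unchanged; in a reopen procedure this should read "a finding you want to reopen", and the stray space before the period should go. Worth fixing while this list is being edited.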
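Review bot: the `:::note` in the `@@ -172,7 +172,22 @@` hunk says `provisionally_ignored` cannot be assigned through the bulk triage API, but it does not say whether the endpoint accepts a provisionally ignored issue as a target for `new_triage_state=open`, which the UI sections in this same patch say is possible; state that explicitly so API users know whether they can reopen these findings in bulk. The final `+` line also keeps the stray leading space in `[ Bulk triage API documentation]`; drop it while the line is being rewritten.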
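Review bot: in the semgrep-secrets/getting-started.md hunk, the second `+` line adds a blank line directly above the `#### Severity` context; check the rendered output for a double blank line there, since the original already separated the table from the heading (the hunk header grows the span from 6 to 8 lines for one row plus one blank). In the row text itself, "invalid secrets which have been automatically ignored" should be "invalid secrets that have been automatically ignored" (restrictive clause), matching the rows above.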
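Review bot: in the semgrep-supply-chain/view-export.md hunk, the new **Provisionally Ignored** bullet uses "which have been" where the sentence needs "that have been", and it describes the trigger only as "unreachable"; the `@@ -40` hunk in triage-remediation.md calls this "reachability analysis", so use the same term here (for example "vulnerabilities that Semgrep's reachability analysis found to be unreachable") so readers can find the feature across pages.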
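Review bot: in the `_triage-states.mdx` hunk, the `-` line removes the blank line that separated the table from the `### Removed findings` heading, and the new `+` row takes its place with no blank after it; keep an empty line after the new row so MDX does not render the heading glued to the table. The row's wording "automatically ignored by Semgrep based on AI analysis" also overgeneralizes: invalid-secret validation and reachability analysis are listed as separate triggers in the `@@ -40` hunk, so reword to something like "based on Assistant auto-triage, secret validation, or reachability analysis" before the three examples.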