[TEC-468] Semgrep Assistant: document which findings are automatically analyzed #2414
Conversation
✅ Don't forget to add
|
| Name | Link |
|---|---|
| 🔨 Latest commit | ccfcc73 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/semgrep-docs-prod/deploys/692f2353c5b19a000891e5bf |
| 😎 Deploy Preview | https://deploy-preview-2414--semgrep-docs-prod.netlify.app |
| 📱 Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify project configuration.
armchairlinguist
left a comment
armchairlinguist
left a comment
There was a problem hiding this comment.
The correct logic of:
High and Critical severity AND High and Medium Confidence
is the main thing that needs to be fixed here (the rest of my notes are just opinions). It's not an OR thing. It must have one of those two severities AND one of those two confidence levels to be automatically analyzed.
docs/semgrep-assistant/analyze.md
Outdated
|
|
||
| Assistant will automatically generate an analysis for any new finding on a **full scan** that is: | ||
| - Critical or High severity, or | ||
| - High or Medium confidence. |
docs/semgrep-assistant/analyze.md
Outdated
| - Updated findings: Findings that are updates to existing issues rather than new findings | ||
| - Duplicate findings: Findings that are duplicates of existing findings |
There was a problem hiding this comment.
I'm not really sure what this is supposed to indicate, would recommend just leaving these off as they are potentially inaccurate / would only add confusion.
docs/semgrep-assistant/analyze.md
Outdated
| * In Semgrep AppSec Platform: the Assistant recommendation appears in Semgrep Code's **Finding Details** page under **Activity**, along with **Agree and ignore** or **Disagree** buttons. | ||
| * In Slack notifications: the **Agree** and **Disagree** buttons appear under the Assistant recommendation message. | ||
| * In GitHub pull requests: you can leave feedback using `/semgrep assistant agree|disagree`. | ||
| * In GitHub PRs: you can leave feedback using `/semgrep assistant agree|disagree`. |
There was a problem hiding this comment.
I'm not sure you actually can anymore? Maybe worth checking with the Assistant team.
There was a problem hiding this comment.
Confirmed that this was removed
docs/semgrep-assistant/overview.md
Outdated
| - Requires the Semgrep AppSec Platform for its use | ||
| - Auto-analyzes many but not all findings during scans | ||
| - For full scans, all *new* issues that are either: | ||
| - High or Critical severity, or |
docs/semgrep-assistant/overview.md
Outdated
| #### Guidance | ||
|
|
||
| With Assistant enabled, every PR or MR comment Semgrep pushes includes remediation guidance with information on fixing the issue. Assistant's remediation guidance provides step-by-step instructions on how to remediate the finding identified by Semgrep Code. | ||
| With Assistant enabled, PR or MR comments from Semgrep include step-by-step instructions for remedying the finding identified by Semgrep Code. |
There was a problem hiding this comment.
I like the shortening overall, but I do wonder about "remedying". "Remediation" seems to be the term of art in security. Would run this by the Assistant folks or our internal practitioners.
|
|
||
| ## Request analysis for existing findings | ||
|
|
||
| If you want Assistant analyses for findings that weren't automatically analyzed (as described above), you can request them in bulk through Semgrep AppSec Platform. |
There was a problem hiding this comment.
| If you want Assistant analyses for findings that weren't automatically analyzed (as described above), you can request them in bulk through Semgrep AppSec Platform. | |
| If you want Assistant analyses for findings that weren't automatically analyzed, as described above, you can request them in bulk through Semgrep AppSec Platform. |
Can you clarify what request means? Does the user have to click something or is it something they have to contact us for?
Co-authored-by: Katie Horne <katie.horne@semgrep.com>
Co-authored-by: Katie Horne <katie.horne@semgrep.com>
Co-authored-by: Katie Horne <katie.horne@semgrep.com>
Co-authored-by: Katie Horne <katie.horne@semgrep.com>
Co-authored-by: Katie Horne <katie.horne@semgrep.com>
Co-authored-by: Katie Horne <katie.horne@semgrep.com>
Co-authored-by: Katie Horne <katie.horne@semgrep.com>
Preview
Analyze