• Deployment
• Semgrep Multimodal

Enable Semgrep Multimodal

Semgrep Multimodal extends standard Semgrep capabilities by providing contextually aware AI-powered vulnerability detection and remediation suggestions.

This article walks you through enabling Semgrep Multimodal for your deployment.

Prerequisites

• You have completed a Semgrep core deployment.
• You have set rules to Comment or Block mode in your Policies page.

Azure DevOps Cloud

Building context for Semgrep Multimodal requires Azure DevOps permissions, specifically code access granted through an access token you generate through Azure DevOps. Ensure that the token has the following scopes:

• Code: Read & write
• Pull Request Threads: Read & write

You can provide this token to Semgrep by adding Azure DevOps as a source code manager.

Semgrep recommends using a service account, not a personal account, to generate the personal access token provided to Semgrep. Regardless of whether you use a personal or service account, the account must be assigned the Owner or Project Collection Administrator role for the organization.

Enable Multimodal

1. Sign in to Semgrep AppSec Platform.
2. Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
3. The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.

After enabling Semgrep Multimodal, you can configure the AI provider and enable additional features:

• Scan with AI-powered detection: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
• Weekly priority emails: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
• Noise filter for Code PR/MR comments: Filter out findings identified as false positives. You can choose to suppress PR or MR comments entirely or display informational comments indicating that a finding is a false positive.
• Suggested fix: Enable Multimodal-generated autofix suggestions in PR and MR comments. You can also set a minimum confidence threshold for AI-generated fixes when a rule does not include a human-authored autofix.

Bitbucket Cloud

Building context for Semgrep Multimodal requires additional Bitbucket permissions, specifically code access granted through an access token you generate through Bitbucket. Your token must be a Workspace Access Token, which are available to users with a Bitbucket Cloud Premium plan or higher. The token must have the following scopes:

• Projects: Read
• Repositories: Read
• Pull requests: Read & Write
• Webhooks: Read and write

You can provide this token to Semgrep by adding Bitbucket as a source code manager.

Enable Multimodal

1. Sign in to Semgrep AppSec Platform.
2. Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
3. The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.

After enabling Semgrep Multimodal, you can configure the AI provider and enable additional features:

• Scan with AI-powered detection: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
• Weekly priority emails: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
• Noise filter for Code PR/MR comments: Filter out findings identified as false positives. You can choose to suppress PR or MR comments entirely or display informational comments indicating that a finding is a false positive.
• Suggested fix: Enable Multimodal-generated autofix suggestions in PR and MR comments. You can also set a minimum confidence threshold for AI-generated fixes when a rule does not include a human-authored autofix.

GitHub

In addition to the standard permissions required for Semgrep, Semgrep Multimodal requires read access to your code in GitHub. This is done through a private Semgrep GitHub app that you install.

The private Semgrep GitHub app:

• Is fully under your control so you can revoke access or specific permissions at any time by visiting Settings > Applications in GitHub.
• Only accesses source code repositories on a file-by-file basis; it does not need or request org-level access to your codebase.
• Can be configured to limit its scope to specific repositories. You do not need to give read access to all repositories in your GitHub organization.

To verify that you have the private app installed:

1. In Semgrep AppSec Platform, go to Settings > Source Code Managers.
2. Find the entry for GitHub. If you have the Private app installed, Semgrep displays a message underneath this label that reads Enables Autotriage, Managed Scans, and Auto-scan.
3. If you don't have the Private app installed, the Install button is shown to you. To install the private app:
   1. Click Install to launch the Add GitHub App page.
   2. Review the information provided, and click Register GitHub App to proceed.
   3. The Continue to SCM dialog appears, since you must finish installing the app with GitHub. Click Continue to proceed.
   4. Follow the prompts provided by GitHub to finish creating the app.
   5. When done, GitHub redirects you back to Semgrep AppSec Platform.

Enable Multimodal

1. Sign in to Semgrep AppSec Platform.
2. Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
3. The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.

After enabling Semgrep Multimodal, you can configure the AI provider and enable additional features:

• Scan with AI-powered detection: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
• Weekly priority emails: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
• Autofix PR: Automatically create AI-generated pull requests (PRs) to remediate findings.
• Noise filter for Code PR/MR comments: Filter out findings identified as false positives. You can choose to suppress PR or MR comments entirely or display informational comments indicating that a finding is a false positive.
• Suggested fix: Enable Multimodal-generated autofix suggestions in PR and MR comments. You can also set a minimum confidence threshold for AI-generated fixes when a rule does not include a human-authored autofix.
• Upgrade Guidance & Autofix: Analyze dependency upgrades for potential breaking changes. When enabled, Semgrep displays indicators for safe upgrades and potential breaking changes in Supply Chain findings.

GitLab

To build context for Semgrep Multimodal, you must provide either a project access token or personal access token with the API scope.

• You can revoke project access tokens or personal access tokens at any time.
• Semgrep Multimodal only accesses source code repositories (projects) on a file-by-file basis; it does not need or request org-level access to your codebase.
• The token can be configured to limit its scope to specific projects or individuals. You do not need to give read access to all projects in your GitLab organization.

Enable Multimodal

1. Sign in to Semgrep AppSec Platform using your GitLab account.
2. Go to Settings > Global, and click the Semgrep Multimodal toggle to enable.
3. The Set up Semgrep Multimodal dialog appears. Click Accept & Enable Semgrep Multimodal to proceed.

After enabling Semgrep Multimodal, you can configure the AI provider and enable additional features:

• Scan with AI-powered detection: Run AI-powered scans to identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization issues. Enabling Semgrep Multimodal does not automatically run AI-powered scans.
• Weekly priority emails: Send weekly summary emails to organization admins highlighting the top three backlog priorities across all findings.
• Autofix PR: Automatically create AI-generated pull requests (PRs) to remediate findings.
• Noise filter for Code PR/MR comments: Filter out findings identified as false positives. You can choose to suppress PR or MR comments entirely or display informational comments indicating that a finding is a false positive.
• Suggested fix: Enable Multimodal-generated autofix suggestions in PR and MR comments. You can also set a minimum confidence threshold for AI-generated fixes when a rule does not include a human-authored autofix.
• Upgrade Guidance & Autofix: Analyze dependency upgrades for potential breaking changes. When enabled, Semgrep displays indicators for safe upgrades and potential breaking changes in Supply Chain findings.

---

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.