Instructions on how to onboard a Semgrep Integration
Follow the steps below to onboard a user to our Semgrep Integration.
Create API token
Go to “Settings” -> “Tokens” -> “API Tokens” and click “Create new token”
Enable token scopes in popup
In the popup window enable following scopes
Enter Credentials
After creating the Web API token, Copy this into the Semgrep AppSec connector in its respective field.
This document explains how to migrate data and code for the Semgrep connector (and, by extension, all AppSec vendors) from the legacy ScopedIssue
data-model (V1) to the new ScopedVulnerabilityFindingV2
/ ScopedResource
models (V2).
Legend
✅ = direct or renamed field already present in V2
☑️ = moved into a nested object (e.g. vendor_attributes
, resource_related
, …)
🆕 = new column added to V2 schema
🚧 = still missing – add if customers rely on it
V1 ScopedIssue field | Recommended V2 location | Status |
---|---|---|
id | id | ✅ (we reuse same UUID) |
code_repo | resource_related.affected_code.file_path or project/branch resource | ☑️ |
project_file_path | resource_related.affected_code.file_path | ☑️ |
repo_url | vendor_attributes.data.line_of_code_url (Semgrep) | ☑️ |
repo_branch_name | captured in branch‐type ScopedResource | ☑️ |
vendor | product.vendor_name | ☑️ |
vendor_id | vendor_attributes.id | ☑️ |
name | title | ✅ |
package_name | resource_related.affected_package.name | ☑️ |
package_version | resource_related.affected_package.version | ☑️ |
severity | severity | ✅ |
severity_rank (DB) | derived from severity | ✅ |
platform | resource_related.affected_platform | ☑️ |
package_manager | resource_related.affected_package.package_manager | ☑️ |
publication_time | — (redundant; use first_seen / CVE KB) | ➖ |
is_patchable | has_fix | ✅ |
type | type (CODE / DEPENDENCY / …) | ✅ |
description | description | ✅ |
vulnerability_identifiers | vendor_attributes.vulnerability_identifiers | ☑️ |
cvss_score | — (available via CVE KB) | ➖ |
state | state | ✅ |
first_seen | first_seen | ✅ |
last_seen | last_seen | ✅ |
kb_url | — (vendor & KB URLs already covered) | ➖ |
issue_url | vendor_attributes.url | ☑️ |
remediation (List[str]) | remediation (stringified) | ✅ |
vendor_data | vendor_attributes.data | ☑️ |
state_updated_at | state_updated_at | 🆕 |
connection_id | connection_id | ✅ |
unique_hash | unique_hash | ✅ |
Outstanding gaps (🚧): Currently none. All V1 data points are either mapped, intentionally dropped (➖), or available via Knowledge-Base relations.