Onboarding

Follow the steps below to onboard a user to our Semgrep Integration.

1. Create API token

Go to “Settings” -> “Tokens” -> “API Tokens” and click “Create new token”.

2. Enable token scopes in popup

In the popup window, enable the following scopes:

  • Agent CI
  • Web API

Record your API token secret somewhere safe. After the credential window is closed, the secret is no longer visible.
Click save and close the popup box.

3. Enter Credentials

After creating the Web API token, copy it into its respective field in the Semgrep AppSec connector.

Semgrep V1 (Issues) to V2 (Resources & Vulnerability Findings) Migration Guide

Semgrep AppSec – Migration Guide

Legacy V1 Issues → V2 Vulnerability Findings & Resources

This document explains how to migrate data and code for the Semgrep connector (and, by extension, all AppSec vendors) from the legacy ScopedIssue data-model (V1) to the new ScopedVulnerabilityFindingV2 / ScopedResource models (V2).


Field-coverage & Replacement Matrix

Legend
✅ = direct or renamed field already present in V2
☑️ = moved into a nested object (e.g. vendor_attributes, resource_related, …)
🆕 = new column added to V2 schema
🚧 = still missing – add if customers rely on it

| V1 ScopedIssue field | Recommended V2 location | Status |
|---|---|---|
| id | id | ✅ (we reuse same UUID) |
| code_repo | resource_related.affected_code.file_path or project/branch resource | ☑️ |
| project_file_path | resource_related.affected_code.file_path | ☑️ |
| repo_url | vendor_attributes.data.line_of_code_url (Semgrep) | ☑️ |
| repo_branch_name | captured in branch-type ScopedResource | ☑️ |
| vendor | product.vendor_name | ☑️ |
| vendor_id | vendor_attributes.id | ☑️ |
| name | title | |
| package_name | resource_related.affected_package.name | ☑️ |
| package_version | resource_related.affected_package.version | ☑️ |
| severity | severity | |
| severity_rank (DB) | derived from severity | |
| platform | resource_related.affected_platform | ☑️ |
| package_manager | resource_related.affected_package.package_manager | ☑️ |
| publication_time | — (redundant; use first_seen / CVE KB) | |
| is_patchable | has_fix | |
| type | type (CODE / DEPENDENCY / …) | |
| description | description | |
| vulnerability_identifiers | vendor_attributes.vulnerability_identifiers | ☑️ |
| cvss_score | — (available via CVE KB) | |
| state | state | |
| first_seen | first_seen | |
| last_seen | last_seen | |
| kb_url | — (vendor & KB URLs already covered) | |
| issue_url | vendor_attributes.url | ☑️ |
| remediation (List[str]) | remediation (stringified) | |
| vendor_data | vendor_attributes.data | ☑️ |
| state_updated_at | state_updated_at | 🆕 |
| connection_id | connection_id | |
| unique_hash | unique_hash | |

Outstanding gaps (🚧): Currently none. All V1 data points are either mapped, intentionally dropped (➖), or available via Knowledge-Base relations.
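
An added example, not part of the original guide or the connector's own code: a table-driven converter that applies the matrix above to one V1 record and reports any field the matrix does not cover, so data loss is visible during migration. The plain-dict record shape, the function names, the newline used to stringify remediation, and the sample field owner_team are assumptions.

```python
from copy import deepcopy

# V1 -> V2 paths follow the matrix above; plain-dict records are an assumption.
SAME = ("id", "severity", "type", "description", "state", "first_seen",
        "last_seen", "state_updated_at", "connection_id", "unique_hash")
MOVED = {  # vendor_data goes first so repo_url nests inside vendor_attributes.data
    "vendor_data": "vendor_attributes.data",
    "repo_url": "vendor_attributes.data.line_of_code_url",
    "vendor_id": "vendor_attributes.id",
    "issue_url": "vendor_attributes.url",
    "vulnerability_identifiers": "vendor_attributes.vulnerability_identifiers",
    "vendor": "product.vendor_name",
    "name": "title",
    "is_patchable": "has_fix",
    "project_file_path": "resource_related.affected_code.file_path",
    "package_name": "resource_related.affected_package.name",
    "package_version": "resource_related.affected_package.version",
    "package_manager": "resource_related.affected_package.package_manager",
    "platform": "resource_related.affected_platform",
}
TO_RESOURCE = {"code_repo", "repo_branch_name"}  # carried by ScopedResource rows
DROPPED = {"publication_time", "cvss_score", "kb_url", "severity_rank"}

def set_path(target, dotted, value):
    """Set a dotted path, creating (or replacing non-dict) parents."""
    *parents, leaf = dotted.split(".")
    for key in parents:
        if not isinstance(target.get(key), dict):
            target[key] = {}
        target = target[key]
    target[leaf] = value

def migrate_issue(v1):
    """Return (v2_finding, resource_fields, unmapped_v1_field_names)."""
    v1 = deepcopy(v1)  # never mutate the caller's record
    finding = {k: v1[k] for k in SAME if k in v1}
    for src, dst in MOVED.items():
        if src in v1:
            set_path(finding, dst, v1[src])
    if "remediation" in v1:  # List[str] -> string; the newline join is assumed
        finding["remediation"] = "\n".join(v1["remediation"] or [])
    resource_fields = {k: v1[k] for k in TO_RESOURCE if k in v1}
    known = set(SAME) | set(MOVED) | TO_RESOURCE | DROPPED | {"remediation"}
    return finding, resource_fields, sorted(set(v1) - known)

# Constructed sample record (not real scan output); owner_team is a made-up field.
SAMPLE_V1 = {"id": "00000000-0000-0000-0000-000000000001", "name": "Example finding",
             "vendor_data": None, "repo_url": "https://example.invalid/repo/app.py#L10",
             "remediation": ["Upgrade", "Re-scan"], "cvss_score": 7.5,
             "repo_branch_name": "main", "owner_team": "payments"}
```

The third return value lists V1 fields outside the matrix; a non-empty list is the signal to review whether a 🚧 entry is needed before cutting over.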