> ## Documentation Index
> Fetch the complete documentation index at: https://semgrep-ee9d73d8-mintlify-b75b9a88.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Core deployment

> Semgrep can be set up to scan repositories of any size.

Once added to Semgrep, a codebase, repository, or subfolder within a monorepo is referred to as a **project**.

**Deployment** refers to the process of integrating Semgrep into your developer and infrastructure workflows. Completing the deployment process provides you with the Semgrep features that meet your security program's needs.

Deployment includes:

* Running Semgrep scanners as part of your CI. These scans can be any combination of SAST (Static Application Security Testing), SCA (Software Composition Analysis), or Secrets, depending on your plan.
* Managing team members' access and authentication.
* Ensuring that Semgrep has sufficient access to your self-hosted source code manager (SCM), such as GitLab Self-Managed.

Semgrep does not require code access to complete the core deployment process. Your code is not sent anywhere.

<Tip>
  **ARE THESE GUIDES FOR YOU?**

  * These guides outline procedures for the deployment of Semgrep as part of a security program. To try out Semgrep, refer to the [<Icon icon="file-lines" iconType="regular" /> Quickstart](/getting-started/quickstart) document.
  * Individual users can also use these guides to deploy Semgrep as part of their personal security.
</Tip>

Many deployment features are set up through **Semgrep AppSec Platform**.

Deployment does **not** include:

* Customizing your SAST, SCA, or secrets scans
* Custom rule writing
* Triage

For these features, refer to the **Scan and Triage** section in the navigation bar.

### All Semgrep deployment features

Semgrep supports many different technology stacks. Refer to the following table to evaluate which deployment features of Semgrep you can use based on your technologies.

#### Core deployment

These are the absolute minimum Semgrep features for any deployment.

| Deployment feature                                                     | Notes                                                                                                                                                                                                                                                                                                                                                                                                                      |
| :--------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| SAST scanning                                                          | Check that Semgrep: <ul><li>Can scan your language and that the language's maturity matches your security needs. See <a href="/supported-languages"><Icon icon="file-lines" iconType="regular" /> Supported languages</a>.</li> <li>Provides rulesets that you can use out-of-the-box. See <a href="https://semgrep.dev/r/" target="_blank"><Icon icon="external-link" iconType="solid" /> Semgrep Registry</a>.</li></ul> |
| SCA scanning                                                           | Check that Semgrep either supports your manifest file or lockfile and package manager.                                                                                                                                                                                                                                                                                                                                     |
| Secrets scanning                                                       | Check that your services, such as Slack or Twilio, can be validated by Semgrep. Semgrep Secrets is available through Semgrep Sales, so you must <a href="https://get.semgrep.dev/Book-a-demo.html" target="_blank"><Icon icon="external-link" iconType="solid" /> Book a demo.</a>                                                                                                                                         |
| SSO                                                                    | Semgrep supports: <ul><li>OpenID Connect or OAuth 2</li> <li>SAML 2.0</li></ul>                                                                                                                                                                                                                                                                                                                                            |
| Organizations                                                          | Semgrep can connect to orgs from <strong>GitHub and GitLab</strong>. Connecting an org enables Semgrep AppSec Platform to authenticate new users from the same org easily.<br /><br />If you use <strong>Bitbucket or Azure Repos</strong>, you can use SSO to manage the authentication of your users, then add repositories for scanning through your CI provider.                                                       |
| Scanning remote repositories through CI                                | Semgrep fully supports many popular CI providers. See <a href="/deployment/add-semgrep-to-ci"><Icon icon="file-lines" iconType="regular" /> Add Semgrep to CI</a>.                                                                                                                                                                                                                                                         |
| Managed Scans: scanning remote repositories in bulk without CI changes | An alternative method of scanning many repositories with Semgrep that doesn't require integration with your CI. Requires read access to user-selected repositories. See <a href="/deployment/managed-scanning/overview"><Icon icon="file-lines" iconType="regular" /> Add repositories to Semgrep in bulk</a>.                                                                                                             |
| PR or MR comments                                                      | Semgrep can post PR or MR comments in the following SCMs: <ul><li>GitHub</li><li>GitLab</li><li>Bitbucket</li></ul>                                                                                                                                                                                                                                                                                                        |

#### Additional deployment features

Useful features that you can add based on your tech stack. You can integrate these features further into your security workflows after some initial testing of your core deployment.

| Deployment feature                 | Notes                                                                                                                                                                                      |
| :--------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Notifications                      | Semgrep can send notifications through the following channels:<ul><li>Slack</li> <li>Email</li><li>Webhooks</li></ul>                                                                      |
| AI-assisted triage and remediation | Semgrep can give AI-assisted recommendations on whether a finding is a true or false positive as well as suggest code fixes for true positive findings.                                    |
| IDE integration                    | Encourage developers to run Semgrep in their IDE. Officially supported extensions include: <ul> <li>Microsoft Visual Studio Code</li> <li>IntelliJ Ultimate IDEA</li> <li>Emacs</li> </ul> |
| API                                | Check that Semgrep's API meets your needs. See <a href="/api-reference/Introduction">API docs</a>.                                                                                         |

## Core deployment process

At the minimum, your deployment of Semgrep consists of the following steps:

<Steps>
  <Step title="Creating a Semgrep account.">
    Each user of Semgrep has one account.
  </Step>

  <Step title="Setting up organizations (orgs).">
    Each Semgrep account can have many orgs. Orgs are logical groupings of related projects and users.
  </Step>

  <Step title="Setting up membership:">
    * For GitHub or GitLab users, you can connect your Semgrep org to the orgs in your source code manager (SCM). This means that any member of an org in your SCM can sign in to your Semgrep deployment.
    * You can also use SSO to manage user authentication.
  </Step>

  <Step title="Adding Semgrep into your CI workflows.">
    This step ensures that your Semgrep deployment is up and running and that you receive **findings** of security issues in Semgrep AppSec Platform.
  </Step>

  <Step title="Enabling Semgrep to post PR or MR comments.">
    <Frame caption="Core deployment steps.">
      <img src="https://mintcdn.com/semgrep-ee9d73d8-mintlify-b75b9a88/-dR8Rmdn8vfoDZ7v/images/core-deployment-7c163d2788754757edf2b150a5fff4e6.png?fit=max&auto=format&n=-dR8Rmdn8vfoDZ7v&q=85&s=10269326d318a4eee574c7e9e4b71338" alt="Core deployment steps" width="1200" height="280" data-path="images/core-deployment-7c163d2788754757edf2b150a5fff4e6.png" />
    </Frame>
  </Step>
</Steps>

To manage a large volume of users and projects, you may need to perform additional steps:

* Role management
* Tagging projects

These steps are covered in the section [Deployment at scale](/category/deployment-at-scale).

Team size isn't necessarily indicative of deployment needs. Features for large teams can be deployed for smaller teams as well, and are available on the Semgrep Team Tier.

## Deploy Semgrep in phases

It is recommended to finish the core deployment of Semgrep to a few repositories or departments in your organization first before attempting to deploy to the majority.

This **initial phase** prepares you to deploy Semgrep to the rest of the organization. Organizational infrastructure can vary greatly and the initial deployment can help you identify and address issues so that they do not recur in a wider deployment.

## Next steps

Click **Next** to begin setting up your core deployment.
