Other SCM permissionsThis page covers code read and write access only. For PR or MR comments, GitHub App installation, sign-in scopes, and other requirements, see SCM permissions.
| SCM | Read access scope | Write access scope |
|---|---|---|
| Azure DevOps | Code (read) | Code (read and write) |
| Bitbucket Cloud | repository:readpullrequest:read | repository:writepullrequest:write |
| Bitbucket Data Center | repository:read | repository:write |
| GitHub.com and GitHub Enterprise Server | contents:read | contents:write |
| GitLab and GitLab Self-Managed | read_repository | write_repository |
Grant code access to Semgrep with a private GitHub app
If you are an existing Semgrep user and your private Semgrep GitHub app does not have code access enabled, follow these steps to update the app and grant code access to Semgrep. GitHub grants code access through Repository permissions > Contents under Developer Settings. The installation page at Settings > Applications might list read/write permissions but those do not enable file access.In GitHub, navigate to Settings > Developer Settings. You should see your Semgrep App listed in the GitHub Apps tab. GitHub Enterprise Server users must replace the
https://github.com base URL with the base URL of their GitHub Enterprise Server instance.Click the drop-down menu and select Read and write. Read and write is required for Autofix PRs. If you only need Semgrep to read repository contents, select Read instead.
Navigate back to the main GitHub Settings page. One way to do so is by clicking Settings in GitHub’s website breadcrumbs.
In the Applications tab, locate the Semgrep app under the Installed GitHub Apps tab.
Grant code access to Semgrep for token-based SCM connections
If you onboarded your repositories using an access token, follow these steps to grant code access to Semgrep.- Azure DevOps Cloud
- Bitbucket Cloud
- Bitbucket Data Center
- GitHub
- GitLab
Before creating or updating the Azure DevOps PAT, ensure that the account used to create the token has access to the Azure DevOps projects and repositories Semgrep scans.A PAT can only grant access that the account already has. Microsoft requires at least Basic access for accounts that contribute to code. To create Autofix PRs, the account must also be able to read repository contents, create branches, push commits, and create PRs at the repository level.Grant the account repository access using one of the following options.Once saved, Semgrep has code access to your Azure DevOps repositories.
Grant project and repository access
In Azure DevOps, navigate to your organization:
https://dev.azure.com/ORGANIZATION_NAMEFind the account used for your Semgrep Azure DevOps connection. If the account is not listed, click Add users and add the account to the organization.
Set the account’s Access level to Basic. Stakeholder access does not allow code contribution in private projects.
Option 1: Add the account to the Project Contributors group
Use this option to grant the account standard contributor access across the project.Option 2: Grant access to specific repositories
Use this option to restrict Semgrep access to specific repositories.Branch-specific permissionsBranch permissions can override repository permissions. If the target repository uses branch-specific permissions, confirm that the Semgrep account is not denied access on the target branch. The account must be able to contribute to branches it creates and create PRs into the repository’s default branch.
Create and configure an access token
Navigate to the Azure DevOps access token settings page:
https://dev.azure.com/ORGANIZATION_NAME/_usersSettings/tokens.Assign the Code (read and write) scope to the token. This scope includes read access and the ability to create and manage PRs. For read-only code access, assign Code (read) instead.Also assign any other scopes your deployment needs, such as those listed in the Autofix row of SCM permissions.
Return to Semgrep AppSec Platform, and go to Settings > Source code managers.