We use Semgrep OSS as a static analysis tool to analyze the code in the sourcegraph/sourcegraph , sourcegraph/jetbrains and sourcegraph/cody repository for security vulnerabilities and bad patterns. We have published playbook below separately to resolve issues, false positives.

• Developer playbook
• Security engineer playbook
• Operational playbook

For Sourcegraph engineers

For resolving Semgrep SAST alerts

Semgrep Developer playbook is well documented handling any situation that developer faces. Any Semgrep issues should be visible to you via the output of the Semgrep OSS / Code Analysis GitHub check and as Github Comments.

If the offending commit has to be landed as part of resolving an incident,

• Check the Developer Playbook to resolve semgrep alert through source code comments.
• (or) find an admin for the repository (for whom branch protection rules will not apply) to merge the code in for you.

For Semgrep SAST Stuck issues

This rarely happens (less than 0.5%), but if it does, please follow the steps below:

• Ensure your branch is up to date with the main or default branch. If not please rebase your branch.
• If the issue is still not resolved, please reach out to the Security team in #discuss-security.
• (or) find an admin for the repository (for whom branch protection rules will not apply) to merge the code in for you.

If you're not still clear on how to resolve an issue raised by Semgrep, please reach out to the Security team in #discuss-security.

For Security engineers

Semgrep Architecture and Deployment

Semgrep OSS SAST scan supports both Buildkite, Github Action. For detailed architecture (flow diagram) and deployment check the documentation here.

Security Engineer Playbook