Overview

Semgrep is a fast, open-source static analysis tool that finds bugs, vulnerabilities, and secrets in code. The Pwnbook Semgrep integration pulls scan findings from your Semgrep deployment into engagements, where you can triage, annotate, and track remediation alongside the rest of your pentest work.

Prerequisites

  • A Semgrep account (Semgrep Team or Enterprise)
  • A Semgrep API token with read access to your deployment
  • Your Semgrep deployment slug
  • Admin or Owner access in Pwnbook to configure the integration

Credentials required

  • API Token: A Semgrep API token. Generate one at Semgrep Settings → Tokens. It needs the scans:read scope.
  • Deployment Slug: Your Semgrep organization/deployment identifier, visible in the Semgrep dashboard URL.

Setup

Step 1: Generate a Semgrep API token

  1. Log in to semgrep.dev.
  2. Go to Settings → Tokens.
  3. Click Create new token.
  4. Give it a name (e.g., pwnbook-integration) and select the scans:read scope.
  5. Copy the token — you won’t be able to see it again.

Step 2: Find your deployment slug

Your deployment slug appears in the URL when you’re in the Semgrep dashboard:
https://semgrep.dev/orgs/<your-deployment-slug>/...
Copy the slug portion.

Step 3: Configure the integration in Pwnbook

  1. Go to Organization Settings → Marketplace → Semgrep.
  2. Click Configure.
  3. Enter your API Token and Deployment Slug.
  4. Click Save & Test to verify the credentials.

Step 4: Configure per-repository sync settings

After connecting, Pwnbook loads a list of repositories from your Semgrep deployment. For each repository you want to sync findings from:
  1. Toggle Visible to show findings in Pwnbook.
  2. Toggle Sync Enabled to pull new findings automatically.
  3. (Optional) Add a Note to record context about this repository.
  4. Click Save.

What gets synced

Pwnbook pulls the following data from Semgrep:
  • SAST findings: Code vulnerabilities identified by Semgrep rules, with file path, line numbers, and column ranges
  • Secrets findings: Exposed credentials, API keys, and tokens detected in code
  • Supply chain findings: Vulnerable dependencies and packages
  • Severity: Critical, high, medium, low, informational
  • Rule metadata: Rule ID, message, CWE mappings, OWASP category
  • Remediation guidance: Fix suggestions where available from Semgrep rules
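As an added illustration of what the sync collects (this is example code, not Pwnbook's or Semgrep's own), the script below pulls one page of findings from the Semgrep Cloud API with a scans:read token, reduces each finding to the fields listed above, and filters them by severity the way the engagement view does. The endpoint path, header and finding JSON layout are assumptions modelled on Semgrep's API v1, and the sample response is constructed so the normaliser runs offline.

```python
import json
import urllib.request

API_BASE = "https://semgrep.dev/api/v1"  # assumed Semgrep Cloud API base
SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]

def fetch_findings(token: str, slug: str, page: int = 0) -> list:
    """Pull one page of findings for a deployment using a scans:read token (assumed endpoint)."""
    req = urllib.request.Request(
        f"{API_BASE}/deployments/{slug}/findings?page={page}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["findings"]

def normalise(finding: dict) -> dict:
    """Reduce one raw finding to the fields Pwnbook tracks (the list above)."""
    loc, rule = finding.get("location", {}), finding.get("rule", {})
    return {
        "repository": finding.get("repository", {}).get("name"),
        "rule_id": finding.get("rule_name"),
        "message": finding.get("rule_message"),
        "severity": (finding.get("severity") or "informational").lower(),
        "path": loc.get("file_path"),
        "lines": (loc.get("line"), loc.get("end_line")),
        "columns": (loc.get("column"), loc.get("end_column")),
        "cwe": rule.get("cwe_names", []),
        "owasp": rule.get("owasp_names", []),
        "state": finding.get("triage_state") or finding.get("state"),
    }

def at_or_above(findings: list, minimum: str = "medium") -> list:
    """Keep normalised findings at or above `minimum`, most severe first."""
    cutoff = SEVERITY_ORDER.index(minimum)
    kept = [f for f in findings if SEVERITY_ORDER.index(f["severity"]) <= cutoff]
    return sorted(kept, key=lambda f: SEVERITY_ORDER.index(f["severity"]))

# Constructed sample shaped like one API response page (assumed layout, made-up rule ids).
SAMPLE = [
    {"rule_name": "python.sql.raw-query", "rule_message": "Raw SQL built from user input",
     "severity": "high", "repository": {"name": "acme/webapp"}, "triage_state": "untriaged",
     "location": {"file_path": "app/db.py", "line": 42, "end_line": 42, "column": 5, "end_column": 48},
     "rule": {"cwe_names": ["CWE-89"], "owasp_names": ["A03:2021"]}},
    {"rule_name": "secrets.generic-api-key", "rule_message": "Hard-coded API key",
     "severity": "low", "repository": {"name": "acme/webapp"}, "state": "unresolved",
     "location": {"file_path": "config.py", "line": 3, "end_line": 3, "column": 1, "end_column": 40},
     "rule": {}},
]
```

Swap `SAMPLE` for `fetch_findings(token, slug)` to run it against a real deployment; the filter and normaliser are unchanged.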

Viewing findings in Pwnbook

Synced Semgrep findings appear in the engagement under Security Findings → Semgrep. From there you can:
  • Filter by severity, type, and repository
  • Add internal notes to individual findings
  • Link findings to tasks or threat model threats
  • Mark findings as resolved, acknowledged, or suppressed

Refreshing findings

Pwnbook caches findings from Semgrep. To pull the latest:
  1. Go to Organization Settings → Integrations → Semgrep.
  2. Click Refresh Findings.
You can also trigger a refresh from within an engagement’s findings view.

Disconnecting

To remove the Semgrep integration:
  1. Go to Organization Settings → Marketplace → Semgrep.
  2. Click Disconnect.
  3. Confirm the disconnection.
Previously synced findings remain in Pwnbook until manually deleted.