Semgrep

Application Security

Overview
Setup
Data & mappings
Operations & API
Changelog

Data retrieved from Semgrep

Connector Object	Required	Maps to Data Model
CodeProject	Yes	Code Project
StaticCodeFinding	Yes	Static Code Finding
StaticCodeFindingDefinition	Yes	Static Code Finding Definition
OpenSourceFinding	Yes	Open Source Finding
OpenSourceFindingDefinition	Yes	Open Source Finding Definition

Model relationships

note

For detailed steps on how to view the data retrieved from Semgrep in the Brinqa Platform, see How to view your data.

Connection settings

When setting up a data integration, select Semgrep from the Connector dropdown and provide the following:

Setting	Required	Default	Description
API URL	No	`https://semgrep.dev`	Semgrep API URL
Access Token	Yes	—	Semgrep API access token
Parallel requests	No	`min(4, available processors)`	Maximum number of parallel API requests
Max retries	No	`10`	Specifies the maximum number of retries permitted during a request. The default value is 10.

How to obtain Semgrep credentials

[Add connector-specific credential steps. Templated placeholder — review before publish.]

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes:

CodeProject

Source Field Name	SDM Attribute
Generated (always `"active"`)	STATUS
Generated (always `"code repository"`)	CATEGORIES
Generated (sync timestamp)	LAST_CAPTURED
`Project.created_at`	SOURCE_CREATED_DATE
`Project.default_branch`	DEFAULT_BRANCH
`Project.id`	PROJECT_ID
`Project.latest_scan_at`	LAST_SCANNED
`Project.name`	UID
`Project.name`	NAME
`Project.primary_branch`	PRIMARY_BRANCH
`Project.tags`	TAGS
`Project.url`	URL

StaticCodeFinding

Source Field Name	SDM Attribute
Generated (sync timestamp)	LAST_CAPTURED
`SastFinding.assistant.autofix.explanation`	ASSISTANT_AUTOFIX_EXPLANATION
`SastFinding.assistant.autofix.fix_code`	ASSISTANT_AUTOFIX_CODE
`SastFinding.assistant.autotriage.reason`	ASSISTANT_AUTOTRIAGE_REASON
`SastFinding.assistant.autotriage.verdict`	ASSISTANT_AUTOTRIAGE_VERDICT
`SastFinding.assistant.component.risk`	ASSISTANT_COMPONENT_RISK
`SastFinding.assistant.component.tag`	ASSISTANT_COMPONENT_TAG
`SastFinding.assistant.guidance.instructions`	ASSISTANT_GUIDANCE_INSTRUCTIONS
`SastFinding.assistant.guidance.summary`	ASSISTANT_GUIDANCE_SUMMARY
`SastFinding.assistant.rule_explanation.explanation`	ASSISTANT_RULE_EXPLANATION
`SastFinding.assistant.rule_explanation.summary`	ASSISTANT_RULE_EXPLANATION_SUMMARY
`SastFinding.click_to_fix_failures[].created_at`	CLICK_TO_FIX_FAILURE_DATES
`SastFinding.click_to_fix_failures[].reason`	CLICK_TO_FIX_FAILURE_REASONS
`SastFinding.click_to_fix_prs[].created_at`	CLICK_TO_FIX_PR_DATES
`SastFinding.click_to_fix_prs[].url`	CLICK_TO_FIX_PR_URLS
`SastFinding.confidence`	CONFIDENCE
`SastFinding.created_at`	CREATED_AT
`SastFinding.external_ticket.external_slug`	EXTERNAL_TICKET_SLUG
`SastFinding.external_ticket.id`	EXTERNAL_TICKET_ID
`SastFinding.external_ticket.linked_issue_ids`	EXTERNAL_TICKET_LINKED_IDS
`SastFinding.external_ticket.url`	EXTERNAL_TICKET_URL
`SastFinding.first_seen_scan_id`	FIRST_SEEN_SCAN_ID
`SastFinding.id`	UID
`SastFinding.line_of_code_url`	LINE_OF_CODE_URL
`SastFinding.location`	PATH
`SastFinding.location.column`	START_COLUMN
`SastFinding.location.end_column`	END_COLUMN
`SastFinding.location.end_line`	END_LINE
`SastFinding.location.line`	START_LINE
`SastFinding.match_based_id`	MATCH_BASED_ID
`SastFinding.ref`	SOURCE_REF
`SastFinding.relevant_since`	FIRST_FOUND
`SastFinding.repository.name`	TARGETS
`SastFinding.repository.url`	REPOSITORY_URL
`SastFinding.review_comments[].external_discussion_id`	REVIEW_COMMENT_DISCUSSION_IDS
`SastFinding.review_comments[].external_note_id`	REVIEW_COMMENT_NOTE_IDS
`SastFinding.rule.message`	RULE_MESSAGE
`SastFinding.rule.name`	TYPE
`SastFinding.rule_name`	RULE_NAME
`SastFinding.sourcing_policy`	SOURCING_POLICY
`SastFinding.state`	STATE
`SastFinding.state_updated_at`	STATE_UPDATED_AT
`SastFinding.status`	PROVIDER_STATUS
`SastFinding.status`	SOURCE_STATUS
`SastFinding.syntactic_id`	SYNTACTIC_ID
`SastFinding.triage_comment`	TRIAGED_COMMENT
`SastFinding.triage_reason`	TRIAGE_REASON
`SastFinding.triage_state`	TRIAGE_STATE
`SastFinding.triaged_at`	TRIAGED_AT
`SastFinding.triaged_at`	LAST_FIXED

StaticCodeFindingDefinition

Source Field Name	SDM Attribute
Generated (sync timestamp)	LAST_CAPTURED
`SastFinding.rule.category`	CATEGORIES
`SastFinding.rule.category`	RULE_CATEGORY
`SastFinding.rule.confidence`	RULE_CONFIDENCE
`SastFinding.rule.cwe_names`	CWE_IDS
`SastFinding.rule.cwe_names`	WEAKNESSES
`SastFinding.rule.message`	DESCRIPTION
`SastFinding.rule.message`	RECOMMENDATION
`SastFinding.rule.name`	UID
`SastFinding.rule.name`	NAME
`SastFinding.rule.owasp_names`	OWASP_CATEGORIES
`SastFinding.rule.subcategories`	TAGS
`SastFinding.rule.subcategories`	RULE_SUBCATEGORIES
`SastFinding.rule.vulnerability_classes`	VULNERABILITY_CLASSES
`SastFinding.severity`	SEVERITY
`SastFinding.severity`	SOURCE_SEVERITY
`SastFinding.severity`	SEVERITY_SCORE

OpenSourceFinding

Source Field Name	SDM Attribute
Generated (sync timestamp)	LAST_CAPTURED
`ScaFinding.confidence`	CONFIDENCE
`ScaFinding.created_at`	CREATED_AT
`ScaFinding.external_ticket.external_slug`	EXTERNAL_TICKET_SLUG
`ScaFinding.external_ticket.id`	EXTERNAL_TICKET_ID
`ScaFinding.external_ticket.linked_issue_ids`	EXTERNAL_TICKET_LINKED_IDS
`ScaFinding.external_ticket.url`	EXTERNAL_TICKET_URL
`ScaFinding.first_seen_scan_id`	FIRST_SEEN_SCAN_ID
`ScaFinding.found_dependency.ecosystem`	FOUND_DEP_ECOSYSTEM
`ScaFinding.found_dependency.lockfile_line_url`	FOUND_DEP_LOCKFILE_LINE_URL
`ScaFinding.found_dependency.package`	FOUND_DEP_PACKAGE
`ScaFinding.found_dependency.transitivity`	FOUND_DEP_TRANSITIVITY
`ScaFinding.found_dependency.version`	FOUND_DEP_VERSION
`ScaFinding.id`	UID
`ScaFinding.is_malicious`	IS_MALICIOUS
`ScaFinding.line_of_code_url`	LINE_OF_CODE_URL
`ScaFinding.location`	PATH
`ScaFinding.location.column`	START_COLUMN
`ScaFinding.location.end_column`	END_COLUMN
`ScaFinding.location.end_line`	END_LINE
`ScaFinding.location.line`	START_LINE
`ScaFinding.match_based_id`	MATCH_BASED_ID
`ScaFinding.reachability`	REACHABILITY
`ScaFinding.reachable_condition`	REACHABLE_CONDITION
`ScaFinding.ref`	SOURCE_REF
`ScaFinding.relevant_since`	FIRST_FOUND
`ScaFinding.repository.name`	TARGETS
`ScaFinding.repository.url`	REPOSITORY_URL
`ScaFinding.review_comments[].external_discussion_id`	REVIEW_COMMENT_DISCUSSION_IDS
`ScaFinding.review_comments[].external_note_id`	REVIEW_COMMENT_NOTE_IDS
`ScaFinding.rule.message`	RULE_MESSAGE
`ScaFinding.rule.name`	TYPE
`ScaFinding.rule_name`	RULE_NAME
`ScaFinding.state`	STATE
`ScaFinding.state_updated_at`	STATE_UPDATED_AT
`ScaFinding.status`	PROVIDER_STATUS
`ScaFinding.status`	SOURCE_STATUS
`ScaFinding.syntactic_id`	SYNTACTIC_ID
`ScaFinding.triage_comment`	TRIAGED_COMMENT
`ScaFinding.triage_reason`	TRIAGE_REASON
`ScaFinding.triage_state`	TRIAGE_STATE
`ScaFinding.triaged_at`	TRIAGED_AT
`ScaFinding.triaged_at`	LAST_FIXED
`ScaFinding.usage`	USAGE

OpenSourceFindingDefinition

Source Field Name	SDM Attribute
Generated (sync timestamp)	LAST_CAPTURED
`ScaFinding.categories`	CATEGORIES
`ScaFinding.epss_score.percentile`	EPSS_PERCENTILE
`ScaFinding.epss_score.score`	EPSS_SCORE
`ScaFinding.fix_recommendations[]`	FIX_RECOMMENDATIONS
`ScaFinding.rule.category`	RULE_CATEGORY
`ScaFinding.rule.confidence`	RULE_CONFIDENCE
`ScaFinding.rule.cwe_names`	CWE_IDS
`ScaFinding.rule.cwe_names`	WEAKNESSES
`ScaFinding.rule.message`	DESCRIPTION
`ScaFinding.rule.message or ScaFinding.fix_recommendations[]`	RECOMMENDATION
`ScaFinding.rule.name`	UID
`ScaFinding.rule.name`	NAME
`ScaFinding.rule.owasp_names`	OWASP_CATEGORIES
`ScaFinding.rule.subcategories`	TAGS
`ScaFinding.rule.subcategories`	RULE_SUBCATEGORIES
`ScaFinding.rule.vulnerability_classes`	VULNERABILITY_CLASSES
`ScaFinding.severity`	SEVERITY
`ScaFinding.severity`	SOURCE_SEVERITY
`ScaFinding.severity`	SEVERITY_SCORE
`ScaFinding.vulnerability_identifier`	CVE_IDS
`ScaFinding.vulnerability_identifier`	CVE_RECORDS

Operations & API

Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).

CodeProject

Operation options

This object does not support any operation options.

Delta sync

Not supported. The connector performs a full sync of CodeProject on every run and applies no incremental date filter.

API

Type: REST · Endpoint: GET /api/v1/deployments/{slug}/projects

StaticCodeFinding

Operation options

This object does not support any operation options.

Delta sync

Not supported. The connector performs a full sync of StaticCodeFinding on every run and applies no incremental date filter.

API

Type: REST · Endpoint: GET /api/v1/deployments/{slug}/findings?issue_type=sast

StaticCodeFindingDefinition

Operation options

This object does not support any operation options.

Delta sync

Not supported. The connector performs a full sync of StaticCodeFindingDefinition on every run and applies no incremental date filter.

API

Type: REST · Endpoint: GET /api/v1/deployments/{slug}/findings?issue_type=sast

OpenSourceFinding

Operation options

This object does not support any operation options.

Delta sync

Not supported. The connector performs a full sync of OpenSourceFinding on every run and applies no incremental date filter.

API

Type: REST · Endpoint: GET /api/v1/deployments/{slug}/findings?issue_type=sca

OpenSourceFindingDefinition

Operation options

This object does not support any operation options.

Delta sync

Not supported. The connector performs a full sync of OpenSourceFindingDefinition on every run and applies no incremental date filter.

API

Type: REST · Endpoint: GET /api/v1/deployments/{slug}/findings?issue_type=sca

Changelog

The Semgrep connector has undergone the following changes:

Version	Description	Migration Steps
3.0.7	Bug Fixes - Restored spaces in object type names for Static Code Finding, Static Code Finding Definition, Open Source Finding, and Open Source Finding Definition. The spaces were inadvertently removed in v3.0.5, which caused the platform to generate differently-cased table names and created duplicate models during synchronization.	• StaticCodeFinding, StaticCodeFindingDefinition, OpenSourceFinding, OpenSourceFindingDefinition: Object type names reverted to include spaces (e.g., `"StaticCodeFinding"` → `"Static Code Finding"`). Purge the duplicate tables created by v3.0.5/v3.0.6 (the lowercased variants without spaces) and perform a re-sync to repopulate the original tables.

Data retrieved from Semgrep​

Model relationships​

Connection settings​

Attribute mappings​

Operations & API​

Changelog​

Data retrieved from Semgrep

Model relationships

Connection settings

Attribute mappings

Operations & API

Changelog