From 6c9ae949c6e87d3d3ac400957737ef52bfd32de2 Mon Sep 17 00:00:00 2001 From: Abhijna Parigi Date: Thu, 16 Apr 2026 11:12:46 -0400 Subject: [PATCH 1/2] api behavior to tech docs --- docs/deployment/deployment-checklist.md | 4 ++++ .../semgrep-code/triage-remediation/autofix.md | 18 +++++++++++++++++- .../semgrep-supply-chain/triage-remediation.md | 3 +++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/docs/deployment/deployment-checklist.md b/docs/deployment/deployment-checklist.md index 6c3561cbb9..11709fcd19 100644 --- a/docs/deployment/deployment-checklist.md +++ b/docs/deployment/deployment-checklist.md @@ -294,6 +294,10 @@ These features require **read access** to your code. +:::tip +**Autofix** (Semgrep Code and Semgrep Supply Chain upgrade PRs) needs **Contents: Read and write** on the private app, plus other permissions, so Semgrep can clone and push branches and open draft PRs. For a breakdown of Git operations versus REST endpoints, see [GitHub permissions and API usage for Autofix](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix). +::: + diff --git a/docs/semgrep-code/triage-remediation/autofix.md b/docs/semgrep-code/triage-remediation/autofix.md index a9f4203c37..82e3e135b3 100644 --- a/docs/semgrep-code/triage-remediation/autofix.md +++ b/docs/semgrep-code/triage-remediation/autofix.md @@ -1,6 +1,6 @@ --- title: Autofix (beta) -description: Use Semgrep Autofix to automatically generate a fix PR for Semgrep Code findings. +description: Use Semgrep Autofix to automatically generate a fix PR for Semgrep Code findings, including required GitHub App permissions and how Semgrep accesses your repository. tags: - Semgrep Code - Semgrep AppSec Platform @@ -38,6 +38,22 @@ To use Autofix, you must meet the following requirements: +## GitHub permissions and API usage for Autofix {#github-permissions-and-api-usage-for-autofix} + +Autofix uses your **private Semgrep GitHub App** with the permissions below. Use this section for security reviews (for example, which GitHub operations require **Contents: Read and write**). + +### Repository permissions + +| GitHub App permission | Why Autofix needs it | +| --- | --- | +| **Contents: Read** | Clone the repository over HTTPS (shallow, single-branch) so Semgrep can analyze the code and generate a fix. This uses GitHub’s Smart HTTP Git protocol (`git-upload-pack`). | +| **Contents: Write** | Push the Autofix branch back to the repository. This uses GitHub’s Smart HTTP Git protocol (`git-receive-pack`). | +| **Metadata: Read** | Read repository metadata, including the default branch, using `GET /repos/{owner}/{repo}`. | +| **Pull requests: Write** | Open a **draft** pull request using `POST /repos/{owner}/{repo}/pulls`. | + +### How repository contents are accessed + +Semgrep does **not** read or write file contents through the REST [Contents API](https://docs.github.com/en/rest/repos/contents) (`GET` or `PUT` `/repos/{owner}/{repo}/contents/{path}`). Autofix reads and writes code only through the **Git transport layer** (clone and push), which still requires the GitHub **Contents** permissions above. ## Use Autofix diff --git a/docs/semgrep-supply-chain/triage-remediation.md b/docs/semgrep-supply-chain/triage-remediation.md index 1ebf542d0c..76c1e4cc80 100644 --- a/docs/semgrep-supply-chain/triage-remediation.md +++ b/docs/semgrep-supply-chain/triage-remediation.md @@ -88,6 +88,7 @@ To access all upgrade guidance and Autofix features, you must have: - Semgrep Multimodal [enabled](/semgrep-multimodal/getting-started). - The **private** GitHub app for Semgrep installed. - The app must have [**Read and write** access on the **Contents** permission](#grant-read-and-write-access-to-a-private-github-semgrep-app) to open Autofix PRs. Current customers must manually enable this if they haven't already. + - For which GitHub operations and endpoints that entails (Git clone and push versus REST), see [GitHub permissions and API usage for Autofix](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix). - Optionally: if you have [a private registry, connect it to Semgrep](#connect-a-private-registry-to-semgrep) to improve results. ### Features and permissions required @@ -161,6 +162,8 @@ To prevent security vulnerabilities from being merged into your codebase, see [S ### Grant **Read and write** access to a private GitHub Semgrep app +Autofix PRs for Supply Chain use the same private GitHub App permissions and GitHub access patterns as [Autofix for Semgrep Code](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix). + ### Connect a private registry to Semgrep From 587aa66aad919061312db166388e794057decc21 Mon Sep 17 00:00:00 2001 From: Abhijna Parigi Date: Tue, 28 Apr 2026 16:21:08 -0700 Subject: [PATCH 2/2] autofix api permissions --- .../triage-remediation/autofix.md | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/docs/semgrep-code/triage-remediation/autofix.md b/docs/semgrep-code/triage-remediation/autofix.md index 82e3e135b3..b835e2c0cb 100644 --- a/docs/semgrep-code/triage-remediation/autofix.md +++ b/docs/semgrep-code/triage-remediation/autofix.md @@ -38,22 +38,6 @@ To use Autofix, you must meet the following requirements: -## GitHub permissions and API usage for Autofix {#github-permissions-and-api-usage-for-autofix} - -Autofix uses your **private Semgrep GitHub App** with the permissions below. Use this section for security reviews (for example, which GitHub operations require **Contents: Read and write**). - -### Repository permissions - -| GitHub App permission | Why Autofix needs it | -| --- | --- | -| **Contents: Read** | Clone the repository over HTTPS (shallow, single-branch) so Semgrep can analyze the code and generate a fix. This uses GitHub’s Smart HTTP Git protocol (`git-upload-pack`). | -| **Contents: Write** | Push the Autofix branch back to the repository. This uses GitHub’s Smart HTTP Git protocol (`git-receive-pack`). | -| **Metadata: Read** | Read repository metadata, including the default branch, using `GET /repos/{owner}/{repo}`. | -| **Pull requests: Write** | Open a **draft** pull request using `POST /repos/{owner}/{repo}/pulls`. | - -### How repository contents are accessed - -Semgrep does **not** read or write file contents through the REST [Contents API](https://docs.github.com/en/rest/repos/contents) (`GET` or `PUT` `/repos/{owner}/{repo}/contents/{path}`). Autofix reads and writes code only through the **Git transport layer** (clone and push), which still requires the GitHub **Contents** permissions above. ## Use Autofix @@ -104,6 +88,20 @@ At this time, Semgrep Memories do not directly influence Autofix PR generation. Memories may affect PRs indirectly through remediation guidance. If general remediation guidance has been generated and includes information derived from memories, that guidance is passed into the PR generation process. However, memories themselves are not currently sent as direct input when generating the PR. +## GitHub permissions and API usage for Autofix {#github-permissions-and-api-usage-for-autofix} + +Autofix uses your **private Semgrep GitHub App** with the permissions below. Use this section for security reviews (for example, which GitHub operations require **Contents: Read and write**). + +### Repository permissions + +| GitHub App permission | Why Autofix needs it | +| --- | --- | +| **Contents: Read** | Clone the repository over HTTPS (shallow, single-branch) so Semgrep can analyze the code and generate a fix. This uses GitHub’s Smart HTTP Git protocol (`git-upload-pack`). | +| **Contents: Write** | Push the Autofix branch back to the repository. This uses GitHub’s Smart HTTP Git protocol (`git-receive-pack`). | +| **Metadata: Read** | Read repository metadata, including the default branch, using `GET /repos/{owner}/{repo}`. | +| **Pull requests: Write** | Open a **draft** pull request using `POST /repos/{owner}/{repo}/pulls`. | +### How repository contents are accessed +Semgrep does **not** read or write file contents through the REST Contents API (`GET` or `PUT` `/repos/{owner}/{repo}/contents/{path}`). Autofix reads and writes code only through the **Git transport layer** (clone and push), which still requires the GitHub **Contents** permissions above.