Unified policies (beta)
Unified policies allow you to choose the rules and rulesets used for Semgrep scans and define what happens to a finding after identification, such as whether a finding is monitored, generates a pull request (PR) or merge request (MR) comment, or blocks a PR or MR. With unified policies, there are two types of policy definitions available to you:
- Detection policies, which determine what rules are used to scan your project
- Remediation policies, which determine what happens to the findings identified by Semgrep. These actions can include leaving PR/MR comments, blocking the PRs/MRs, creating Jira tickets, sending Slack notifications, and more.
A comparison of legacy behavior versus the new behavior
Previously, you defined policies for each Semgrep product on a rule-by-rule basis. For each rule, you chose one of three modes for the findings it produced: monitor (findings are only sent to Semgrep AppSec Platform for review), comment (findings generate a PR or MR comment), or block (findings block the PR or MR from being merged):
| Rule | Mode |
|---|---|
| Rule A | Monitor |
| Rule B | Comment |
| Rule C | Block |
| Rule D | Block |
With unified policies, your definitions are now split into detection and remediation policies. The detection policy enables every rule that was in the legacy policy, whatever its mode was:
| Detection policy | Status | Scope |
|---|---|---|
| Rule A | Enabled | All projects |
| Rule B | Enabled | All projects |
| Rule C | Enabled | All projects |
| Rule D | Enabled | All projects |
The remediation policy expresses the former comment and block modes as automations, each with a scope, a condition on which rules the finding came from, and an action:
| Remediation policy | Field | Value |
|---|---|---|
| Automation 1 | Name | Comment on PR or MR with findings |
| | Scope | All projects |
| | Conditions | Rule is one of: |
| | Actions | Comment on the PR or MR |
| Automation 2 | Name | Block PR or MR merges with findings |
| | Scope | All projects |
| | Conditions | Rule is one of: |
| | Actions | Block PR or MR |
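The split above can be modeled in a few lines, which also makes one consequence of the new design explicit: remediation automations only ever see findings that the detection policy produced, so disabling a rule in the detection policy silences any automation that still names it. The following is an added example, not Semgrep's own code or its policy configuration format; the function and class names (split_legacy_policy, Automation, UnifiedPolicy, actions_for_finding) and the legacy mode names are assumptions made here for illustration, and the input is constructed to mirror the legacy table above.

```python
# Added example (not Semgrep's code or its policy configuration format):
# a small model of the legacy -> unified split described above. The names
# below (split_legacy_policy, Automation, actions_for_finding, ...) are
# assumptions made for illustration.
from dataclasses import dataclass

# Legacy per-rule modes. "monitor" findings only go to the platform for
# review; "comment" and "block" act on the PR/MR.
LEGACY_MODES = ("monitor", "comment", "block")

# Remediation automation (name, action) produced for each legacy mode that
# acts on a PR/MR. "monitor" produces none: the rule is enabled in the
# detection policy and its findings are simply reported.
AUTOMATION_FOR_MODE = {
    "comment": ("Comment on PR or MR with findings", "Comment on the PR or MR"),
    "block": ("Block PR or MR merges with findings", "Block PR or MR"),
}


@dataclass
class Automation:
    name: str
    scope: str
    rules: tuple        # condition: the finding's rule is one of these
    action: str


@dataclass
class UnifiedPolicy:
    detection: dict     # rule -> {"enabled": bool, "scope": str}
    remediation: list   # Automation entries, in order


def split_legacy_policy(legacy: dict, scope: str = "All projects") -> UnifiedPolicy:
    """Turn a legacy {rule: mode} policy into detection + remediation policies."""
    detection = {}
    rules_by_mode = {}
    for rule, mode in legacy.items():
        if mode not in LEGACY_MODES:
            raise ValueError(f"unknown legacy mode {mode!r} for {rule}")
        # Every rule in the legacy policy was being scanned, so every rule is
        # enabled in the detection policy regardless of its former mode.
        detection[rule] = {"enabled": True, "scope": scope}
        if mode in AUTOMATION_FOR_MODE:
            rules_by_mode.setdefault(mode, []).append(rule)

    remediation = []
    for mode in LEGACY_MODES:           # fixed order: comment before block
        if mode in rules_by_mode:
            name, action = AUTOMATION_FOR_MODE[mode]
            remediation.append(Automation(name, scope, tuple(rules_by_mode[mode]), action))
    return UnifiedPolicy(detection, remediation)


def actions_for_finding(policy: UnifiedPolicy, rule: str) -> list:
    """What the remediation policy does with a finding from `rule`.

    Remediation only sees findings that detection produced, so a rule that is
    disabled (or absent) in the detection policy triggers no action even if an
    automation still names it. Run this when disabling a rule in detection:
    automations that reference only that rule become dead entries.
    """
    entry = policy.detection.get(rule)
    if not entry or not entry["enabled"]:
        return []
    return [a.action for a in policy.remediation if rule in a.rules]


if __name__ == "__main__":
    # Constructed input mirroring the legacy table above.
    legacy = {"Rule A": "monitor", "Rule B": "comment",
              "Rule C": "block", "Rule D": "block"}
    unified = split_legacy_policy(legacy)
    for rule, entry in unified.detection.items():
        print(f"{rule}: enabled={entry['enabled']} scope={entry['scope']}")
    for i, a in enumerate(unified.remediation, 1):
        print(f"Automation {i}: {a.name!r} rules={a.rules} -> {a.action}")
    # Disable a rule in detection and confirm its automation no longer fires.
    unified.detection["Rule D"]["enabled"] = False
    print("Rule D actions:", actions_for_finding(unified, "Rule D"))
```

The model groups rules by their former mode into one automation per action, which is the same shape as the two automations in the table above; the detection policy never drops a rule, because the legacy policy had no way to express "not scanned" other than leaving the rule out entirely.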
Next steps
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.