From 8376e6d104aee8c0ee0f0b827a6a5004fd7c2599 Mon Sep 17 00:00:00 2001 From: Abhijna Parigi Date: Mon, 8 Jun 2026 11:05:54 -0700 Subject: [PATCH 1/3] autofix github permissions --- docs/deployment/checklist.mdx | 4 ++++ .../triage-remediation/autofix.mdx | 19 ++++++++++++++++++- .../triage-and-remediation.mdx | 2 ++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/docs/deployment/checklist.mdx b/docs/deployment/checklist.mdx index 285548931..d8826fe06 100644 --- a/docs/deployment/checklist.mdx +++ b/docs/deployment/checklist.mdx @@ -240,6 +240,10 @@ Lets Semgrep configure itself to run in CI by writing to .github/workflows/semgr Allows Semgrep Multimodal to fetch source code files on-demand to construct AI prompts. + +**Autofix** (Semgrep Code and Semgrep Supply Chain upgrade PRs) needs **Contents: Read and write** on the private app, plus other permissions, so Semgrep can clone and push branches and open draft PRs. For a breakdown of Git operations versus REST endpoints, see [GitHub permissions and API usage for Autofix](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix). + + diff --git a/docs/semgrep-code/triage-remediation/autofix.mdx b/docs/semgrep-code/triage-remediation/autofix.mdx index 52554de59..d94c5aa72 100644 --- a/docs/semgrep-code/triage-remediation/autofix.mdx +++ b/docs/semgrep-code/triage-remediation/autofix.mdx @@ -1,7 +1,7 @@ --- title: "Autofix for Semgrep Code (beta)" sidebarTitle: "Autofix (beta)" -description: "Semgrep’s Autofix feature uses AI to generate proposed code changes for Semgrep Code findings." +description: "Semgrep’s Autofix feature uses AI to generate proposed code changes for Semgrep Code findings, including required GitHub App permissions and how Semgrep accesses your repository." --- 
@@ -144,3 +144,20 @@ Because the code changes displayed on findings and PRs are generated separately, At this time, Semgrep Memories do not directly influence Autofix PR generation. Memories may affect PRs indirectly through remediation guidance. If general remediation guidance has been generated and includes information derived from memories, that guidance is passed into the PR generation process. However, memories themselves are not currently sent as direct input when generating the PR. + +## GitHub permissions and API usage for Autofix + +Autofix uses your **private Semgrep GitHub App** with the permissions below. Use this section for security reviews (for example, which GitHub operations require **Contents: Read and write**). + +### Repository permissions + +| GitHub App permission | Why Autofix needs it | +| :--- | :--- | +| **Contents: Read** | Clone the repository over HTTPS (shallow, single-branch) so Semgrep can analyze the code and generate a fix. This uses GitHub's Smart HTTP Git protocol (`git-upload-pack`). | +| **Contents: Write** | Push the Autofix branch back to the repository. This uses GitHub's Smart HTTP Git protocol (`git-receive-pack`). | +| **Metadata: Read** | Read repository metadata, including the default branch, using `GET /repos/{owner}/{repo}`. | +| **Pull requests: Write** | Open a **draft** pull request using `POST /repos/{owner}/{repo}/pulls`. | + +### How repository contents are accessed + +Semgrep does **not** read or write file contents through the REST Contents API (`GET` or `PUT` `/repos/{owner}/{repo}/contents/{path}`). Autofix reads and writes code only through the **Git transport layer** (clone and push), which still requires the GitHub **Contents** permissions above. diff --git a/docs/semgrep-supply-chain/triage-and-remediation.mdx b/docs/semgrep-supply-chain/triage-and-remediation.mdx index 5321ad086..cb82789ff 100644 --- a/docs/semgrep-supply-chain/triage-and-remediation.mdx 
+++ b/docs/semgrep-supply-chain/triage-and-remediation.mdx @@ -80,6 +80,7 @@ To access all upgrade guidance and Autofix features, you must have: - Semgrep Multimodal [enabled](/semgrep-multimodal/getting-started). - The **private** GitHub app for Semgrep installed. - The app must have [**Read and write** access on the **Contents** permission](#grant-read-and-write-access-to-a-private-github-semgrep-app) to open Autofix PRs. Current customers must manually enable this if they haven't already. + - For which GitHub operations and endpoints that entails (Git clone and push versus REST), see [GitHub permissions and API usage for Autofix](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix). - Optionally: if you have [a private registry, connect it to Semgrep](#connect-a-private-registry-to-semgrep) to improve results. ### Features and permissions required @@ -191,6 +192,7 @@ To prevent security vulnerabilities from being merged into your codebase, see [S ### Grant **Read and write** access to a private GitHub Semgrep app +Autofix PRs for Supply Chain use the same private GitHub App permissions and GitHub access patterns as [Autofix for Semgrep Code](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix). If you are an **existing** Semgrep user and you need to change From df4e4409dc88631bf0970d6b246757a925e53795 Mon Sep 17 00:00:00 2001 From: Abhijna Parigi Date: Mon, 8 Jun 2026 11:40:16 -0700 Subject: [PATCH 2/3] clean up --- docs/semgrep-supply-chain/triage-and-remediation.mdx | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/semgrep-supply-chain/triage-and-remediation.mdx b/docs/semgrep-supply-chain/triage-and-remediation.mdx index cb82789ff..3a1f35aca 100644 --- a/docs/semgrep-supply-chain/triage-and-remediation.mdx +++ b/docs/semgrep-supply-chain/triage-and-remediation.mdx 
@@ -78,9 +78,7 @@ To access all upgrade guidance and Autofix features, you must have: - Enabled upgrade guidance Semgrep AppSec Platform by going to **Settings > General > Supply Chain** - At least one repository with full [scans with Semgrep Supply Chain](/semgrep-supply-chain/getting-started). - Semgrep Multimodal [enabled](/semgrep-multimodal/getting-started). -- The **private** GitHub app for Semgrep installed. - - The app must have [**Read and write** access on the **Contents** permission](#grant-read-and-write-access-to-a-private-github-semgrep-app) to open Autofix PRs. Current customers must manually enable this if they haven't already. - - For which GitHub operations and endpoints that entails (Git clone and push versus REST), see [GitHub permissions and API usage for Autofix](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix). +- The **private** GitHub app for Semgrep installed. The app must have [**Read and write** access on the **Contents** permission](#grant-read-and-write-access-to-a-private-github-semgrep-app) to open Autofix PRs. Current customers must manually enable this if they haven't already. - Optionally: if you have [a private registry, connect it to Semgrep](#connect-a-private-registry-to-semgrep) to improve results. ### Features and permissions required From 6c064125d4701d03ed63ca83616fee813c95c7d0 Mon Sep 17 00:00:00 2001 From: Abhijna Parigi Date: Mon, 8 Jun 2026 11:43:20 -0700 Subject: [PATCH 3/3] clean up --- docs/semgrep-code/triage-remediation/autofix.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/semgrep-code/triage-remediation/autofix.mdx b/docs/semgrep-code/triage-remediation/autofix.mdx index d94c5aa72..6e0e90306 100644 --- a/docs/semgrep-code/triage-remediation/autofix.mdx +++ b/docs/semgrep-code/triage-remediation/autofix.mdx 
@@ -1,7 +1,7 @@ --- title: "Autofix for Semgrep Code (beta)" sidebarTitle: "Autofix (beta)" -description: "Semgrep’s Autofix feature uses AI to generate proposed code changes for Semgrep Code findings, including required GitHub App permissions and how Semgrep accesses your repository." +description: "Semgrep’s Autofix feature uses AI to generate proposed code changes for Semgrep Code findings. This page also describes required GitHub App permissions and how Semgrep accesses your repository." ---
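Review bot: "plus other permissions" in the new **Autofix** entry of `docs/deployment/checklist.mdx` (hunk `@@ -240,6 +240,10 @@`) is too vague for a deployment checklist whose purpose is to tell an admin exactly what to grant; the Autofix page this hunk links to enumerates them, so name them inline, for example `needs **Contents: Read and write**, **Metadata: Read**, and **Pull requests: Write** on the private app`. The hunk also adds two consecutive empty `+` lines after the entry; one is enough.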
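Review bot: the rewritten `description` in the first `autofix.mdx` hunk (`@@ -1,7 +1,7 @@` in PATCH 1/3) reads as a run-on in which "including required GitHub App permissions" attaches to "proposed code changes", as if Autofix generates permissions. PATCH 3/3 in this same series already splits it into two sentences; squash that fix into this commit so the series never carries the ambiguous intermediate wording.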
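Review bot: the "Repository permissions" table in the `autofix.mdx` hunk `@@ -144,3 +144,20 @@` lists **Contents: Read** and **Contents: Write** as two separate permissions, but a GitHub App has a single **Contents** permission whose level is Read-only or Read and write, and both the checklist hunk and the Supply Chain page in this series call it **Contents: Read and write**. Use one row with that name, keeping both operations in the right-hand column (`git-upload-pack` for the shallow, single-branch clone and `git-receive-pack` for pushing the Autofix branch), so a security reviewer can match the table to what the GitHub App settings screen actually shows. The closing paragraph is the most useful part for reviewers; consider stating explicitly that Read and write is still required even though the REST Contents API (`GET`/`PUT /repos/{owner}/{repo}/contents/{path}`) is never called, because "why write access if you never PUT a file" is exactly the question a permissions review raises.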
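Review bot: the new nested bullet in `triage-and-remediation.mdx` hunk `@@ -80,6 +80,7 @@`, "For which GitHub operations and endpoints that entails (Git clone and push versus REST), see ...", is awkwardly worded and PATCH 2/3 deletes it again; drop it from this commit (or squash the series) so the final diff shows only the change that survives. If a pointer from the prerequisites to the endpoint breakdown is still wanted, a shorter form reads better, for example `See [GitHub permissions and API usage for Autofix](/semgrep-code/triage-remediation/autofix#github-permissions-and-api-usage-for-autofix) for the exact Git and REST operations.`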
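Review bot: in `triage-and-remediation.mdx` hunk `@@ -191,6 +192,7 @@` the added sentence "Autofix PRs for Supply Chain use the same private GitHub App permissions ..." sits directly above the existing paragraph beginning "If you are an **existing** Semgrep user and you need to change"; make sure a blank line separates the two, otherwise MDX renders them as a single paragraph. Since this section is where customers actually flip the permission, it would also help to restate here which permission the link explains (**Contents: Read and write**) rather than only "the same ... permissions".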
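Review bot: the PATCH 2/3 hunk `@@ -78,9 +78,7 @@` folds the nested bullet into its parent and thereby removes the only link from the Supply Chain prerequisites to the endpoint breakdown; that is acceptable because the `### Grant **Read and write** access` section added in PATCH 1/3 still carries the link, but say so in the commit message instead of "clean up", which tells a reader of `git log` neither what changed nor why.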
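Review bot: the PATCH 3/3 hunk `@@ -1,7 +1,7 @@` only corrects wording that PATCH 1/3 of this same series introduced, so squash it into that commit. The `description` front-matter field is a page-level summary; keep it to the single sentence about what Autofix does and leave "This page also describes required GitHub App permissions ..." to the body, where the new "GitHub permissions and API usage for Autofix" heading already announces it.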