---
id: wiki-2026-0508-semgrep-assistant
title: Semgrep Assistant
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Semgrep AI, Semgrep Assistant, SAST AI]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, sast, ai-tools, code-scanning]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: python
  framework: Semgrep / Semgrep Cloud
---

# Semgrep Assistant

## In one line

> **"SAST + LLM combined: false positive triage, automatic custom rule generation, autofix"**.

An LLM layer on top of Semgrep (pattern-based static analysis) that reduces noise and proposes fix PRs. 2026: Claude Opus 4.7 backend; MCP integration supports both IDE and CI.

## Key points

### Semgrep basics

- Pattern matching on the AST. Syntactic rules such as `pattern: $X == null && $X.foo()`.
- 30+ languages. Community rules plus paid Pro rules.
- Fast (<1 min for a typical repo) and deterministic.

### What Assistant adds

- **Triage**: for each finding, the LLM returns a "true positive probability" plus reasoning. Noise reduced by 60~80%.
- **Autofix**: secure replacement code suggestion → PR comment.
- **Custom rule generation**: natural language → Semgrep YAML rule.
- **Code understanding**: adds data-flow context ("user input from line 42 reaches sink at line 87").

### Applications

1. CI gate: block PRs on critical findings only.
2. Backlog cleanup: triage of legacy findings.
3. Custom org rule generation (e.g., "use only the internal logger").
4. Secret scanning + remediation.

## 💻 Patterns

### CLI scan

```bash
semgrep --config=auto .
semgrep --config=p/owasp-top-ten --sarif --output=results.sarif .
```

### Custom rule

```yaml
# rules/no-eval.yml
rules:
  - id: no-eval
    pattern: eval(...)
    message: "eval() is dangerous"
    severity: ERROR
    languages: [python]
```

### Generate rule from natural language (Assistant API)

```python
import os

import requests

# Read the API token from the environment instead of hardcoding it
SEMGREP_TOKEN = os.environ["SEMGREP_TOKEN"]

r = requests.post(
    "https://semgrep.dev/api/v1/assistant/rules",
    headers={"Authorization": f"Bearer {SEMGREP_TOKEN}"},
    json={"description": "Detect hardcoded JWT signing keys in Go"},
    timeout=30,
)
r.raise_for_status()  # fail loudly on auth or quota errors
print(r.json()["rule_yaml"])
```

### CI integration (GitHub Actions)

```yaml
- uses: semgrep/semgrep-action@v1
  with:
    config: p/ci
    auditOn: push
  env:
    SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    SEMGREP_ASSISTANT: "1"  # enable AI triage
```

### Pre-commit

```yaml
# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.95.0
  hooks:
    - id: semgrep
      args: ['--config=p/python', '--error']
```

### MCP server (IDE)

```jsonc
// claude desktop config
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {"SEMGREP_APP_TOKEN": "..."}
    }
  }
}
```

### Programmatic triage

```python
from semgrep_python import scan

# create_jira_issue is your own ticketing helper, defined elsewhere
findings = scan(target=".", config="p/security-audit")
for f in findings:
    # Only file tickets for findings the Assistant rates as true positives
    if f.assistant_triage.likelihood == "true_positive":
        create_jira_issue(f)
```

## Decision criteria

| Situation | Approach |
|---|---|
| Open source repo, free SAST | semgrep CLI + community rules |
| Org with high-noise SAST | Semgrep Pro + Assistant |
| Want automatic fix PRs | Assistant autofix |
| Highly custom domain rules | Assistant rule generation |
| CodeQL already in place | Complement it (different engine) |

**Default**: `semgrep --config=p/ci` in CI + Assistant for triage.

## 🔗 Graph

- Parent: [[Static-Analysis]] · [[Application-Security]]
- Variants: [[CodeQL]] · [[SonarQube]] · [[Snyk-Code]]
- Adjacent: [[Claude-Code]] · [[MCP]]

## 🤖 LLM use

**When**: SAST noise is high and the triage backlog keeps growing. Lowering the barrier to writing custom rules.

**When not**: license-sensitive (Pro tier cost). Zero-network environments (Assistant is cloud-hosted).

## ❌ Anti-patterns

- **Trust autofix blindly**: review is mandatory. The LLM can change logic.
- **Disable a rule on the Assistant verdict alone**: false negative risk. Sample-audit the dismissals.
- **Replace human review**: augment, not replace.

## 🧪 Verification / duplicates

- Verified (semgrep.dev docs, Semgrep blog 2024-2026).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — Assistant features + MCP 2026 |
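Added example (not Semgrep's own code) tying together the CI-gate application and the "disable a rule on the Assistant verdict alone" anti-pattern above: a gate over `semgrep --json` output that blocks only on ERROR-severity findings, and that keeps Assistant-dismissed findings in a separate audit list for human sampling instead of dropping them. The report is a constructed sample in the real `results`/`check_id`/`path`/`start`/`extra.severity` shape; the triage map keyed by `check_id:path:line` is an assumed format, not a Semgrep API.

```python
import json

# Constructed sample in the shape of `semgrep --json` output
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.eval-detected", "path": "app/views.py",
         "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "eval() is dangerous"}},
        {"check_id": "python.lang.security.audit.eval-detected", "path": "tests/test_eval.py",
         "start": {"line": 7}, "extra": {"severity": "ERROR", "message": "eval() is dangerous"}},
        {"check_id": "python.lang.best-practice.open-never-closed", "path": "app/io.py",
         "start": {"line": 12}, "extra": {"severity": "WARNING", "message": "file never closed"}},
    ],
    "errors": [],
})

# Assumed shape for Assistant verdicts: "check_id:path:line" -> verdict (constructed, not a real API)
SAMPLE_TRIAGE = {
    "python.lang.security.audit.eval-detected:tests/test_eval.py:7": "false_positive",
}


def finding_key(result):
    """Stable key for matching a Semgrep result against a triage verdict."""
    return f"{result['check_id']}:{result['path']}:{result['start']['line']}"


def gate(report_json, triage, block_severities=("ERROR",)):
    """Split findings into blocking (fail the PR), audit (LLM-dismissed, for human sampling), info."""
    verdict = {"blocking": [], "audit": [], "info": []}
    for result in json.loads(report_json)["results"]:
        if result["extra"]["severity"] not in block_severities:
            verdict["info"].append(result)
        elif triage.get(finding_key(result)) == "false_positive":
            # Dismissed by the Assistant: never silently dropped, a human samples these
            verdict["audit"].append(result)
        else:
            verdict["blocking"].append(result)
    return verdict


def exit_code(verdict):
    """Non-zero only when an undismissed blocking finding remains."""
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    v = gate(SAMPLE_REPORT, SAMPLE_TRIAGE)
    for bucket, items in v.items():
        print(bucket, [finding_key(r) for r in items])
    raise SystemExit(exit_code(v))
```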