2nd/10_Wiki/Topics/AI_and_ML/Semgrep Assistant.md

---
id: wiki-2026-0508-semgrep-assistant
title: Semgrep Assistant
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Semgrep AI, Semgrep Assistant, SAST AI]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, sast, ai-tools, code-scanning]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: python
  framework: Semgrep / Semgrep Cloud
---

# Semgrep Assistant

## 매 한 줄
> **"매 SAST + LLM 의 결합 — false positive triage, custom rule 자동 생성, autofix"**. 매 Semgrep (pattern-based static analysis) 위에 LLM layer 를 얹어 매 noise 를 줄이고 매 fix PR 을 제안. 매 2026: Claude Opus 4.7 backend, MCP integration 으로 IDE / CI 양쪽 지원.

## 매 핵심

### 매 Semgrep 기초
- Pattern matching on AST. 매 `pattern: $X == null && $X.foo()` 같은 syntactic rule.
- 30+ language. 매 community + paid Pro rules.
- 매 fast (<1 min for typical repo), 매 deterministic.

### 매 Assistant 가 추가하는 것
- **Triage**: 매 finding 에 대해 LLM 이 "true positive 확률" + reasoning. 매 noise -60~80%.
- **Autofix**: 매 secure replacement code suggestion → PR comment.
- **Custom rule generation**: 매 자연어 → Semgrep YAML rule.
- **Code understanding**: data-flow context 추가 ("user input from line 42 reaches sink at line 87").

### 매 응용
1. CI gate — 매 PR block on critical findings only.
2. Backlog cleanup — 매 legacy finding triage.
3. Custom org rule (e.g., "internal logger 만 사용") generation.
4. Secret scanning + remediation.

## 💻 패턴

### CLI scan
```bash
semgrep --config=auto .
semgrep --config=p/owasp-top-ten --sarif --output=results.sarif .
```

### Custom rule
```yaml
# rules/no-eval.yml
rules:
  - id: no-eval
    pattern: eval(...)
    message: "eval() 매 dangerous"
    severity: ERROR
    languages: [python]
```

### Generate rule from natural language (Assistant API)
```python
import requests
r = requests.post(
    "https://semgrep.dev/api/v1/assistant/rules",
    headers={"Authorization": f"Bearer {SEMGREP_TOKEN}"},
    json={"description": "Detect hardcoded JWT signing keys in Go"},
)
print(r.json()["rule_yaml"])
```

### CI integration (GitHub Actions)
```yaml
- uses: semgrep/semgrep-action@v1
  with:
    config: p/ci
    auditOn: push
  env:
    SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    SEMGREP_ASSISTANT: "1"  # enable AI triage
```

### Pre-commit
```yaml
# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.95.0
  hooks:
    - id: semgrep
      args: ['--config=p/python', '--error']
```

### MCP server (IDE)
```jsonc
// claude desktop config
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {"SEMGREP_APP_TOKEN": "..."}
    }
  }
}
```

### Programmatic triage
```python
from semgrep_python import scan
findings = scan(target=".", config="p/security-audit")
for f in findings:
    if f.assistant_triage.likelihood == "true_positive":
        create_jira_issue(f)
```

## 매 결정 기준
| 상황 | Approach |
|---|---|
| Open source repo, free SAST | semgrep CLI + community rules |
| Org with high noise SAST | Semgrep Pro + Assistant |
| Want fix PR auto | Assistant autofix |
| Highly custom domain rules | Assistant rule generation |
| CodeQL already in place | 보완 (different engine) |

**기본값**: `semgrep --config=p/ci` in CI + Assistant for triage.

## 🔗 Graph
- 부모: [[Static-Analysis]] · [[Application-Security]]
- 변형: [[CodeQL]] · [[SonarQube]] · [[Snyk-Code]]
- Adjacent: [[Claude-Code]] · [[MCP]]

## 🤖 LLM 활용
**언제**: SAST noise 가 높아 triage backlog 누적. 매 custom rule 작성 진입장벽 낮추기.
**언제 X**: 매 license-sensitive (Pro tier 비용). 매 zero-network env (assistant 는 cloud).

## ❌ 안티패턴
- **Trust autofix blindly**: 매 review 필수. LLM 가 logic 바꿀 수 있음.
- **Disable rule by Assistant verdict alone**: false negative 위험. 매 sample audit.
- **Replace human review**: 매 augment, not replace.

## 🧪 검증 / 중복
- Verified (semgrep.dev docs, Semgrep blog 2024-2026).
- 신뢰도 A.

## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — Assistant features + MCP 2026 |