Skip to main content
Unified policies allow you to choose the rules and rulesets used for Semgrep scans and define what happens to a finding after identification, such as whether a finding is monitored, generates a pull request (PR) or merge request (MR) comment, or blocks a PR or MR. With unified policies, there are two types of policy definitions available to you:
  • Detection policies, which determine what rules are used to scan your project.
  • Remediation policies, which determine what happens to the findings identified by Semgrep. These actions can include leaving PR/MR comments, blocking the PRs/MRs, creating Jira tickets, sending Slack notifications, and more.

A comparison of legacy behavior versus the new behavior

Previously, you were able to define Policies for each Semgrep product on a rule-by-rule basis. For each rule, you could determine whether findings identified based on that rule would be monitored, where the findings are only sent to Semgrep AppSec Platform for review, generate a PR or MR comment, or block a PR or MR from being merged:
Rule AMonitor
Rule BComment
Rule CBlock
Rule DBlock
With unified policies, your definitions are now split into detection and remediation policies. The following tables show the detection policy enabling the rules for all projects and the remediation policy defining the actions that occur when the specified rules generate findings:

Detection policy

Rule AEnabled.
Scope: All projects
Rule BEnabled.
Scope: All projects
Rule CEnabled.
Scope: All projects
Rule DEnabled.
Scope: All projects

Remediation policy

Automation 1NameComment on PR or MR with findings
Automation 1ScopeAll projects
Automation 1ConditionsRule is one of:
  • Rule B
Automation 1ActionsComment on the PR or MR
Automation 2NameBlock PR or MR merges with findings
Automation 2ScopeAll projects
Automation 2ConditionsRule is one of:
  • Rule C
  • Rule D
Automation 2ActionsBlock PR or MR

Next steps

Get started with unified policies