Semgrep Cloud Platform API
The Semgrep Cloud Platform REST API provides programmatic access to the Semgrep AppSec Platform — the SaaS layer above the open-source Semgrep CLI engine. The API enables querying SAST findings (Semgrep Code), dependency vulnerability alerts (Semgrep Supply Chain), secrets detection results (Semgrep Secrets), and managing deployments, projects, and rule policies. Findings are the primary entity: each finding has a rule ID, severity, CWE, location (file + line), triage status (open/ignored/fixed/reviewing), and for supply chain findings, the CVE, package, and fix version. Agents use this API to build automated triage workflows (bulk-close false positives by rule or file path), feed findings into ticketing systems, generate security posture metrics, and enforce policy gates in CI/CD. Note: scan triggering is NOT available via the API — scans run through the Semgrep CLI in CI/CD pipelines; the API is purely for reading results and managing finding state.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
HTTPS enforced everywhere. API tokens inherit user role permissions — no fine-grained scopes per operation. Tokens do not expire by default (manual rotation required). Source code is uploaded to Semgrep Cloud for scanning — consider self-hosted Semgrep deployment for sensitive IP. Webhook payloads signed with HMAC-SHA256. SOC2 Type II certified. EU data residency available. Scan results contain first-party code vulnerability details — restrict API token access carefully.
⚡ Reliability
Best When
A security engineering team runs Semgrep in CI/CD at scale and needs to build automated triage, reporting, or remediation workflows on top of SAST findings across dozens or hundreds of repositories.
Avoid When
You are on the Free plan (no API), need to trigger scans programmatically, or want runtime/DAST capabilities rather than static source analysis.
Use Cases
- • Querying all open SAST findings across a deployment for security dashboard reporting
- • Bulk-triaging false positives — bulk-ignore findings matching specific rule IDs or file path patterns
- • Fetching supply chain vulnerability alerts for a specific package ecosystem (npm, PyPI) to drive automated dependency updates
- • Integrating Semgrep findings into Jira, Linear, or PagerDuty via webhook or polling
- • Generating weekly security posture metrics by project — tracking open findings over time
- • Fetching secrets detection findings for immediate credential rotation workflows
- • Monitoring new high-severity findings introduced in the last 24 hours across all projects
Not For
- • Triggering new scans on demand — scans only run via CLI/CI; the API reads existing results
- • Teams on the Free plan — API access requires Teams or Enterprise subscription
- • DAST, runtime security monitoring, or container image scanning
- • Binary analysis or languages with minimal Semgrep rule coverage (Perl, COBOL, etc.)
- • Teams wanting self-hosted results storage without Semgrep Cloud subscription
Interface
Authentication
Bearer token authentication using API tokens generated in Semgrep AppSec Platform settings (Settings → Tokens). Token is organization-scoped — it inherits the role of the creating user. No fine-grained permission scopes on tokens: a token created by an admin gets admin access; one created by a member gets member access. For agents, create a dedicated API token from a service account or lowest-privilege role. Token expiry: tokens do not expire by default — rotate them manually. No machine-to-machine OAuth2 flow. Webhook payloads are signed with HMAC-SHA256 using a shared secret configured per webhook endpoint.
Pricing
Each Semgrep product (Code, Supply Chain, Secrets) is priced separately on Teams tier — full coverage requires purchasing all three. Enterprise bundles everything. API access is gated behind paid plans — free-tier agents will receive 403 errors.
Agent Metadata
Known Gotchas
- ⚠ Scan triggering via API is not supported — scans only run through the Semgrep CLI in CI/CD pipelines; agents querying for fresh results after a code push must wait for the CI scan to complete and results to sync to the platform (typically 5-15 minutes) before the API reflects updated findings
- ⚠ API access is gated behind Teams or Enterprise subscription — agents on Free accounts will receive 403 errors; the error response does not include an upgrade link or indicate the plan restriction
- ⚠ Deployment ID (not org name or slug) is required as a path parameter for most findings and project endpoints — fetch it once from GET /deployments and cache it; the deployment ID is a stable UUID that does not change
- ⚠ Findings have a 4-state triage machine (open, ignored, fixed, reviewing) — agents must understand valid state transitions; attempting to move a 'fixed' finding back to 'open' via PUT will fail; use 'reviewing' as intermediate state
- ⚠ Supply Chain findings (from Semgrep Supply Chain) and Code findings (from Semgrep Code) use different response schemas under the same /findings endpoint — agents must branch logic on the 'source_type' field or use separate endpoint filters to avoid schema mismatches
- ⚠ Rule IDs are composite dot-separated strings (e.g., 'p/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal') — they must be URL-encoded when used as query parameters; unencoded dots in rule IDs may cause 400 errors or incorrect filter matches
- ⚠ Webhooks deliver findings in near-real-time but may arrive out of order for bulk scan completions — agents consuming webhooks must handle deduplication by finding ID and treat repeated delivery of the same finding as idempotent
- ⚠ The 'since' timestamp filter uses ISO 8601 format but is compared against the finding's 'first_seen' timestamp, not 'last_seen' or 'updated_at' — agents polling for 'new' findings since last check must use 'first_seen_at' not 'updated_at'
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Semgrep Cloud Platform API.
Scores are editorial opinions as of 2026-03-06.