
Code Vulnerability Findings

Collects and reports code vulnerabilities and compliance issues identified by Semgrep's static analysis rules across various programming languages and configurations.

Sync Type: Incremental

Requirements

  • Before you connect Monad to Semgrep, you need an API token. API tokens are scoped to include all code findings from a specific account in Semgrep.
  • Make sure that your account is on the Semgrep Code Team tier, which is required for access to the API endpoints.
  • To generate a new Semgrep API token:
    • Log in to Semgrep and confirm which account you are using. If needed, switch to the account that you want to connect to Monad.
    • Click Settings > Tokens > Create new token.
    • In the dialog that appears, make sure that WebAPI is selected and Agent (CI) is deselected under Token Scopes. The connector only reads findings, so it does not need the CI scope.
    • In Description, enter something like "Monad Connector token" so that it is clear later what this token is for.
    • Copy the token value (shown as Secrets Value) to a secure place, such as your secrets manager, so you can use it when setting up the connector. Once you close this dialog, you cannot view the token value again.

Details

Monad uses the since filter on the findings API to decide which findings to fetch. The filter value is the time at which the most recent successful findings request was initiated, and it is advanced only after a request succeeds: a failed request leaves the previous value in place, so the same window is retried on the next run. Because the recorded time is when the request was started rather than when it completed, findings created while a request is in flight fall on or after the next since value and are picked up on the following run. On the first request, when no previous value exists, a full sync of the data is performed.
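The cursor behaviour described above, written out as an added example that is not Monad's or Semgrep's code. FakeFindingsApi is a constructed in-memory stand-in for the findings endpoint, and demo() walks through a first run (full sync), a normal incremental run, and a failed request whose cursor is not advanced, so that a finding created before the failed attempt is still fetched afterwards.

```python
"""Incremental "since" cursor, as the Details section describes it (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class SyncState:
    """Persisted between runs; `since` stays None until the first successful request."""
    since: Optional[datetime] = None


@dataclass
class FakeFindingsApi:
    """Constructed stand-in for the findings endpoint, not the real Semgrep API.

    Findings created at or after `since` are returned (a finding whose
    created_at equals the cursor is re-fetched; downstream dedup is by id).
    """
    findings: list = field(default_factory=list)
    fail_next: bool = False

    def create(self, finding_id, created_at):
        self.findings.append({"id": finding_id, "created_at": created_at})

    def get_findings(self, since):
        if self.fail_next:
            self.fail_next = False
            raise ConnectionError("simulated server error from the findings endpoint")
        if since is None:                       # first run: full sync
            return list(self.findings)
        return [f for f in self.findings if f["created_at"] >= since]


def run_sync(api, state, started_at):
    """One sync run; returns the fetched finding ids.

    `started_at` is the wall-clock time at which this request is initiated.
    It becomes the next cursor only after the request succeeds. Using the
    start time rather than the completion time means a finding created while
    the request is in flight is not skipped on the next run.
    """
    findings = api.get_findings(state.since)    # raises on failure: cursor untouched
    state.since = started_at
    return [f["id"] for f in findings]


def demo():
    """Three successful runs around one failed one; returns ids per run and the final cursor."""
    t0 = datetime(2025, 8, 11, 23, 0, tzinfo=timezone.utc)
    api, state = FakeFindingsApi(), SyncState()
    api.create("A", t0 - timedelta(days=1))
    runs = []
    runs.append(run_sync(api, state, t0))                          # no cursor: full sync -> ["A"]
    api.create("B", t0 + timedelta(seconds=30))
    runs.append(run_sync(api, state, t0 + timedelta(minutes=1)))   # since = t0 -> ["B"]
    api.create("C", t0 + timedelta(minutes=1, seconds=20))         # created before the failed attempt
    api.fail_next = True
    try:
        run_sync(api, state, t0 + timedelta(minutes=1, seconds=30))
    except ConnectionError:
        pass                                                       # cursor is still t0 + 1 min
    runs.append(run_sync(api, state, t0 + timedelta(minutes=2)))   # since = t0 + 1 min -> ["C"]
    return runs, state.since.isoformat()


if __name__ == "__main__":
    print(demo())
```

If the cursor had been advanced to the failed attempt's start time, finding C (created at t0 + 1m20s, before that attempt) would never have been returned by any later request; keeping the old cursor on failure is what makes the retry safe.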

Configuration

The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.

Settings

Setting               Type    Required  Description
Backfill Start Time   string  No        The date to start fetching data from. If not specified, no past records will be fetched.

Secrets

Secret    Type    Required  Description
API Key   string  Yes       API Key for the Semgrep API. This is required to authenticate requests.

OCSF Conversion

The following JQ transformation converts Semgrep Code Finding data to OCSF Version 1.1.0 compliant format.

JQ Transformation

{
  class_uid: 2002,        # Vulnerability Finding
  category_uid: 2,        # Findings
  type_uid: 200200,       # Vulnerability Finding: Unknown (class_uid * 100 + activity_id)
  activity_id: 0,         # Unknown
  severity_id: (.severity | if . == "critical" then 4 elif . == "high" then 3 elif . == "medium" then 2 else 1 end),
  # fromdateiso8601 does not accept fractional seconds, so they are stripped first
  time: (.created_at | sub("\\.[0-9]+"; "") | fromdateiso8601),
  cloud: {
    provider: "Unknown",
    account: { name: .repository.name }
  },
  finding_info: {
    uid: (.id | tostring),
    title: .rule_name,
    desc: .rule_message,
    first_seen_time: (.relevant_since | sub("\\.[0-9]+"; "") | fromdateiso8601)
  },
  vulnerabilities: [{
    desc: .rule_message,
    severity: .severity,
    title: .rule_name,
    vendor_name: "Semgrep",
    first_seen_time: (.relevant_since | sub("\\.[0-9]+"; "") | fromdateiso8601),
    last_seen_time: (.created_at | sub("\\.[0-9]+"; "") | fromdateiso8601),
    # cwe_names entries look like "CWE-79: Improper Neutralization ..."; a plain split("-")
    # would keep the caption in the uid (and break on hyphens inside the caption), so the
    # number and caption are captured by regex. Both are null when the rule has no CWE.
    cwe: (
      ((.rule.cwe_names // [])[0] // "")
      | (capture("^CWE-(?<id>[0-9]+):?\\s*(?<caption>.*)$") // {})
      | { uid: .id, caption: (if .caption == "" then null else .caption end) }
    ),
    affected_code: [{
      file: {
        path: .location.file_path,
        name: (if .location.file_path then (.location.file_path | split("/")[-1]) else null end),
        type_id: 0        # Unknown
      },
      start_line: .location.line,
      end_line: .location.end_line
    }],
    references: .rule.owasp_names
  }],
  raw_data: (. | tostring),
  metadata: {
    version: "1.1.0",
    product: {
      vendor_name: "Semgrep",
      name: "Semgrep"
    }
  }
}

OCSF Mapping Details

The JQ transformation converts Semgrep Code Findings to OCSF Version 1.1.0 with the following key mappings:

Core Fields

  • Class UID: Set to 2002 (Vulnerability Finding)
  • Category UID: Set to 2 (Findings)
  • Type UID: Set to 200200 (Vulnerability Finding: Unknown)
  • Activity ID: Set to 0 (Unknown)
  • Severity ID: Mapped from Semgrep severity levels:
    • critical → 4
    • high → 3
    • medium → 2
    • others → 1 (Low)
  • Time: Extracted from the created_at field with fractional seconds stripped (jq's fromdateiso8601 does not accept them)

Cloud Information

  • Provider: Set to "Unknown"
  • Account Name: Maps from repository name

Finding Information

  • UID: Finding ID converted to string
  • Title: Maps from rule name
  • Description: Maps from rule message
  • First Seen Time: Converted from relevant_since timestamp

Vulnerability Details

  • Description: Maps from rule message
  • Severity: Maps directly from Semgrep severity
  • Title: Maps from rule name
  • Vendor Name: Set to "Semgrep"
  • Time Information:
    • First Seen: Converted from relevant_since
    • Last Seen: Converted from created_at
  • CWE Information (null when the rule carries no CWE, as in the sample record below):
    • UID: The numeric part of the first CWE name, e.g. "79" from "CWE-79: Improper Neutralization ...". Note that OCSF's own examples use the full "CWE-79" form, so adjust here if your consumer expects the prefix
    • Caption: The text after the "CWE-NNN:" prefix of the first CWE name
  • Affected Code:
    • File Path: Full file path
    • File Name: Extracted from last segment of path
    • Line Numbers: Start and end lines from location data
  • References: Maps from OWASP names in rule

Metadata

  • Version: Set to "1.1.0"
  • Product:
    • Vendor name: "Semgrep"
    • Name: "Semgrep"

Customization

The transformation is a starting point and can be modified to suit specific requirements while staying OCSF-compliant. The mapping carries the essential finding, rule and code-location information; values that Semgrep does not supply, such as the cloud provider, are filled with fallback values ("Unknown" or null) rather than detected.
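A Python mirror of the mapping above, as an added example that is not Monad's or Semgrep's code, so the two edge cases the jq has to handle can be checked offline: timestamps with fractional seconds (which fromdateiso8601 rejects) and cwe_names entries of the form "CWE-79: <caption>", where a naive split on "-" leaks the caption into the uid. SAMPLE_FINDING is constructed for the purpose: the field names follow the page's sample record, but the rule name example.web.xss.reflected, its message, the file path and the CWE/OWASP metadata are hypothetical.

```python
"""Python rendering of the Semgrep -> OCSF 1.1.0 Vulnerability Finding mapping (added example)."""
import re
from datetime import datetime, timezone

SEVERITY_ID = {"critical": 4, "high": 3, "medium": 2}   # anything else -> 1 (Low)
CWE_RE = re.compile(r"^CWE-(?P<id>\d+):?\s*(?P<caption>.*)$")


def to_epoch(ts):
    """'2025-08-11T23:46:36.154051Z' -> Unix seconds, like sub("\\.[0-9]+"; "") | fromdateiso8601."""
    if ts is None:
        return None
    ts = re.sub(r"\.\d+", "", ts)                        # drop fractional seconds
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def naive_cwe_uid(cwe_name):
    """What split("-")[1] yields; kept only to show why it is the wrong extraction."""
    return cwe_name.split("-")[1]


def parse_cwe(cwe_names):
    """{"uid", "caption"} for the first CWE name; both null when absent or unparseable."""
    m = CWE_RE.match(cwe_names[0]) if cwe_names else None
    if not m:
        return {"uid": None, "caption": None}
    return {"uid": m.group("id"), "caption": m.group("caption") or None}


def to_ocsf(f):
    """Convert one Semgrep finding dict to the OCSF 1.1.0 shape used by the jq above."""
    rule, loc = f.get("rule") or {}, f.get("location") or {}
    path = loc.get("file_path")
    class_uid, activity_id = 2002, 0
    created, relevant = to_epoch(f.get("created_at")), to_epoch(f.get("relevant_since"))
    return {
        "class_uid": class_uid,
        "category_uid": 2,
        "type_uid": class_uid * 100 + activity_id,       # 200200: Vulnerability Finding: Unknown
        "activity_id": activity_id,
        "severity_id": SEVERITY_ID.get(f.get("severity"), 1),
        "time": created,
        "cloud": {"provider": "Unknown", "account": {"name": (f.get("repository") or {}).get("name")}},
        "finding_info": {
            "uid": str(f["id"]) if f.get("id") is not None else None,
            "title": f.get("rule_name"), "desc": f.get("rule_message"), "first_seen_time": relevant,
        },
        "vulnerabilities": [{
            "desc": f.get("rule_message"), "severity": f.get("severity"), "title": f.get("rule_name"),
            "vendor_name": "Semgrep", "first_seen_time": relevant, "last_seen_time": created,
            "cwe": parse_cwe(rule.get("cwe_names")),
            "affected_code": [{
                "file": {"path": path, "name": path.split("/")[-1] if path else None, "type_id": 0},
                "start_line": loc.get("line"), "end_line": loc.get("end_line"),
            }],
            "references": rule.get("owasp_names"),
        }],
        "metadata": {"version": "1.1.0", "product": {"vendor_name": "Semgrep", "name": "Semgrep"}},
    }


# Constructed input (hypothetical rule, path and metadata; field names as in the page's sample).
SAMPLE_FINDING = {
    "id": 8864707,
    "repository": {"name": "Monad-Inc/monad-app"},
    "created_at": "2025-08-11T23:46:36.154051Z",
    "relevant_since": "2025-08-11T23:46:36.154055Z",
    "rule_name": "example.web.xss.reflected",
    "rule_message": "User input reaches an HTML response without escaping.",
    "location": {"file_path": "app/views.py", "line": 42, "end_line": 44},
    "rule": {
        "cwe_names": ["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],
        "owasp_names": ["A03:2021 - Injection"],
    },
    "severity": "high",
}


def convert_sample():
    return to_ocsf(SAMPLE_FINDING)


if __name__ == "__main__":
    import json
    print(json.dumps(convert_sample(), indent=2))
```

The regex is anchored on the "CWE-" prefix so hyphens later in the caption (as in "Cross-site") cannot shift the uid, which is exactly where the split-based extraction breaks.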

Sample Record

{
  "id": 8864707,
  "ref": "refs/pull/5925/merge",
  "syntactic_id": "c3efb61b-3bfb-f81b-56f5-1b76ebc7351d",
  "match_based_id": "9f5a6aa4-0dc1-f7f1-db16-01b36ab6ce60",
  "repository": {
    "name": "Monad-Inc/monad-app",
    "url": "https://github.com/Monad-Inc/monad-app"
  },
  "line_of_code_url": "https://github.com/Monad-Inc/monad-app/blob/75e6aacf-7635-49fd-5107-9b5ab90bc569/ui/Dockerfile#L45",
  "first_seen_scan_id": 7423791,
  "state": "open",
  "triage_state": "reviewed",
  "status": "fixed",
  "confidence": "low",
  "created_at": "2025-08-11T23:46:36.154051Z",
  "relevant_since": "2025-08-11T23:46:36.154055Z",
  "rule_name": "dockerfile.best-practice.avoid-latest-version",
  "rule_message": "Images should be tagged with an explicit version to produce deterministic container images. The 'latest' tag may change the base container without warning.",
  "location": {
    "file_path": "ui/Dockerfile",
    "line": 100,
    "column": 80,
    "end_line": 209,
    "end_column": 52
  },
  "triaged_at": null,
  "triage_comment": null,
  "triage_reason": null,
  "state_updated_at": "2025-08-11T23:46:36.154115Z",
  "categories": [
    "best-practice"
  ],
  "rule": {
    "name": "dockerfile.best-practice.use-specific-version",
    "message": "Images should be tagged with an explicit version to produce deterministic container images. The 'latest' tag may change the base container without warning.",
    "confidence": "high",
    "category": "best-practice",
    "subcategories": [],
    "vulnerability_classes": [],
    "cwe_names": [],
    "owasp_names": []
  },
  "severity": "high",
  "sourcing_policy": {
    "id": 18944,
    "name": "Rule Board - PR Comments column",
    "slug": "rule-board-pr-comments"
  },
  "assistant": null
}