Overview
The Semgrep integration connects your Semgrep deployment to Vanta using a read-only API token, importing code analysis results so Vanta can monitor your application security posture and run automated compliance tests. Engineering and security teams using Semgrep for SAST, secrets detection, or SCA can use this integration to track those results automatically in their compliance program.
Estimated setup time: Under 5 minutes
Use cases and capabilities
This integration pulls Semgrep code findings, secrets, supply chain vulnerabilities, project data, and scan history into Vanta. Once connected, your Semgrep results power automated tests covering vulnerability management, secrets remediation tracking, and scan frequency compliance — without manual reporting or data exports.
Code vulnerability management: SAST findings from your Semgrep scans are surfaced in Vanta as security alerts, categorized by severity. Vanta tracks whether they are being addressed within your SLA windows.
Secrets detection tracking: Secrets findings (for example, hardcoded credentials or API keys detected in your code) are imported as security alerts and tracked through the same SLA-driven remediation workflows.
Supply chain vulnerability management: Software composition analysis (SCA) findings from your third-party dependencies are imported as vulnerabilities and tracked through Vanta's vulnerability management pipeline.
Scan coverage and frequency monitoring: Semgrep project and scan records are imported so Vanta can verify that your repositories are being scanned regularly.
ℹ️ Note: For code (SAST) findings, statuses open, reviewing, or fixing are imported. For secret findings, only open status is imported. Fixed and ignored findings are excluded. Projects with no defined branch, prefixed with local_scan/, or where branch names do not match what Vanta has stored are not tracked.
Capabilities overview
Resource / Capability | Supported | How it is used in Vanta |
Semgrep Projects | Yes | Tracked as vulnerability monitoring targets (code repositories) |
SAST code findings | Yes | Surfaced as security alerts; tracked by severity (critical, high, medium, low) |
Secrets findings | Yes | Surfaced as security alerts; tracked by severity |
SCA / supply chain findings | Yes | Tracked as vulnerabilities in the vulnerability management pipeline |
Scan history | Yes | Used to verify scan recency and coverage per project |
Scan frequency monitoring | Yes | Configurable window |
Multiple Semgrep connections | Yes | Each connection requires its own API token and account name |
Write access / remediation actions | No | Read-only — we do not modify Semgrep data |
Local scans | No | Projects prefixed with local_scan/ are not imported |
Prerequisites
Before starting setup, confirm the following:
You have a Vanta admin account.
You have a Semgrep account with access to the organization whose results you want to import.
You have permission in Semgrep to create an API token. The token inherits the permissions of the user who creates it, so use an account with full organization access.
💡 Tip: Your API token must have access to exactly one Semgrep deployment. If the token has access to zero or more than one deployment, data sync will fail after connecting. Use a separate token for each Semgrep organization.
Setup guide
Step 1: Create a Semgrep API token
Log in to your Semgrep account at https://semgrep.dev/.
Navigate to Settings > Tokens (https://semgrep.dev/orgs/-/settings/tokens).
Click Create new token.
Give your token a name (for example, Vanta) and leave only Web API checked.
Copy the token. You will paste it into Vanta in the next step.
💡 Tip: Store the token somewhere safe before closing the page. Semgrep only displays it once.
Step 2: Add the token in Vanta
In Vanta, go to Integrations and click Add integration.
Search for Semgrep and click the integration tile.
Click Connect.
Enter an Account name. This is the display name Vanta uses to identify this connection. It is especially useful if you add multiple Semgrep connections later.
Paste your token into the API token field.
Click Validate and store.
Step 3: Confirm the connection
After saving, the Semgrep integration should appear as Connected in your Vanta integrations list. We begin an initial sync immediately. Once data has been imported, your Semgrep resources and related tests appear in Vanta.
Add another Semgrep connection
You can connect more than one Semgrep account by repeating these steps.
Go to Integrations and find the connected Semgrep integration
Click Manage and select Edit
Click Add Connection in the Semgrep Connections modal.
All connections can be edited or removed individually.
Permissions
Read access
We use the API token you provide to read your Semgrep deployment details, projects, code findings, secrets, supply chain findings, and scan history through the Semgrep Web API.
Write access
There is no write access. We do not modify or delete any data in your Semgrep account.
Troubleshooting and FAQs
Data is not syncing
Likely cause: Your API token has access to zero or more than one Semgrep deployment. We require exactly one deployment per connection.
Fix: Generate a new API token from an account with access to exactly one deployment and reconnect.
Vanta is not showing findings from some of my projects
Likely cause: The project has no primary or default branch configured in Semgrep; the project name starts with local_scan/; or there is a branch name mismatch between what Semgrep returns and what we have stored for that asset.
Fix: Confirm each project has a defined branch and that branch names are consistent.
The integration shows as disconnected or needs reconnection
Likely cause: The API token was revoked or expired in Semgrep.
Fix: Generate a new API token and update the connection in Vanta by navigating to Integrations, finding the Semgrep connection, and editing the credential.
