10 changes: 5 additions & 5 deletions docs/getting-started/scm-support.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,16 +23,16 @@ If any of the following conditions apply to you, you may need to add [Semgrep's
| - | - |
| Azure DevOps Cloud | <ul><li>Query console</li><li>Auto PRs for Supply Chain findings</li></ul> |
| Azure DevOps Server | <ul><li>Semgrep Assistant</li><li>Semgrep Managed Scans</li><li>Pull request comments</li><li>Query console</li><li>Diff-aware scans</li><li>Sending findings to Semgrep AppSec Platform</li><li>Default branch identification</li><li>Auto PRs for Supply Chain findings</li><li>Generic secrets (requires Semgrep Assistant)</li></ul> |
| Bitbucket Cloud Free | <ul><li>Semgrep Assistant†</li><li> Semgrep Managed Scan†</li><li> Query console</li><li>Auto PRs for Supply Chain findings</li><li>Generic secrets (requires Semgrep Assistant)</li></ul> |
| Bitbucket Cloud Standard | <ul><li>Semgrep Assistant†</li><li>Semgrep Managed Scan†</li><li> Query console</li><li>Auto PRs for Supply Chain findings</li><li>Generic secrets (requires Semgrep Assistant)</li></ul> |
| Bitbucket Cloud Free | <ul><li>Semgrep Assistant†</li><li> Semgrep Managed Scans†</li><li> Query console</li><li>Auto PRs for Supply Chain findings</li><li>Generic secrets (requires Semgrep Assistant)</li></ul> |
| Bitbucket Cloud Standard | <ul><li>Semgrep Assistant†</li><li>Semgrep Managed Scans†</li><li> Query console</li><li>Auto PRs for Supply Chain findings</li><li>Generic secrets (requires Semgrep Assistant)</li></ul> |
| Bitbucket Cloud Premium | <ul><li>Query console</li><li>Auto PRs for Supply Chain findings</li></ul> |
| Bitbucket Data Center | <ul><li>Query console</li><li>Diff-aware scans require Bitbucket Data Center version 8.8 or later.</li><li>Auto PRs for Supply Chain findings</li></ul> |
| Bitbucket Data Center | <ul><li>Query console</li><li>Diff-aware scans and triage by PR comment require Bitbucket Data Center version 8.8 or later.</li><li>Auto PRs for Supply Chain findings</li></ul> |
| GitHub Free | - |
| GitHub Pro | - |
| GitHub Team | - |
| GitHub Enterprise Cloud | - |
| GitHub Enterprise Server | <ul><li>Auto PRs for Supply Chain findings</li></ul> |
| GitLab Free | <ul><li>Semgrep Managed Scans*</li><li> Query console</li><li>Auto PRs for Supply Chain findings</li></ul> |
| GitLab Free | <ul><li>Semgrep Managed Scans*</li><li>Triage by MR comment*</li><li> Query console</li><li>Auto PRs for Supply Chain findings</li></ul> |
| GitLab Premium | <ul><li>Query console</li><li>Auto PRs for Supply Chain findings</li></ul> |
| GitLab Ultimate | <ul><li>Query console</li><li>Auto PRs for Supply Chain findings</li></ul> |
| GitLab Dedicated / Dedicated for Government | <ul><li>Query console</li><li>Auto PRs for Supply Chain findings</li></ul> |
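Review bot: the Bitbucket Cloud Free and Standard rows still omit triage by PR comment, although the new Bitbucket Cloud procedure in this PR has the admin create a workspace access token for it and the † footnote below states that workspace access tokens are only available on Bitbucket Cloud Premium; add `<li>Triage by PR comment†</li>` to both rows, mirroring the `Triage by MR comment*` entry added to GitLab Free. Also, the Bitbucket Data Center cell now mixes a full sentence (`Diff-aware scans and triage by PR comment require Bitbucket Data Center version 8.8 or later.`) into a list of feature names; consider moving the version caveat into a footnote so the column reads consistently.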
Expand All @@ -42,7 +42,7 @@ If any of the following conditions apply to you, you may need to add [Semgrep's

<strong>†</strong>Semgrep Assistant and Managed Scans require a workspace access token, which is only available to users with Bitbucket Cloud Premium.

<strong>*</strong>Semgrep Managed Scans requires access to group webhooks, which is unavailable to GitLab Free users.
<strong>*</strong>Semgrep Managed Scans and triage by MR comment require access to group webhooks, which is unavailable to GitLab Free users.

<!--
## Azure DevOps
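Review bot: the † footnote (`<strong>†</strong>Semgrep Assistant and Managed Scans require a workspace access token...`) was left unchanged, yet it is the footnote that would carry the same restriction for triage by PR comment on Bitbucket Cloud Free and Standard, since the Bitbucket Cloud steps in this PR create a workspace access token for that feature; if the table rows gain that entry, extend this footnote the same way the * footnote was extended for GitLab.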
23 changes: 22 additions & 1 deletion docs/semgrep-appsec-platform/azure-pr-comments.md
Expand Up @@ -54,6 +54,27 @@ PR comments are enabled by default for users who have connected their Azure DevO
1. In your Semgrep AppSec Platform account, click **Settings > Source code managers**.
2. Check that an entry for your Azure DevOps project exists and is correct.

#### Triage through PR comments

Developers can triage Semgrep findings without leaving Azure DevOps by responding to the PR comments authored by Semgrep. To turn this feature on, you must update your source code manager (SCM) connection to use a personal access token that grants **Full Access**. This is because Semgrep requires webhooks for the triage through PR comment feature.

To update your connection between Semgrep and Azure DevOps:

1. Log into Azure DevOps using an account assigned with either the **Owner** or **Project Collection Administrator** role for your organization.
2. [Create an access token](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Windows#create-a-pat). When selecting the **Scopes** for the token, ensure that you select **Full access**.
3. Return to Semgrep and [<i class="fas fa-external-link fa-xs"></i> sign in](https://semgrep.dev/login).
4. Go to **<i class="fa-solid fa-gear"></i> Settings > Source code managers**, and find your Azure DevOps connection.
5. Click **Update access token**.
6. In the **Update access token** dialog that appears, provide the token you created. Click **Update** to save and proceed.
7. Toggle the **Incoming webhooks** setting on.

Once you've successfully turned on the triage by PR comment feature, you can change the token you provide to Semgrep to one that's more restrictive. The token scopes required for the more restrictive token are:

- `Code: Status`
- `Member Entitlement Management: Read`
- `Project and Team: Read & write`
- `Pull Request Threads: Read & write`

### Set up the configuration file

In the Azure Pipelines configuration file, export the `SEMGREP_REPO_URL` and `SEMGREP_REPO_NAME` variables to enable PR comments and ensure that findings and related data are accurately labeled with your project's information. Note that the namespace that's a part of the variable's value follows the format <PL>organization</PL>/<PL>project</PL>:
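Review bot: the procedure asks for a PAT with **Full access** on the grounds that "Semgrep requires webhooks", yet the reduced scope list that follows (`Code: Status`, `Member Entitlement Management: Read`, `Project and Team: Read & write`, `Pull Request Threads: Read & write`) contains no webhook or service-hook scope, so the reader cannot tell which step actually consumes the broad permission; state that Full access is needed only while the **Incoming webhooks** toggle in step 7 registers the hook, and make the downgrade a recommended step (after confirming that a reply on a test PR comment triggers triage) rather than an optional afterthought, since a Full access PAT held by a third-party integration is a high-value credential. Minor: the feature is named three ways in this hunk ("Triage through PR comments", "triage through PR comment feature", "triage by PR comment feature"); pick one.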
Expand Down Expand Up @@ -92,7 +113,7 @@ steps:
export SEMGREP_BASELINE_REF='origin/main'
export AZURE_TOKEN=$(System.AccessToken)
git fetch origin main:origin/main
semgrep ci
semgrep ci
fi
- task: Bash@3
inputs:
20 changes: 19 additions & 1 deletion docs/semgrep-appsec-platform/bitbucket-cloud-pr-comments.md
Expand Up @@ -105,14 +105,32 @@ Continue setting up Bitbucket PR comments by finishing the rest of this guide.
- In addition to finishing the previous steps in your deployment journey, it is recommended to have completed a **full scan** on your **default branch** for the repository in which you want to receive comments.
- You must have a Bitbucket Cloud **workspace access token** or a **repository access token**.


### Confirm your Semgrep account's connection

Confirm that you have the correct connection and access:

1. In your Semgrep AppSec Platform account, click **Settings > Source code managers**.
2. Check that an entry for your Bitbucket workspace exists and is correct.

#### Triage through PR comments

Developers can triage Semgrep findings without leaving Bitbucket by responding to the PR comments authored by Semgrep. To turn this feature on, you must update your source code manager (SCM) connection to use a workspace access token or an HTTP access token. This allows you to enable webhooks, which Semgrep requires for the triage through PR comment feature.

To update your connection between Semgrep and Bitbucket:

1. Log in to Bitbucket using an account assigned with the **Product Admin** role.
2. [Create a workspace access token](https://support.atlassian.com/bitbucket-cloud/docs/workspace-access-tokens/). Ensure that you assign the following scopes to the token:
- `webhook (read and write)`
- `repository (read and write)`
- `pullrequest (read and write)`
- `project (admin)`
- `account (read)`
3. Return to Semgrep and [<i class="fas fa-external-link fa-xs"></i> sign in](https://semgrep.dev/login).
4. Go to **<i class="fa-solid fa-gear"></i> Settings > Source code managers**, and find your Bitbucket connection.
5. Click **Update access token**.
6. In the **Update access token** dialog that appears, provide the new token you created. Click **Update** to save and proceed.
7. Toggle the **Incoming webhooks** setting on.

### Define the `BITBUCKET_TOKEN` environment variable

To enable PR comments, define the `BITBUCKET_TOKEN` environment variable in your CI configuration file. Its syntax and placement in your CI configuration file depends on your CI provider. For example, in Bitbucket Pipelines, its syntax is the following:
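Review bot: in the opening paragraph of the new section, "a workspace access token or an HTTP access token" looks carried over from the Data Center page: step 2 of this procedure only creates a workspace access token, and the HTTP access token steps live on bitbucket-data-center-pr-comments.md, so drop the HTTP access token alternative here. The `project (admin)` scope is the broadest in the list and the text does not say which operation needs it when `webhook (read and write)` is already granted; either document why it is required or drop it. The prerequisites above still say a **workspace access token** or a **repository access token** suffices, which holds for plain PR comments but not for triage, and unlike the Azure and GitLab pages in this PR there is no guidance on replacing the admin-scoped token with a narrower one once the webhook is registered. Nit: double blank line before `### Confirm your Semgrep account's connection`.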
15 changes: 15 additions & 0 deletions docs/semgrep-appsec-platform/bitbucket-data-center-pr-comments.md
Expand Up @@ -57,6 +57,21 @@ Confirm that you have the correct connection and access:
1. In your Semgrep AppSec Platform account, click **Settings > Source code managers**.
2. Check that an entry for your Bitbucket project exists and is correct.

#### Triage through PR comments

Developers can triage Semgrep findings without leaving Bitbucket by responding to the PR comments authored by Semgrep. To turn this feature on, you must update your source code manager (SCM) connection to use a workspace access token or an HTTP access token. This allows you to enable webhooks, which Semgrep requires for the triage through PR comment feature.

To update your connection between Semgrep and Bitbucket:

1. Ensure that you're using Bitbucket Data Center version 8.8 or later.
2. Log in to Bitbucket using an account assigned with the **Project Admin** role.
3. [Create an HTTP access token](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html). When setting the token's **Project permissions**, ensure that you select **Project admin**.
4. Return to Semgrep and [<i class="fas fa-external-link fa-xs"></i> sign in](https://semgrep.dev/login).
5. Go to **<i class="fa-solid fa-gear"></i> Settings > Source code managers**, and find your Bitbucket connection.
6. Click **Update access token**.
7. In the **Update access token** dialog that appears, provide the new token you created. Click **Update** to save and proceed.
8. Toggle the **Incoming webhooks** setting on.

### Configure comments for Semgrep Code

<PrCommentsInSast name="Bitbucket" comment_type="PR" />
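Review bot: the first paragraph says the connection must use "a workspace access token or an HTTP access token", but workspace access tokens belong to the Bitbucket Cloud page and step 3 here creates an HTTP access token, so remove the workspace token alternative (the same sentence appears on the Bitbucket Cloud page with the roles reversed, which suggests a copy-paste). Step 3 requires **Project admin** without saying which operation needs it; note that it is for registering the webhook and, as the Azure and GitLab pages in this PR do, say whether the token can be swapped for a less privileged one after step 8. Step 1's version 8.8 requirement matches the scm-support.md table change in this PR.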
14 changes: 8 additions & 6 deletions docs/semgrep-appsec-platform/github-pr-comments.md
Expand Up @@ -14,7 +14,6 @@ tags:
import CustomComments from "/src/components/procedure/_customize_pr_mr_comments.mdx"
import EnableAutofix from "/src/components/procedure/_enable-autofix.mdx"
import DeploymentJourney from "/src/components/concept/_deployment-journey.mdx"
import DisplayTaintedDataIntro from "/src/components/concept/_semgrep-code-display-tainted-data.mdx"
import CommentTriggers from "/src/components/reference/_comment-triggers.mdx"
import TroubleshootingPrLinks from "/src/components/reference/_troubleshooting-pr-links.mdx"
import PrCommentsInSast from "/src/components/procedure/_pr-comments-in-sast.mdx"
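Review bot: removing the `DisplayTaintedDataIntro` import is consistent with the `<DisplayTaintedDataIntro />` usage being replaced by inline text later in this file and in gitlab-mr-comments.md; check whether `/src/components/concept/_semgrep-code-display-tainted-data.mdx` has any remaining importers and delete the component if not, so its wording does not drift from the new inline sentences.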
Expand Down Expand Up @@ -110,23 +109,26 @@ You've set up PR comments! Enable optional features provided in the following se

<EnableAutofix />

### Get cross-file findings

To get cross-file (interfile) findings in your organization, follow the steps in [<i class="fa-regular fa-file-lines"></i> Perform cross-file analysis](/semgrep-code/semgrep-pro-engine-intro).

### Dataflow traces in PR comments

![Screenshot of a GitHub PR comment with dataflow traces](/img/dataflow-traces-pr-comments.png)
_**Figure**. An inline GitHub pull request comment with dataflow traces._
With **dataflow traces**, Semgrep Code provides you a visualization of the path of tainted, or untrusted, data in specific findings. This path can help you track the sources and sinks of the tainted data as they propagate through the body of a function or a method. For general information about taint analysis, see [Taint tracking](/writing-rules/data-flow/taint-mode/overview).

When running Semgrep Code from the command line, you can pass in the flag `--dataflow-traces` to use this feature.

<DisplayTaintedDataIntro />
You can view dataflow traces in the PR comments created by Semgrep Code running in your CI/CD system.

#### View the path of tainted data in PR comments

To enable dataflow traces feature in your CI pipeline, fulfill the following prerequisites:

:::info Prerequisites
- Set up Semgrep to post GitHub PR comments, as described on this page.
- To obtain meaningful results of dataflow traces in PR comments, use cross-file analysis while scanning your repositories. To enable cross-file analysis, see [<i class="fa-regular fa-file-lines"></i> Perform cross-file analysis](/semgrep-code/semgrep-pro-engine-intro).
- Not all Semgrep rules or rulesets make use of taint tracking. Ensure that you have a ruleset that does, such as the **default ruleset**, added in your **[Policies](https://semgrep.dev/orgs/-/policies)**. To add this ruleset, navigate to [https://semgrep.dev/p/default](https://semgrep.dev/p/default), and then click **Add to Policies**.
- You can add additional rules that use taint tracking from [Semgrep Registry](https://semgrep.dev/explore).
:::

### Prevent developers from merging a PR with a reachable vulnerability

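Review bot: the figure caption `_**Figure**. An inline GitHub pull request comment with dataflow traces._` is immediately followed by the `With **dataflow traces**, ...` paragraph with no blank line, so in Markdown/MDX the two render as a single paragraph; insert a blank line after the caption. In `To enable dataflow traces feature in your CI pipeline`, the article is missing ("the dataflow traces feature"); the GitLab page in this PR uses `To enable dataflow traces in your CI pipeline`, which reads better. Dropping `### Get cross-file findings` is fine because the prerequisites box keeps the cross-file analysis link, but the button label `Add to Policies` here differs from `Add to Policy` on the GitLab page; verify which label the UI uses and align both.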
34 changes: 27 additions & 7 deletions docs/semgrep-appsec-platform/gitlab-mr-comments.md
Expand Up @@ -14,7 +14,6 @@ tags:

import CustomComments from "/src/components/procedure/_customize_pr_mr_comments.mdx"
import EnableAutofix from "/src/components/procedure/_enable-autofix.mdx"
import DisplayTaintedDataIntro from "/src/components/concept/_semgrep-code-display-tainted-data.mdx"
import CommentTriggers from "/src/components/reference/_comment-triggers.mdx"
import TroubleshootingPrLinks from "/src/components/reference/_troubleshooting-pr-links.mdx"
import PrCommentsInSast from "/src/components/procedure/_pr-comments-in-sast.mdx"
Expand All @@ -31,7 +30,7 @@ import CommentsInSupplyChain from "/src/components/concept/_comments-in-supply-c

<DeploymentJourney />

Semgrep can create **merge request (MR) comments** in your GitLab repository. These comments provide a description of the issue detected by Semgrep and may offer possible solutions. These comments are a means for security teams, or any team responsible for creating standards to help their fellow developers write safe and standards-compliant code.
Semgrep can create **merge request (MR) comments** in your GitLab repository. These comments provide a description of the issue detected by Semgrep and may offer possible solutions. These comments are a means for security teams, or any team responsible for creating standards, to help their fellow developers write safe and standards-compliant code.

Automated comments on GitLab merge requests are displayed as follows:

Expand All @@ -57,6 +56,28 @@ PR comments are enabled by default for users who have connected their GitLab gro
1. In your Semgrep AppSec Platform account, click **Settings > Source code managers**.
2. Check that an entry for your GitLab group exists and is correct.

#### Triage through MR comment

Developers can triage Semgrep findings without leaving GitLab by responding to the MR comments authored by Semgrep. To turn this feature on, you must update your source code manager (SCM) connection to use an access token with an elevated role. This allows you to enable webhooks, which Semgrep requires for the triage through MR comment feature.

To update your connection between Semgrep and GitLab:

1. Ensure that you're using one of the following GitLab plans:
- GitLab Premium
- GitLab Ultimate
- GitLab Self Managed
2. Log in to GitLab, and create an access token with one of the following roles assigned:
- `Maintainer`
- `Owner`
- `Admin`
3. Return to Semgrep and [<i class="fas fa-external-link fa-xs"></i> sign in](https://semgrep.dev/login).
4. Go to **<i class="fa-solid fa-gear"></i> Settings > Source code managers**, and find your GitLab connection.
5. Click **Update access token**.
6. In the **Update access token** dialog that appears, provide the new token you created. Click **Update** to save and proceed.
7. Toggle the **Incoming webhooks** setting on.

Once you've successfully turned on the triage by PR comment feature, you can change the token you provide to Semgrep to one that's more restrictive. You can downgrade the role assigned to the token to `Developer`.

### Configure comments for Semgrep Code

<PrCommentsInSast name="GitLab" comment_type="MR" />
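Review bot: step 2 ("create an access token with one of the following roles assigned: Maintainer, Owner, Admin") does not say what kind of token is meant (personal, group or project access token) or which scopes it needs; since the scm-support.md footnote in this PR ties the feature to group webhooks, name the token type and the group it must be created under. In step 1, "GitLab Self Managed" is a deployment option rather than a plan, and the list does not mention GitLab Dedicated, which the scm-support.md table does list; rephrase as plan plus deployment requirements. The closing sentence still says "triage by PR comment feature" on a GitLab page (should be MR comment), and the heading `#### Triage through MR comment` is singular while the other pages in this PR use "Triage through PR comments".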
Expand Down Expand Up @@ -85,20 +106,19 @@ You've set up MR comments! Enable optional features provided in the following se

### Dataflow traces in MR comments

![Screenshot of a GitLab MR comment with dataflow traces](/img/dataflow-traces-mr-comments.png)
_**Figure**. An inline GitLab pull request comment with dataflow traces._
With **dataflow traces**, Semgrep Code provides you a visualization of the path of tainted, or untrusted, data in specific findings. This path can help you track the sources and sinks of the tainted data as they propagate through the body of a function or a method. For general information about taint analysis, see [Taint tracking](/writing-rules/data-flow/taint-mode/overview).

When running Semgrep Code from the command line, you can pass in the flag `--dataflow-traces` to use this feature.

<DisplayTaintedDataIntro />
You can view dataflow traces in the MR comments created by Semgrep Code running in your CI/CD system.

#### View the path of tainted data in MR comments

To enable dataflow traces in your CI pipeline, fulfill the following prerequisites:

:::info Prerequisites
- Set up Semgrep to post GitLab merge request comments, as described on this page.
- To obtain meaningful results of dataflow traces in MR comments, use cross-file analysis while scanning your repositories. To enable cross-file analysis, see [<i class="fa-regular fa-file-lines"></i> Perform cross-file analysis](/semgrep-code/semgrep-pro-engine-intro).
- Not all Semgrep rules or rulesets make use of taint tracking. Ensure that you have a ruleset, such as the **default ruleset** added in your **[Policies](https://semgrep.dev/orgs/-/policies)**. If this ruleset is not added, go to [https://semgrep.dev/p/default](https://semgrep.dev/p/default), and then click **Add to Policy**. You can add rules that use taint tracking from [Semgrep Registry](https://semgrep.dev/explore).
:::

### Customize MR comments

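Review bot: the new figure caption reads "An inline GitLab pull request comment with dataflow traces" on the GitLab page, where the rest of the section says merge request / MR comment; change it to "merge request comment". As on the GitHub page, the caption line is directly followed by the `With **dataflow traces**, ...` paragraph with no blank line, so the two render as one paragraph. Nit: `Add to Policy` here versus `Add to Policies` on the GitHub page.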