
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Quickstart for Semgrep Managed Scans

> This quickstart guide will help you set up Semgrep and scan your first project using Semgrep Managed Scans.

<Note>
  **INFO**

  A **project** is any codebase, repository, or folder within a monorepo that is added to Semgrep for scanning. This includes all the findings, history, and scan metadata for the project.
</Note>

## What are Semgrep Managed Scans?

Semgrep Managed Scans allow you to run Semgrep scans without needing to set up and maintain your own infrastructure. It provides a simple, scalable way to scan your code for security vulnerabilities, code quality issues, and other problems without setting up and maintaining separate configurations for each project.

## Supported source code managers

You must be an existing [Semgrep AppSec Platform](https://semgrep.dev/orgs/-/) user with one of the following plans:

* Bitbucket Cloud Premium plans or Bitbucket Data Center (v8.8 or above for diff-aware scans)
* Hosted GitHub (GitHub.com) and GitHub Enterprise Server plans
* GitLab Cloud and GitLab self-managed plans and a Premium or Ultimate subscription
* Azure DevOps Cloud repositories

## Add projects to Semgrep Managed Scans

<Tabs>
  <Tab title="Azure DevOps">
    ### Prerequisites

    You must have admin access to your Azure DevOps organization.

    Read access is granted through an access token you generate on Azure DevOps. You can provide this token by [adding Azure DevOps as a source code manager](/deployment/connect-scm#connect-to-cloud-hosted-orgs).

    Semgrep recommends setting up and configuring Semgrep with an Azure DevOps service account, not a personal account. Regardless of whether you use a personal or service account, the account must be assigned the **Owner** or **Project Collection Administrator** role for the organization. During setup and configuration, you must provide a personal access token generated by this account. This token must be authorized with **Full access**. Once you have Semgrep Managed Scans fully configured, you can update the token provided to Semgrep to a more restrictive one. The scopes you must assign to the token include:

    * `Code: Read`
    * `Code: Status`
    * `Member Entitlement Management: Read`
    * `Project and Team: Read & write`
    * `Pull Request Threads: Read & write`

    ### Add a project

    <Steps>
      <Step>
        Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login)
      </Step>

      <Step>
        Navigate to **Projects**, and click **Scan new project > Semgrep Managed Scan**.
      </Step>

      <Step>
        In the **Enable Managed Scans for repos** page, select the repositories you want to add to Semgrep Managed Scans.
      </Step>

      <Step>
        Click **Enable Managed Scans**. The **Enable Managed Scans** dialog appears. By default, Semgrep runs both full and diff-aware scans.
      </Step>

      <Step>
        Click **Enable**. You are taken to the **Projects** page as your scans begin.
      </Step>
    </Steps>
  </Tab>

  <Tab title="Bitbucket">
    ### Prerequisites

    You must have admin access to your Bitbucket organization.

    #### Bitbucket Cloud

    * Read access is granted through a [workspace access token](https://support.atlassian.com/bitbucket-cloud/workspace-access-tokens/) you generate on Bitbucket. You can provide this token by [adding Bitbucket as a source code manager](/deployment/connect-scm#connect-to-cloud-hosted-orgs).
    * The user generating the workspace token must be a **Product Admin** for the workspace. The scopes you must assign to the token include:
      * `webhook (read and write)`
      * `repository (read and write)`
      * `pullrequest (read and write)`
      * `project (admin)`
      * `account (read)`

    #### Bitbucket Data Center

    * V8.8 or above for diff-aware scans. Additionally, project-level webhooks are required to support diff-aware scans.
    * Read access is granted through an [HTTP access token](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html) you generate on Bitbucket. You can provide this token by [adding Bitbucket as a source code manager](/deployment/connect-scm#connect-to-on-premise-orgs-and-projects).
    * The user generating the token must be a **Project Admin** for the project. See [Bitbucket Data Center prerequisites](/deployment/managed-scanning/bitbucket#bitbucket-data-center).

    ### Add a project

    <Steps>
      <Step>
        Sign in to [Semgrep AppSec Platform](https://semgrep.dev/login)
      </Step>

      <Step>
        Navigate to **Projects**, and click **Scan new project > Semgrep Managed Scan**.
      </Step>

      <Step>
        In the **Enable Managed Scans for repos** page, select the repositories you want to add to Semgrep Managed Scans.
      </Step>

      <Step>
        Click **Enable Managed Scans**. The **Enable Managed Scans** dialog appears. By default, Semgrep runs both full and diff-aware scans.
      </Step>

      <Step>
        Click **Enable**. You are taken to the **Projects** page as your scans begin.
      </Step>
    </Steps>
  </Tab>

  <Tab title="GitHub">
    ### Prerequisites

    You must have admin access to your GitHub organization.

    To enable and use this feature, you must grant Semgrep **Read access** to your code. This is done by installing a private GitHub app that you create and register yourself. The steps to do so are provided in the subsequent section of this document. See [Managed Scans > Security](/deployment/managed-scanning/overview#security) for more information on how Semgrep handles your code once you've provided read access.

    ### Add a project

    <Steps>
      <Step>
        Go to [Semgrep AppSec Platform](https://semgrep.dev/login), and sign up by clicking on **Sign in with GitHub**. Follow the on-screen prompts to [grant Semgrep the necessary permissions](/deployment/prepare/scm-permissions#github-app-permissions) and proceed.
      </Step>

      <Step>
        Provide the **Organization display name** you'd like to use, then click **Create new organization**.
      </Step>

      <Step>
        When asked **Where do you want to scan?** click **GitHub**.
      </Step>

      <Step>
        Follow the steps in the **Connect GitHub to Semgrep** page. These steps install a public GitHub app to handle PR comments and a private GitHub app to handle code access. You can select which repositories these apps have access to, and remove or revoke their permissions at any time.
      </Step>

      <Step>
        Click **Set up projects**. You are taken to the **Enable Managed Scans for repos** page.
      </Step>

      <Step>
        Select all the repositories you want to add to Semgrep Managed Scans for scanning.
      </Step>

      <Step>
        Click **Enable Managed Scans**. You are taken to the **Projects** page as your scans begin.
      </Step>
    </Steps>
  </Tab>

  <Tab title="GitLab">
    ### Prerequisites

    Semgrep Managed Scanning (SMS) requires one of the following plans:

    * GitLab Premium
    * GitLab Ultimate
    * GitLab Self Managed

    You must provide a GitLab group access token or personal access token to Semgrep. The token must have the `api` scope assigned to it.

    During SMS onboarding, the group or user to which the token is assigned must have one of the following roles:

    * `Maintainer`
    * `Owner`
    * `Admin`

    This is because managed scans of GitLab repositories require the enablement of webhooks to facilitate diff-aware scans and the creation of pull request comments by Semgrep. The webhooks are enabled by default when you set up Managed Scans and add GitLab as a source code manager. Once onboarding is complete, you can downgrade the role assigned to the token to `Developer`.

    ### Add a project

    <Steps>
      <Step>
        Navigate to [Semgrep AppSec Platform](https://semgrep.dev/login), and sign up by clicking on **Sign in with GitLab**. Follow the on-screen prompts to proceed.
      </Step>

      <Step>
        When prompted, click **Scan new project > Semgrep Managed Scan**.
      </Step>

      <Step>
        In the **Enable Managed Scans for repos** page, select the repositories you want to add to Semgrep Managed Scans.
      </Step>

      <Step>
        Click **Enable Managed Scans**. The **Enable Managed Scans** dialog appears. By default, Semgrep runs both full and diff-aware scans.
      </Step>

      <Step>
        Click **Enable**. You are taken to the **Projects** page as your scans begin.
      </Step>
    </Steps>
  </Tab>
</Tabs>

Semgrep now performs a full scan on all the projects that you added in batches.

You can [view your projects in Semgrep AppSec Platform](https://semgrep.dev/orgs/-/projects/scanning). All projects with a Managed Scan configuration are tagged with `managed-scan`, regardless of whether they are actively being scanned by Semgrep Managed Scans.

## Next steps

Once a scan has finished, you can view your findings on the following Semgrep AppSec Platform pages:

* [<Icon icon="external-link" iconType="solid" />  Code](https://semgrep.dev/orgs/-/findings?tab=open\&primary=true) for SAST findings
* [<Icon icon="external-link" iconType="solid" /> Secrets](https://semgrep.dev/orgs/-/secrets?tab=open\&validation_state=confirmed_valid,validation_error,no_validator) for secrets findings
* [<Icon icon="external-link" iconType="solid" /> Supply Chain](https://semgrep.dev/orgs/-/supply-chain/vulnerabilities?primary=true\&tab=open) for SCA findings
* Add [AI-powered detection](/deployment/add-ai-to-scans) to your Semgrep Code scans

See [Semgrep Managed Scans](/deployment/managed-scanning/overview) to learn more about how Semgrep manages your scans.
