r2c-CSE/owasp-reporting

Semgrep Priority Findings Report

Generates a print-ready PDF report of priority security findings for a project using the Semgrep API v2 IssuesService.

Priority findings defined

| Product | Criteria |
|---|---|
| Secrets | Open / Reviewing / To-Fix status · Critical or High severity · Validation = CONFIRMED_VALID · Not auto-triaged as false positive |
| Code (SAST) | Open / Reviewing / To-Fix status · Critical or High severity · High confidence · Not auto-triaged as false positive |
| Supply Chain (SCA) | Open / Reviewing / To-Fix status · Critical or High severity · Reachability = ALWAYS_REACHABLE or REACHABLE |
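The criteria in the table above, written out as a filter plus the per-product × severity count used by the summary section. This is an added example, not the repository's own script: the field names (`product`, `status`, `severity`, `validation_state`, `confidence`, `reachability`, `autotriage_verdict`) and the sample records are assumptions standing in for whatever the Semgrep API v2 IssuesService actually returns.

```python
# Added example (not the repository's own script): the README's priority
# criteria as a filter. Field names are assumptions standing in for the
# Semgrep API v2 IssuesService schema; map them to the real fields before use.
PRIORITY_STATUSES = {"open", "reviewing", "to_fix"}
PRIORITY_SEVERITIES = {"critical", "high"}
REACHABLE_STATES = {"ALWAYS_REACHABLE", "REACHABLE"}

def is_priority(finding: dict) -> bool:
    """Apply the per-product criteria from the 'Priority findings defined' table."""
    if finding.get("status", "").lower() not in PRIORITY_STATUSES:
        return False
    if finding.get("severity", "").lower() not in PRIORITY_SEVERITIES:
        return False
    not_fp = finding.get("autotriage_verdict") != "false_positive"
    product = finding.get("product")
    if product == "secrets":
        return not_fp and finding.get("validation_state") == "CONFIRMED_VALID"
    if product == "sast":
        return not_fp and finding.get("confidence", "").lower() == "high"
    if product == "sca":
        return finding.get("reachability") in REACHABLE_STATES
    return False  # unknown product: never promoted to priority

def summarize(findings) -> dict:
    """Count priority findings by (product, severity), as in report section 1."""
    counts = {}
    for f in findings:
        if is_priority(f):
            key = (f["product"], f["severity"].lower())
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample records, not real API output.
SAMPLE_FINDINGS = [
    {"product": "secrets", "status": "open", "severity": "critical",
     "validation_state": "CONFIRMED_VALID"},
    {"product": "secrets", "status": "open", "severity": "high",
     "validation_state": "CONFIRMED_INVALID"},        # not validated: excluded
    {"product": "sast", "status": "to_fix", "severity": "high",
     "confidence": "HIGH", "autotriage_verdict": "false_positive"},  # excluded
    {"product": "sast", "status": "reviewing", "severity": "high",
     "confidence": "HIGH"},
    {"product": "sca", "status": "open", "severity": "critical",
     "reachability": "UNREACHABLE"},                   # unreachable: excluded
    {"product": "sca", "status": "open", "severity": "critical",
     "reachability": "REACHABLE"},
    {"product": "sca", "status": "fixed", "severity": "critical",
     "reachability": "REACHABLE"},                     # already fixed: excluded
]
```

Only three of the seven constructed records survive the filter, one per product; the excluded ones each fail exactly one criterion from the table.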

Report contents

  1. Priority Findings Summary — count by scan product × severity
  2. Findings by Status and Severity — per-product breakdown (open / reviewing / to-fix)
  3. Code Findings by OWASP Category — SAST findings grouped by OWASP Top 10 category
  4. Finding Details — full listing sorted by severity (critical first) then scan product, with product-specific detail columns (secret type + validation / OWASP + CWE / CVE + dependency + reachability)

Setup

```shell
pip install -r requirements.txt
```

Dependencies: requests, reportlab (both commonly pre-installed).

Usage

```shell
# Set your API token (Web API scope required)
export SEMGREP_APP_TOKEN=your-token-here

# Report for a specific repository
python semgrep_priority_report.py --project my-org/my-repo

# Specify deployment ID explicitly and custom output path
python semgrep_priority_report.py \
  --deployment-id 12345 \
  --project my-org/my-repo \
  --output q2-security-report.pdf

# Report across all repositories in your org (omit --project)
python semgrep_priority_report.py --output full-org-report.pdf
```

If neither --deployment-id nor SEMGREP_DEPLOYMENT_ID is provided, the script auto-detects the deployment ID from /api/v1/deployments.

Token setup

  1. Log in to semgrep.dev
  2. Go to Settings → Tokens
  3. Create a token with Web API scope
  4. export SEMGREP_APP_TOKEN=<token>

About

Report that shows criticals and highs for a project and summarizes them by OWASP category and CVE.
