API Client Credentials
In order to integrate with Semgrep, you’ll need a set of API Client credentials. The following steps guide you through the credentials creation process.
- To create your API Client credentials, log in to your Semgrep organisation, click on “Settings” on the left-hand menu and then select “Tokens”.

- Then click on “API tokens” in the top-left corner of the page and press the blue “Create new token” button.

- In the creation form enter the following details:
  - Secrets name – general name for token type.
  - Secrets value – copy this and save it to be used to integrate the scanner on the Phoenix platform.
  - Token scopes – select Web API.
  - Name – the display name of the token on the Semgrep website.
Copy these credentials to a safe location since you will need them later to configure the integration in Phoenix Security. Please remember that this is the last time that you will have access to the Secret – you can still see the Client ID and Base URL in the API clients list page.

- Click on “Save” to confirm the API client configuration. At this point, you will see a pop-up with the details of the API credentials.

Create a Semgrep Scanner Integration
- On the sidebar menu, navigate to the Scanners tab in the Integrations section.

- Scroll down to SAST or SCA/FOSS scanners and hover your mouse over the Semgrep scanner template. Then click on the template to add the scanner.

- On the next step of the process, enter the credentials created in the first part of this guide.
  - Scanner Name: The name of the scanner to appear on the Phoenix platform.
  - Server URL: The API Root URL for your data centre – if left empty, it will default to https://semgrep.dev
  - API key: The value you saved earlier, labelled “Secrets value” in the Semgrep Tokens section.

- Click on the ‘Next’ button.
- Select whether to fetch vulnerabilities from all repositories accessible to the Access Token, or to choose which ones to include or exclude.

- Then click on “Create scanner” to complete the process.
Unless there are issues with the credentials, the new scanner will appear in your list of integrations (under Integrations > Scanners) and the platform will start to collect asset and vulnerability details from the selected repositories (available through the choose targets to fetch section).
All the scanner’s assets and vulnerabilities will be automatically added to your account’s Default Application, and can then be assigned to user-created Applications as required.
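
A pre-flight check for the API key before it is entered in the scanner form, as an added example that is not part of the original guide or of Semgrep's or Phoenix Security's own code. It assumes the Semgrep Web API lists deployments at `/api/v1/deployments` with Bearer authentication; the environment variable names `SEMGREP_SERVER_URL` and `SEMGREP_API_TOKEN` are hypothetical.

```python
import json
import os
import urllib.error
import urllib.request


def normalize_server_url(server_url):
    """Apply the default; refuse non-HTTPS, since the token is a bearer secret."""
    url = (server_url or "").strip().rstrip("/") or "https://semgrep.dev"  # guide's default
    if not url.lower().startswith("https://"):
        raise ValueError("Server URL must use https://")
    return url


def build_request(server_url, token):
    """Assumption: deployments are listed at /api/v1/deployments with Bearer auth."""
    token = (token or "").strip()
    if not token:
        raise ValueError("empty token")
    url = normalize_server_url(server_url) + "/api/v1/deployments"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})


def interpret(status, body):
    """Map an HTTP status and body to (ok, message); the token is never echoed."""
    if status != 200:  # 401/403 mean the token was rejected
        return False, "HTTP %d: check the token value and its Web API scope" % status
    try:
        deployments = json.loads(body).get("deployments") or []
        names = [str(d.get("name", "?")) for d in deployments if isinstance(d, dict)]
    except (ValueError, AttributeError, TypeError):
        return False, "unexpected response body"
    return bool(names), "deployments visible: " + (", ".join(names) or "none")


def check_token(server_url, token):
    try:
        with urllib.request.urlopen(build_request(server_url, token), timeout=10) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret(err.code, b"")
    except (urllib.error.URLError, ValueError) as err:
        return False, "check failed: %s" % err


if __name__ == "__main__":
    # Hypothetical variable names; the environment keeps the secret out of shell history.
    ok, message = check_token(os.environ.get("SEMGREP_SERVER_URL"), os.environ.get("SEMGREP_API_TOKEN"))
    print(message)
    raise SystemExit(0 if ok else 1)
```

A non-zero exit status means the key would also fail in the scanner form, so it can be corrected or regenerated before the integration is created.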