add/update instructions for Secrets PR comments

docs/semgrep-appsec-platform/azure-pr-comments.md

@@ -13,6 +13,8 @@ tags:
 import DeploymentJourney from "/src/components/concept/_deployment-journey.mdx"
 import CommentTriggers from "/src/components/reference/_comment-triggers.mdx"
 import PrCommentsInSast from "/src/components/procedure/_pr-comments-in-sast.mdx"
+import PrCommentsInSecrets from "/src/components/procedure/_pr-comments-in-secrets.mdx"
+import DisableComments from "/src/components/procedure/_disable_ssc_pr_mr_comments.mdx"
 import TroubleshootingPrLinks from "/src/components/reference/_troubleshooting-pr-links.mdx"
 import NextAfterComments from "/src/components/procedure/_next-after-comments.mdx"
 import CommentsInSupplyChain from "/src/components/concept/_comments-in-supply-chain.md"
@@ -101,11 +103,14 @@ steps:
 ```
 </details>
 
+### Configure comments for Semgrep Secrets
+
+<PrCommentsInSecrets name="Azure" comment_type="PR" />
+
 ### Configure comments for Semgrep Code
 
 <PrCommentsInSast name="Azure" comment_type="PR" />
 
-
 ### Configure comments for Semgrep Supply Chain
 
 <CommentsInSupplyChain />

docs/semgrep-appsec-platform/bitbucket-cloud-pr-comments.md

@@ -19,6 +19,8 @@ import NextAfterComments from "/src/components/procedure/_next-after-comments.md
 import CommentTriggers from "/src/components/reference/_comment-triggers.mdx"
 import ReceiveCommentsScm from "/src/components/procedure/_receive-comments-scm.mdx"
 import PrCommentsInSast from "/src/components/procedure/_pr-comments-in-sast.mdx"
+import PrCommentsInSecrets from "/src/components/procedure/_pr-comments-in-secrets.mdx"
+import DisableComments from "/src/components/procedure/_disable_ssc_pr_mr_comments.mdx"
 import CommentsInSupplyChain from "/src/components/concept/_comments-in-supply-chain.md"
 
 <!-- vale on -->
@@ -185,6 +187,10 @@ pipelines:
 
 <PrCommentsInSast name="Bitbucket" comment_type="PR" />
 
+### Configure comments for Semgrep Secrets
+
+<PrCommentsInSecrets name="Bitbucket" comment_type="PR" />
+
 ### Configure comments for Semgrep Supply Chain
 
 <CommentsInSupplyChain />

docs/semgrep-appsec-platform/bitbucket-data-center-pr-comments.md

@@ -19,6 +19,8 @@ import NextAfterComments from "/src/components/procedure/_next-after-comments.md
 import CommentTriggers from "/src/components/reference/_comment-triggers.mdx"
 import ReceiveCommentsScm from "/src/components/procedure/_receive-comments-scm.mdx"
 import PrCommentsInSast from "/src/components/procedure/_pr-comments-in-sast.mdx"
+import PrCommentsInSecrets from "/src/components/procedure/_pr-comments-in-secrets.mdx"
+import DisableComments from "/src/components/procedure/_disable_ssc_pr_mr_comments.mdx"
 import CommentsInSupplyChain from "/src/components/concept/_comments-in-supply-chain.md"
 
 <!-- vale on -->
@@ -59,10 +61,18 @@ Confirm that you have the correct connection and access:
 
 <PrCommentsInSast name="Bitbucket" comment_type="PR" />
 
+### Configure comments for Semgrep Secrets
+
+<PrCommentsInSecrets name="Bitbucket" comment_type="PR" />
+
 ### Configure comments for Semgrep Supply Chain
 
 <CommentsInSupplyChain />
 
+## Disable PR comments for Supply Chain findings
+
+<DisableComments />
+
 ## Next steps
 
 <NextAfterComments />

docs/semgrep-appsec-platform/github-pr-comments.md

@@ -17,6 +17,7 @@ import DisplayTaintedDataIntro from "/src/components/concept/_semgrep-code-displ
 import CommentTriggers from "/src/components/reference/_comment-triggers.mdx"
 import TroubleshootingPrLinks from "/src/components/reference/_troubleshooting-pr-links.mdx"
 import PrCommentsInSast from "/src/components/procedure/_pr-comments-in-sast.mdx"
+import PrCommentsInSecrets from "/src/components/procedure/_pr-comments-in-secrets.mdx"
 import DefineConnectionVariables from "/src/components/reference/_define-connection-variables.mdx"
 import ReceiveCommentsScm from "/src/components/procedure/_receive-comments-scm.mdx"
 import NextAfterComments from "/src/components/procedure/_next-after-comments.mdx"
@@ -83,6 +84,10 @@ For GitHub Actions users, no further steps need to be undertaken. Continue setti
 
 If you are using **GitHub Actions** to run Semgrep, no extra changes are needed to receive PR comments.
 
+### Configure comments for Semgrep Secrets
+
+<PrCommentsInSecrets name="GitHub" comment_type="PR" />
+
 ### Configure comments for Semgrep Supply Chain
 
 <CommentsInSupplyChain />

docs/semgrep-appsec-platform/gitlab-mr-comments.md

@@ -17,6 +17,7 @@ import DisplayTaintedDataIntro from "/src/components/concept/_semgrep-code-displ
 import CommentTriggers from "/src/components/reference/_comment-triggers.mdx"
 import TroubleshootingPrLinks from "/src/components/reference/_troubleshooting-pr-links.mdx"
 import PrCommentsInSast from "/src/components/procedure/_pr-comments-in-sast.mdx"
+import PrCommentsInSecrets from "/src/components/procedure/_pr-comments-in-secrets.mdx"
 import DefineConnectionVariables from "/src/components/reference/_define-connection-variables.mdx"
 import DeploymentJourney from "/src/components/concept/_deployment-journey.mdx"
 import ReceiveCommentsScm from "/src/components/procedure/_receive-comments-scm.mdx"
@@ -121,6 +122,10 @@ If you're using Semgrep with multiple GitLab groups, ensure that you've complete
 
 <PrCommentsInSast name="GitLab" comment_type="MR" />
 
+### Configure comments for Semgrep Secrets
+
+<PrCommentsInSecrets name="GitLab" comment_type="MR" />
+
 ### Configure comments for Semgrep Supply Chain
 
 <CommentsInSupplyChain />

src/components/procedure/_pr-comments-in-sast.mdx

@@ -7,10 +7,6 @@
     developers receive.
 - Ensure that only rules that meet your criteria, such as high severity or high confidence rules, produce comments visible to developers, reducing noise.
 
-:::info
-The following instructions are also applicable when enabling PR comments for Semgrep Secrets.
-:::
-
 #### Set rules to Comment or Block mode
 
 The following instructions let you customize what findings or security issues your developers see as comments in their PRs:

src/components/procedure/_pr-comments-in-secrets.mdx

@@ -0,0 +1,46 @@
+<span>
+  In addition to setting up the connection between Semgrep and {props.name}, you
+  must assign rules to Comment or Block mode. This customization enables you to:
+</span>
+
+- Manage the amount of {props.comment_type} comments your
+    developers receive.
+- Ensure that only rules that meet your criteria, such as high severity or high confidence rules, and result in findings involving valid secrets produce comments visible to developers, reducing noise.
+
+#### Set rules to Comment or Block mode
+
+The following instructions let you customize what findings or security issues your developers see as comments in their PRs:
+
+1. In Semgrep AppSec Platform, go to **Rules > Policies > Secrets**.
+1. Under **Modes <i class="fa-solid fa-gear"></i>**, you can see if you have existing rules in either Comment or Block mode. You can also use the filters to find rules you want to set to Comment or Block.
+1. Click the **<i class="fa-solid fa-square-check"></i> checkbox** of the rules you want to set. You can use <kbd>Ctrl + Click</kbd> to select rules in bulk.
+1. Click **Change modes**.
+1. Click either **Block** or **Comment**.
+
+<span>
+  You have successfully configured {props.comment_type} comments for Semgrep
+  Secrets.
+</span>
+
+#### Validation state policies
+
+Validation state policies allow you to define how Semgrep handles the following issues:
+
+- **Invalid findings**: the secret has been revoked, was never functional, or used for a custom or private endpoint that Semgrep can't communicate with. For example, a Semgrep rule that tests GitHub credentials may return an invalid finding if Semgrep can't communicate with an on-premise deployment.
+- **Validation errors**: Semgrep was unable to reach the secrets provider to test the validity of the credential, or Semgrep received an unexpected response from the API
+
+To edit the policy for invalid secrets and errors:
+
+1. In Semgrep AppSec Platform, go to **Rules > Policies > Secrets**.
+1. Click **Validation State Policies**.
+1. Choose the mode, either Comment or Block, that you want Semgrep to set for **Invalid findings**.
+1. Choose the mode, either Comment or Block, that you want Semgrep to set for **Validation errors**.
+
+:::tip
+
+<span>
+  Rules in <strong>Block mode</strong> fail the CI job that runs on the{" "}
+  {props.comment_type}. Depending on your workflow, this may prevent your{" "}
+  {props.comment_type} from merging.
+</span>
+:::

src/components/reference/_comment-triggers.mdx

@@ -2,7 +2,7 @@
 | --  | -- |  -- | --- |
 | Static application security testing (SAST) | Semgrep Code | A comment appears when a finding is generated by a rule in **Comment or Block mode**. This means you can fully customize what comments your developers receive. | Complete the steps in the following sections:<ol><li>[Confirm your Semgrep account's connection and access to your source code manager](#confirm-your-semgrep-accounts-connection).</li><li>[Configure comments for Semgrep Code](#configure-comments-for-semgrep-code).</li></ol> |
 | Software composition analysis (SCA) | Semgrep Supply Chain (SSC) | A comment appears based on the conditions you explicitly set in a [Supply Chain policy](/semgrep-supply-chain/policies) or when Semgrep detects a [license violation](/semgrep-supply-chain/license-compliance). | To receive Supply Chain comments, complete the steps in [Confirm account connection and access](#confirm-your-semgrep-accounts-connection) and [set up a policy](/semgrep-supply-chain/policies). <br /><br />To receive license violation comments, [enable dependency search](/semgrep-supply-chain/dependency-search#using-dependency-search).  |
-| Secrets | Semgrep Secrets | A comment appears on validated secrets. | This product is in beta.<br /> Contact [<i class="fa-regular fa-envelope"></i> [email protected]](mailto:support@semgrep.com) to enable comments.  |
+| Secrets | Semgrep Secrets | A comment appears when a finding is generated by a rule in **Comment or Block mode**. A comment also appears for invalid findings and validation errors if these conditions are set to **Comment or Block mode**. | Complete the steps in the following sections:<ol><li>[Confirm your Semgrep account's connection and access to your source code manager](#confirm-your-semgrep-accounts-connection).</li><li>[Configure comments for Semgrep Secrets](#configure-comments-for-semgrep-secrets).</li></ol>  |
 
 Comments from Supply Chain scans include the following information: