Skip to content

[TEC-605] Update docs to clarify Claude Code auth and enterprise tokens#2683

Open
abhijna wants to merge 8 commits into
mainfrom
abhijna/tec-605-update-docs-to-clarify-claude-code-auth-and-enterprise
Open

[TEC-605] Update docs to clarify Claude Code auth and enterprise tokens#2683
abhijna wants to merge 8 commits into
mainfrom
abhijna/tec-605-update-docs-to-clarify-claude-code-auth-and-enterprise

Conversation

@abhijna

@abhijna abhijna commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator
  • A subject matter expert reviews the content
  • A technical writer reviews the PR

@abhijna abhijna self-assigned this Jun 26, 2026
@mintlify

mintlify Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
semgrep-docs 🟢 Ready View Preview Jun 26, 2026, 10:58 AM

abhijna added 2 commits July 7, 2026 14:41
…-and-enterprise' of github.com:semgrep/semgrep-docs into abhijna/tec-605-update-docs-to-clarify-claude-code-auth-and-enterprise

@khorne3 khorne3 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving as-is, but consider using tabs (i.e., one for Claude users and one for everyone else) for the info you're adding, so readers don't switch back and forth between the two sets of info. If you opt to add this this time around, I'd be happy to re-review.

Comment thread docs/guardian.mdx

Semgrep Guardian integrates natively with AI coding agents like Claude Code and Cursor to catch security issues before they ship. It bundles the Semgrep MCP server, Hooks, and Skills into a single install, and scans every file an agent generates using Semgrep Code, Supply Chain, and Secrets. When findings are detected, the agent is prompted to regenerate code until Semgrep returns clean results or you choose to dismiss them.

Claude Code uses Semgrep's hosted remote server and authenticates through OAuth, so developers don't need to install or run the Semgrep CLI. Every other supported IDE runs Semgrep through a locally installed CLI. See [Authentication](#authentication) for details on sign-in and enterprise rollout.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a better place for this might be as the introductory paragraph of the Authentication section; I don't think it needs to be at the very top and we'd remove a link

Comment thread docs/guardian.mdx

Guardian stores credentials in two local files under `~/.semgrep/`:

* `settings.yml`: written when you sign in through `semgrep login` or set an API token manually. This is the same file the Semgrep CLI uses.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `settings.yml`: written when you sign in through `semgrep login` or set an API token manually. This is the same file the Semgrep CLI uses.
* `settings.yml`: written to when you sign in through `semgrep login` or set an API token manually. This is the same file the Semgrep CLI uses.

I don't know if this is correct, so feel free to ignore if you disagree

Comment thread docs/guardian.mdx
Guardian stores credentials in two local files under `~/.semgrep/`:

* `settings.yml`: written when you sign in through `semgrep login` or set an API token manually. This is the same file the Semgrep CLI uses.
* `guardian.yml`: written when you sign in through OAuth in the remote Claude Code plugin.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `guardian.yml`: written when you sign in through OAuth in the remote Claude Code plugin.
* `guardian.yml`: written to when you sign in through OAuth in the remote Claude Code plugin.

Same as above

Comment thread docs/guardian.mdx

If you are already logged in through `semgrep login`, Guardian can use the credentials from `settings.yml`. For the remote Claude Code plugin, Guardian checks for OAuth credentials in `guardian.yml` first. If OAuth credentials are present, Guardian uses them instead of any API token in `settings.yml`.

At startup, Guardian fetches its default authentication method from Semgrep's remote server. OAuth is currently the default for users who are not yet signed in. This setting is global and not configurable per user.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes a bit more sense if you switch this paragraph's location with the paragraph above

Comment thread docs/guardian.mdx

To sign in with the legacy API-token method in Claude Code, ask the Guardian MCP to log in to Semgrep using the legacy method.

<Note>

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants