[TEC-605] Update docs to clarify Claude Code auth and enterprise tokens#2683
[TEC-605] Update docs to clarify Claude Code auth and enterprise tokens#2683abhijna wants to merge 8 commits into
Conversation
abhijna
commented
Jun 26, 2026
- A subject matter expert reviews the content
- A technical writer reviews the PR
|
Preview deployment for your docs. Learn more about Mintlify Previews.
|
…e-code-auth-and-enterprise
…-and-enterprise' of github.com:semgrep/semgrep-docs into abhijna/tec-605-update-docs-to-clarify-claude-code-auth-and-enterprise
khorne3
left a comment
There was a problem hiding this comment.
Approving as-is, but consider using tabs (i.e., one for Claude users and one for everyone else) for the info you're adding, so readers don't switch back and forth between the two sets of info. If you opt to add this this time around, I'd be happy to re-review.
|
|
||
| Semgrep Guardian integrates natively with AI coding agents like Claude Code and Cursor to catch security issues before they ship. It bundles the Semgrep MCP server, Hooks, and Skills into a single install, and scans every file an agent generates using Semgrep Code, Supply Chain, and Secrets. When findings are detected, the agent is prompted to regenerate code until Semgrep returns clean results or you choose to dismiss them. | ||
|
|
||
| Claude Code uses Semgrep's hosted remote server and authenticates through OAuth, so developers don't need to install or run the Semgrep CLI. Every other supported IDE runs Semgrep through a locally installed CLI. See [Authentication](#authentication) for details on sign-in and enterprise rollout. |
There was a problem hiding this comment.
I think a better place for this might be as the introductory paragraph of the Authentication section; I don't think it needs to be at the very top and we'd remove a link
|
|
||
| Guardian stores credentials in two local files under `~/.semgrep/`: | ||
|
|
||
| * `settings.yml`: written when you sign in through `semgrep login` or set an API token manually. This is the same file the Semgrep CLI uses. |
There was a problem hiding this comment.
| * `settings.yml`: written when you sign in through `semgrep login` or set an API token manually. This is the same file the Semgrep CLI uses. | |
| * `settings.yml`: written to when you sign in through `semgrep login` or set an API token manually. This is the same file the Semgrep CLI uses. |
I don't know if this is correct, so feel free to ignore if you disagree
| Guardian stores credentials in two local files under `~/.semgrep/`: | ||
|
|
||
| * `settings.yml`: written when you sign in through `semgrep login` or set an API token manually. This is the same file the Semgrep CLI uses. | ||
| * `guardian.yml`: written when you sign in through OAuth in the remote Claude Code plugin. |
There was a problem hiding this comment.
| * `guardian.yml`: written when you sign in through OAuth in the remote Claude Code plugin. | |
| * `guardian.yml`: written to when you sign in through OAuth in the remote Claude Code plugin. |
Same as above
|
|
||
| If you are already logged in through `semgrep login`, Guardian can use the credentials from `settings.yml`. For the remote Claude Code plugin, Guardian checks for OAuth credentials in `guardian.yml` first. If OAuth credentials are present, Guardian uses them instead of any API token in `settings.yml`. | ||
|
|
||
| At startup, Guardian fetches its default authentication method from Semgrep's remote server. OAuth is currently the default for users who are not yet signed in. This setting is global and not configurable per user. |
There was a problem hiding this comment.
I think it makes a bit more sense if you switch this paragraph's location with the paragraph above
|
|
||
| To sign in with the legacy API-token method in Claude Code, ask the Guardian MCP to log in to Semgrep using the legacy method. | ||
|
|
||
| <Note> |