June 2025
ยท 6 min read
๐ Semgrep AppSec Platformโ
Addedโ
- You can now customize PR and MR comments to provide additional context to the comments generated by Semgrep.
- Rules validation is now parallelized to improve performance when Semgrep scans use many rule files.
- Semgrep now respects
ALL_PROXY,HTTP_PROXY,HTTPS_PROXY,NO_PROXY,PROXY_USERNAME, andPROXY_PASSWORDfor all networking, including networking done through the OCaml components. Additionally, the environment variableOCAML_EXTRA_CA_CERTSnow allows additional CA certificates to be used for network operations done by OCaml components.
Changedโ
- The Sign up and Log in page has been redesigned.
- The Finding details page has been redesigned and unified across all Semgrep products.
- The Settings > Deployment page in Semgrep AppSec Platform has been removed and reorganized into a General page that features sub-tabs for individual uses and Semgrep products.
- Search and pagination on the Settings > Source code managers page have been improved, resulting in better load times and smoother navigation.
- Restored links to the same finding on other branches on the finding's details pages.
- Jira:
- Semgrep AppSec Platform now displays information about Jira ticket creation in the Activity section of the Finding details page. You can check if a ticket was successfully created or if an error occurred during ticket creation.
- Semgrep organization members can now create Jira tickets for findings.
Fixedโ
- Fixed an issue where
semgrep cilogs in GitLab return incorrect URLs with the wrong&ref=...argument. - Fixed an issue where Semgrep Managed Scan was enabled on projects tagged as
local_scan. - Fixed an issue where scan logs show that pull request or merge request comments were successfully posted when the comments were not posted.
- Fixed an issue where Semgrep AppSec Platform did not account for community seats when calculating license usage.
nosemgrepignore comments no longer require exactly one leading space, allowing for more commenting styles.- The Semgrep findings returned by the Semgrep Language Server (LSP) are now sorted correctly based on their location within files. This benefits the Semgrep IDE extensions, including VSCode and IntelliJ.
- Various UI fixes.
๐ป Semgrep Codeโ
Addedโ
- Added type inference for
mod, floor division, andpow.
Changedโ
- JSON output now includes basic profiling data.
Fixedโ
- Fixed an issue where taint rules that use the experimental feature labels and specify sinks with a
requires:of the formnot Acould produce findings with an empty list of traces, potentially causing Semgrep to crash. - Fixed an issue where the empty Python fstring
f""wasn't matched by the pattern.... - Fixed an issue where a multiplication expression of
intisn't considered anint. - Fixed an issue where
2 * groupsisn't considered anintwhengroupsis anint. - Go: fixed an issue where
casestatements with ellipses didn't match patterns correctly. - JavaScript: fixed an issue where JavaScript autofix code suggestions break syntax for
ifstatements by consuming parentheses. - Python: fixed a regression that could cause naming to take a disproportionate amount of time, significantly slowing down scans.
- TypeScript: fixed an issue with stack overflow and out-of-memory issues when parsing TypeScript configurations.
โ๏ธ Semgrep Supply Chainโ
Addedโ
- Support for PHP reachability is now in public beta, which means that Semgrep offers 98% coverage for Critical severity issues, plus some coverage for High severity issues.
- You can now customize Supply Chain policies using CVEs as a filtering condition.
- Policies now accept custom CVE options to allow the selection of CVEs for which there are no current findings associated.
- Scan logs now report dependency resolution errors that result from local builds by default.
- Added the reporting of subproject dependency resolution to JSON output.
- C#:
- Dependency Paths for C# projects using NuGet are now in public beta.
- Dependency parsing now handles dependencies with
Projecttransitivities. - Semgrep can scan NuGet codebases without the need for a lockfile. This feature is in public beta.
Changedโ
- The filter for malicious dependency findings are now included in the existing Reachability filter.
Fixedโ
- Fixed an issue where missing version constraints in
yarn.lockdescriptors caused parsing errors. - Fixed an issue where packages were misidentified by adding support for npm aliasing in package-lock.json.
- Fixed an issue where Jira tickets weren't created for some Supply Chain findings.
- Fixed an issue where archived repositories were accidentally scanned by Semgrep Managed Scans for Supply Chain findings.
- Semgrep no longer parses
build.gradle.ktsfiles asbuild.gradle.
๐ค Semgrep Assistantโ
Addedโ
- Memories can now be scoped to a rule's vulnerability class, which are the same groupings that exist on the policies page.
- Organization members can suggest memories for approval by admins.
- Semgrep now sends out emails with information about suggested memories, how many findings each memory affects, and the links to review the memories in Semgrep AppSec Platform.
Changedโ
- Organization members can now see memories in addition to admins.
- Active memories now display the name of the person who authored the triage note that Assistant used to create the memory.
- Memories created by Semgrep are now labeled as created by Assistant.
Fixedโ
- Fixed an issue where changes made to the Allowed AI providers dialog weren't saved.
๐ Semgrep Secretsโ
Addedโ
- You can now create memories for generic secrets, allowing you to create and apply custom rules for secret detection through Assistant.
Fixedโ
- Fixed an issue where files excluded in
.semgrepignorewere also applied to Secrets scans. Semgrep now scans files that have been excluded from Code and Supply Chain scans for leaked secrets.
๐ Documentation and knowledge baseโ
Addedโ
- Enable source code manager code access
- Run a successful proof-of-value (POV) trial with Semgrep
- Knowledge base: Search, filter, and sort findings in Semgrep AppSec Platform
Fixedโ
Minor corrections and typo fixes.