🌐 Semgrep AppSec Platform​

Added​

• CLI:
  • Added the --x-mem-policy flag to configure the OCaml garbage collector. Options are aggressive (the default), which uses less memory at the cost of longer scan times, or balanced, which compromises heap memory reclaiming while limiting how often the garbage collector runs. This flag is available only for Pro users.
• MCP:
  • Hooks for both Claude Code and Cursor now pull custom rules from the Semgrep Registry.
  • Enabled DNS rebinding protection for the MCP server.

Changed​

• Improved the accuracy of taint tracking through assignments, which helps reduce the number of false positive findings.
• The Network Broker configuration screen now allows only one public key, preventing users from adding multiple keys, which Semgrep does not support.
• The CWE tooltip message on a finding's Details page now displays the CWE name associated with the finding instead of a generic CWE name.
• Improved the performance of Findings page filters.
• Minor cosmetic changes to the Findings page.
• CLI:
  • Bumped glom to version 23.3.
  • The CLI waits longer before retrying a request if it receives a HTTP 429 or 5xx response from Semgrep.
  • Minor cosmetic changes to the Scan Summary section of the Semgrep CLI response.
  • Blocking findings are now labelled in the CLI response.

Fixed​

• Fixed an issue where claiming a license caused Semgrep AppSec Platform to crash.
• Fixed an issue where the Projects page didn't display findings counts if the previous scan failed.
• Fixed an issue where the Semgrep Editor crashed when viewing metadata for select rules.
• Fixed an issue where Semgrep returned more false negatives when the maximum number of fields to track per object was reached during scans.
• Fixed an issue that allowed authors of pull requests or merge requests to update project tags by changing the .semgrepconfig.yml file. Project tags can now be updated only on full scans.
• CLI: fixed an issue where Semgrep printed info log lines when --trace was passed, but not --debug.

💻 Semgrep Code​

Added​

• Added experimental support for the OpenFGA authorization language.
• Added support for case-insensitive string comparisons using lower() and upper():

  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  

• Scala: added taint flow support for for-yield:

  def test(x: X) = {
    for {
      y <- foo(x)
      z <- bar(y)
    } yield {
      z
    }
  }
  

Fixed​

• Scala: fixed a parsing issue where subsequent calls in an implicit block weren't considered to be in the same scope:

  def f (a: t) =
    foo()
    bar()
  

⛓️ Semgrep Supply Chain​

Added​

• You can now pass environmental variables to third-party package managers using SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object, as part of the dependency resolution process invoked by --allow-local-builds.

Changed​

• The CVE links on the Supply Chain Findings page now link to specific Advisories pages instead of a general NIST definition of the security issue.

Fixed​

• Fixed an issue that prevented the Enable Supply Chain toggle from working.
• Fixed an issue that prevented the Dependency filter on the Supply Chain Findings page from returning all results.

🤖 Semgrep Assistant​

Changed​

• The feedback dialog for auto-triage now allows you to provide comments in addition to selecting whether you agree or disagree with the recommendation.

Fixed​

• Added the following missing values to the Findings pages' Assistant file risk level filter: High risk > cryptography, Low risk > observability, and Low risk > sample code.

🔐 Semgrep Secrets​

Fixed​

• Fixed an issue where custom secrets couldn't be added to a policy if multiple policies are active.

📝 Documentation and knowledge base​

Added​

• Added information:
  • Managing and using Semgrep access tokens
  • Re-running Semgrep Managed Scans

Changed​

• Major updates to Usage and billing.
• Reorganized the Supported languages information.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in February 2026:
  • 1.153.0
  • 1.152.0
  • 1.151.0

🌐 Semgrep AppSec Platform​

Added​

• You must now authenticate through OAuth when connecting to the MCP server using Streamable HTTP.
• CLI:
  • Improved the performance of scan planning by reducing the cost of re-hashing Target objects. Semgrep's performance improvement on scans of large projects is proportional to the number of files in the project.
  • In --debug mode, Semgrep warns you if you attempt to run a parallel scan with a larger value for -j/--jobs than the number of CPUs Semgrep has detected as available for use.
  • Semgrep now provides a suggested starting value for -j/--jobs.
  • semgrep login now supports the use of --force, which ignores existing tokens and starts a new login session.

Changed​

• Semgrep AppSec Platform's Findings page displays more descriptive rule group names, and the Finding Details page displays more descriptive rule names. For example, sequelize-express is now SQL injection in Sequelize with Express.
• The MCP server no longer supports SSE transport.
• CLI:
  • Semgrep's CLI tool now uses uv instead of pipenv for package management.
  • semgrep ci no longer applies autofixes to local projects, even if the Suggest autofixes toggle in Semgrep AppSec Platform is turned on.

Fixed​

• Fixed an issue where time filters didn't return the correct findings.
• Fixed an issue where Semgrep didn't consistently select the same findings across scans when deduplicating findings. Previously, the selected findings were always equivalent, but they weren't guaranteed to be identical. For example, the findings' metavariable bindings could differ. Depending on the rule used and the target code, this behavior could cause the fingerprints of findings to change from one scan to another.
• Fixed an issue where email addresses used for SSO were case sensitive.
• Fixed an issue where Semgrep AppSec Platform displayed non-shared GitLab projects for the group.

💻 Semgrep Code​

Fixed​

• Improved the handling of parsing errors during interfile analysis. These errors are now reported to you and included in the JSON output.
• Fix an issue resulting in bad file descriptor errors when performing Git operations on Windows machines.
• Java: improved virtual method resolution.
• Python: Dataflow analysis now accounts for for/else and while/else loops.
• Scala: improved virtual method resolution.

⛓️ Semgrep Supply Chain​

Added​

• Semgrep’s reachability analysis now covers all critical and high severity CVEs from supported sources starting in 2017 across all supported languages.
• Diff-aware scans are now faster because Git-untracked files no longer slow down subproject discovery.
• Added support for Gradle lockfiles of the form gradle*.lockfile. Previously, only files with the exact name gradle.lockfile were supported.

Changed​

• Dependency search now allows you to search for one or more packages using:
  • The name of the package
  • An exact version number
  • A range of version numbers

Fixed​

• Improved the performance of Supply Chain scans by reducing pre-computation when printing scan status information. Note that less information is displayed if there are no rules to run.
• Fixed an issue with version range matching for npm packages where the version number contained a pre-release identifier, such as -alpha in 1.2.3-alpha.

🤖 Semgrep Assistant​

Added​

• Members can now create suggested memories for Assistant when triaging findings in Semgrep AppSec Platform. Previously, only admins could do so.

Fixed​

• Fixed an issue where code suggestions that involved removing code didn't render in the diff correctly.

📝 Documentation and knowledge base​

• Minor updates and fixes.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in January 2026:
  • v1.147.0
  • v1.148.0
  • v1.149.0
  • v1.150.0

🌐 Semgrep AppSec Platform​

Added​

• Added a new Priority tab on Findings page to display high-priority findings. Each product has default priority categories, and Semgrep admins can customize the Priority tab to control which findings appear. Admins can save Priority tab filters for all users.
• Added a new Provisionally ignored finding status.
• Commit author emails now appear in the finding's Details when available.

Changed​

• The Findings page now has improved navigation and more intuitive links. The code path now opens the finding's Details page, and an in-product tour introduces the new layout.
• On the Projects page, project names now link directly to project details, making it easier to access scan information from the project list.
• On the finding's Details page, when no ticketing integration is configured, the Fix drop-down now includes a prominent link to the relevant Integration settings page.
• The Settings page has been reorganized to highlight commonly used features and make it easier to find what you need.
• The triage-by-comment setting is now available in the Settings > Global section, making it easier to manage across products.
• When SSO is enabled, the Semgrep AppSec Platform now shows warnings for social authentication in Settings > Access > Login methods and highlights users using social auth in Settings > Users, helping admins identify and reduce security risks.
• Newly created users who sign in with SSO are now added only to the default deployment, reducing unintended access in multi-deployment organizations.
• Activating or deactivating SSO and other authentication providers now shows more user-friendly success and partial-failure messages.
• The Today section on the Reporting page now uses the same priority definitions as the Findings page, including any custom priority settings.
• The Guardrails chart now shows provisionally ignored findings instead of the previous Filtered by Assistant field, providing a more complete view of findings excluded from the default list of Open findings.
• User search on the Manage users page has been simplified. You can now search by email, username, or ID using a single search field, without selecting the search type first.

Fixed​

• Fixed incorrect tab selection during navigation so the correct tab is now highlighted when viewing pages under the project path.
• Fixed IdP-initiated SAML login issues. You can now sign in successfully using IdP-initiated SAML.
• Fixed Assistant triage actions for read-only users. Read-only users can no longer record agreement with Assistant analysis, and the activity timeline now reflects only actions taken by users with triage permissions.
• Fixed an issue where the Connect button remains disabled when adding a new GitHub Enterprise connection.
• Fixed an issue where the Save and Reset buttons appear only when you’ve modified filters or have saved views to manage.
• Fixed CNAPP visibility for non-admin users. Users with access to findings can now see CNAPP integration status, ensuring CNAPP filters and descriptions display correctly.
• Fixed an issue where the Users page did not reset when changing the search query.
• Fixed an issue where the Teams search bar was unusable when adding users or projects.
• Fixed an issue preventing custom OpenAI API keys from being saved.
• When a scan is running, the Analyze button on the finding's Details page is now disabled and displays an explanatory tooltip on why this is the case.
• Fixed several issues with Findings page filters:
  • The Save and Reset buttons only appear when you've modified the filters or have saved views to manage.
  • Changes to time-based filters persist.
  • Team filters now appear only when RBAC is enabled, ensuring filters reflect your deployment’s access controls.

💻 Semgrep Code​

Changed​

• Git Large File Storage (LFS) objects are excluded from baseline scans. Files tracked with Git LFS are no longer scanned during baseline runs, avoiding large or binary files that are not supported by Semgrep.

Fixed​

• Fixed an issue where findings in files that time out or fail to scan were set to a status of Fixed, ensuring scan results more accurately reflect what was actually analyzed.
• Fixed validation failures for valid rules. Rules that include emoji in the message field now validate correctly.
• Fixed an interfile scan timeout regression, restoring the previous default job behavior to prevent unexpected timeout changes.
• Fixed an issue with duplicate scans triggered by GitHub pull request updates. Semgrep now processes pull request update events only once, preventing duplicate scans for the same change.

⛓️ Semgrep Supply Chain​

Added​

• The Advisories page now shows impacted projects and branches. You can now click on an advisory to see affected projects and branches and use quick links to go directly to relevant findings.
• Added new High severity reachability rules to improve vulnerability detection for Java, Kotlin, and Scala projects that use Maven.
• Added symbol analysis support for Supply Chain–only scans when calling semgrep ci.

Changed​

• The Dependencies page's License filter now supports the section of multiple license types, so you can view dependencies that are Allowed, Blocked, and Commented at the same time.

Fixed​

• Fixed project filtering on the Dependencies page such that filtering by multiple projects now works as expected, and the search field clears correctly after you select a project.
• Fixed symbol analysis to analyze only relevant language files per ecosystem during Supply Chain scans.
• Fixed CVE filter chip labeling for shared rules such that filter chips now show all applicable CVEs instead of only the first.
• Fixed missing findings in advisory filters. Advisory filters now correctly show all existing findings.
• Fixed project selection in Supply Chain filters, allowing you to select multiple projects as expected when filtering results.

🤖 Semgrep Assistant​

Added​

• Added support for Cursor post-generation hooks, enabling Semgrep to integrate with Cursor workflows after code generation.
• Assistant memories now include links to the pull request or merge request comments where triage decisions were made, improving traceability back to the original source.

Changed​

• Pull request comments for findings generated using Semgrep-authored rules now include Assistant-generated explanations to help developers understand the findings. The summary message can be expanded to show additional details.
• Findings in Semgrep AppSec Platform now include Assistant-generated explanations to clarify why a rule matched your code and a concise summary, if available.
• Assistant notifications now show more specific error messages, helping you understand why an analysis could not run.
• When multiple rules share the same name, the full rule path is now shown in Semgrep AppSec Platform to help distinguish them.

Fixed​

🔐 Semgrep Secrets​

Changed​

• Semgrep Secrets findings are now assigned a severity of Critical. This applies to Secrets findings from scans performed after November 2025. Any existing findings from those rules will be updated to Critical after the project's next full scan.

Fixed​

• Fixed an issue with configuring Slack notifications for Secrets policies. Selecting a Slack channel no longer causes the page to crash, and configurations now save successfully.

📝 Documentation and knowledge base​

Added​

• Improved API documentation for Ruleboards and Policies. The API docs have been updated to correctly display request parameters in the request body and hide path parameters, making it easier to understand and use these endpoints.

🔧 OSS Engine​

Changed​

• Semgrep’s Docker image now uses Alpine Linux 3.23

• The following versions of the OSS Engine were released in December 2025:
  • 1.145.0
  • 1.146.0

🌐 Semgrep AppSec Platform​

Added​

• Cortex and Sysdig integrations are now generally available. Semgrep now uses deployment status and, for Cortex, internet-exposure data from these CNAPP providers to better prioritize findings.
• The Settings > General tab now displays all Semgrep product settings on a single page.
• Added the ability for non-admin users to complete the Semgrep GitHub App installation process using an install-request link. This ensures that private GitHub App installations can proceed, even when the initiating user lacks org admin permissions.
• Added a new Validate button and improved connection status visibility for CNAPP integrations. You can now see the validation state, last successful sync time, and clearer error conditions directly in Semgrep AppSec Platform.
• You can now update and delete customizable and saved views using the API. The endpoint returns a 404 if the view does not exist.
• Added support for filtering projects by status, including setup, uninitialized, and archived, in the Projects API endpoints, enabling more precise control when retrieving project lists.
• Added support for filtering projects by status, including setup, uninitialized, and archived, in the Projects API endpoints, enabling more precise control when retrieving project lists.
• Added missing fields commit and enabled_products to the GetScan v2 API response to achieve parity with v1 and ensure you receive complete scan metadata.
• Added support for updating a project's primary branch through the Public API v2, enabling parity with the v1 Projects API endpoint.
• Added support to the Public API for mutating project tags, enabling automated workflows to add, remove, or update tags on projects.

Changed​

• The API tokens and CLI tokens tabs under Settings → Tokens are now paginated, significantly improving page load speed for teams with many tokens.

Fixed​

• Fixed several issues with RBAC team-based filtering that caused you to see incorrect repository or findings access in certain deployments. You should now see correct repository and findings access based on their team permissions.
• Fixed an issue where the self-service checkout flow failed with an "Unrecognized enum value" error when starting a billing upgrade. You can now successfully initiate checkout sessions again.
• Fixed an issue where Jira automations persisted after deleting the Jira integration. Automations are now deleted when the integration is removed.
• Fixed an issue with the Settings pages where some searches resulted in no results on later pages.
• Fixed an issue where organization admins could not see projects without team assignments when RBAC was enabled. All projects now correctly appear in the Projects page for admins.
• Fixed an authorization issue in Network Broker key management.
• Fixed an issue where GitLab merge-base requests were serialized incorrectly, causing errors or inconsistent diff detection for GitLab users.
• Fixed an issue where rule descriptions on the Findings page used a fixed width. Descriptions now scale responsively again.
• Fixed an issue where GitHub SSO orgs using personal GitHub accounts made unnecessary calls to GitHub during user sync.
• Fixed an issue where new CNAPP integrations displayed an incorrect error state in Semgrep AppSec Platform.
• Fixed an issue where opening the scan's Details reset existing URL filters. Semgrep now preserves all active filters when you navigate to the Details page.
• Removed the ability for users to remove their own access in Access Control.
• You can no longer click the Run a new scan buttons on the Projects list and Project Details pages if you disable Managed Scans for the project.

💻 Semgrep Code​

Added​

• MCP: added the -k / --hook flag to enable Semgrep scans from Claude Code Agent post-tool hooks.
• Go: enabled taint tracking across goroutines, improving detection accuracy in Go projects.

Changed​

• Semgrep now uses your source code manager to determine changes between branches during a scan. If you're using Network Broker, you must upgrade to benefit from this improvement if you are on GitLab self-managed v0.36.0 or earlier or GitHub Enterprise v0.31.0 or earlier.

Fixed​

• The progress bar for semgrep scan and semgrep ci now consistently reaches 100%.
• Rust: Fixed missing type alias translations so that Semgrep can correctly match the () type in type declarations.
• Scala: Fixed several issues with Scala match-expression handling in dataflow analysis, improving accuracy.

⛓️ Semgrep Supply Chain​

Added​

• Malicious dependency detection is now generally available. Semgrep detects malicious packages, including malware, typosquatting, and credential-stealing dependencies, using over 80,000 rules.
• Added a toggle in Supply Chain settings that allows you to disable malicious dependency rules. This provides an opt-out for teams who prefer not to run these rules or who encounter performance issues.
• Added a new checkbox in the Jira Customize ticket creation dialog that allows teams to automatically create tickets for malicious dependency findings on any branch.

Fixed​

• Semgrep AppSec Platform now displays the correct severity for Supply Chain findings, resolving a mismatch with automations and the CLI. Some existing findings may show updated severities, but policies and Jira workflows are unaffected.
• Fixed an issue that caused Supply Chain scans to fail when encountering newer manifest types.
• Fixed an issue where searches for dependencies only filtered the first page of results. Dependency filters now correctly return complete, accurate results.
• Fixed inaccurate dependency and lockfile counts in Supply Chain pages.

🤖 Semgrep Assistant​

Added​

• You can now see rule and analysis explanations on the finding’s Details page. When a finding is classified as a true or false positive, an alert appears, and a detailed explanation is available in the Finding description tab. For true positives, it includes code context and threat-model rationale; for false positives, it includes reasoning only.

Changed​

• Assistant now automatically analyzes all new Critical and High severity findings with Medium or High confidence in full scans, removing the previous 10-issue limit.

Fixed​

• Removed outdated warning text from the Assistant autofix.
• Fixed an issue where agreeing with an auto-triage verdict incorrectly marked findings as ignored. Findings are now only auto-ignored when user assigns it as a False Positive.

📝 Documentation and knowledge base​

Added​

• Added the following knowledge base articles:
  • Semgrep Managed Scans doesn't run for pull requests in GitHub merge queues
  • Why does the Projects page display a different dependency count from the Dependencies page?

🔧 OSS Engine​

Added​

• The following versions of the OSS Engine were released in November 2025:
  • 1.143.0
  • 1.144.0

🌐 Semgrep AppSec Platform​

Added​

• Semgrep Managed Scanning is now generally available. With Managed Scans, you can add repositories to your Semgrep organization in bulk without changing your existing CI workflows, and integrate Semgrep into developer workflows through PR or MR comments.
• Added a Remember my email checkbox to the SSO login page.
• Added the ability to change the name of Teams.
• The Semgrep CLI is now compatible with machines running Python 3.14.

Changed​

• The Scan details page now updates the URL with a permalink for easier sharing when viewed.
• Semgrep's Docker image base has been upgraded from Alpine Linux 3.21 to 3.22.
• semgrep/semgrep images now ship with Go 1.24.
• Improved performance by preventing unnecessary data fetches when scan details aren’t needed.

Fixed​

• Fixed an issue where filtering findings using project tags doesn't return results.
• Invalid CLI tokens now produce a clear error instead of a malformed success message.

💻 Semgrep Code​

Added​

• Semgrep Code findings now show Assistant's true or false positive analyses more prominently, along with which memories Assisted used during analysis. The findings also present the threat model for specific security issues in the context of the code, along with a summary of each issue.
• The /setup_semgrep_mcp command now supports Claude Code.

Changed​

• Temporary files created for rule checks are cleaned up after scans.
• The rule validation check now includes a language check to ensure that only valid languages are used, preventing invalid rules from being added to policies.

Fixed​

• Fixed an issue where some scans terminated with exit code 7.
• MCP:
  • Fixed tool calls failing for some models, such as GPT-5.
  • Fixed a bug where resource closure errors occurred when trying to use the MCP with the streamable-http transport method.

⛓️ Semgrep Supply Chain​

Added​

• Supply Chain's reachability analysis now covers all high-severity CVEs from supported sources starting from 2017 for Go packages.

Fixed​

• Supply Chain subproject resolution table is now shown in the CLI output after a scan, even when no subprojects were successfully resolved.
• UV lockfiles that include editable and local dependencies without versions are now parsed correctly. The unversioned dependencies are ignored.
• Failures to parse UV lockfiles are now correctly reported as Failed rather than Unsupported.

🤖 Semgrep Assistant​

Added​

• Added a new filter for AI component tags with No decision, allowing users to find findings analyzed by the Assistant, but not classified as low or high risk.

Changed​

• Assistant's rule generation functionality in Semgrep AppSec Platform has been deprecated.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in October 2025:
  • v1.142.0
  • v1.141.0
  • v1.140.0

🌐 Semgrep AppSec Platform​

Added​

• Added the ability to filter Secrets findings by branch.
• Added a confirmation pop-up when switching between the Production and Pre-production views.

Changed​

• Jira: the Semgrep Jira integration now automatically creates Jira tickets for Semgrep Code and Semgrep Secrets findings with a critical severity level.

Fixed​

• Jira: Team information now loads when the user attempts to map to the Team custom field.
• Supply Chain's Advisories filter now filters based on the correct field.
• Fixed the handling of invalid GitHub refresh tokens. If a user's GitHub refresh token is invalid, Semgrep prompts the user to log in again.
• Minor UI fixes.

💻 Semgrep Code​

Added​

• Added the semgrep mcp subcommand to the Semgrep CLI tool, which runs the Semgrep MCP server.
• Improved pre-filtering for taint rules, primarily when taint labels are used.
• Scala: Added support for method dispatching through traits.
• TypeScript: improved name resolution for destructuring parameters.

Changed​

• The Semgrep MCP server repository has been moved from semgrep/mcp to semgrep/semgrep.
• Updated semgrep-interfaces to accept only valid language keys for rules in Semgrep Editor.
• Semgrep now filters SEMGREP_APP_TOKEN from any request made to non-Semgrep URLs passed to -f/-c/--config when fetching configurations and rules.
• Python: Fixed an issue involving the resolution of implicit namespace modules.
• TypeScript:
  • Fixed an issue where the pattern var $X = $FUNC($REQ, $RES, ...) {...} didn't parse correctly.
  • Improved the performance of tsconfig.json matching for TypeScript projects that contain multiple tsconfig.json files.

Fixed​

• Glob patterns containing \# or \ in .semgrepignore and included .gitignore files are now interpreted correctly.
• Updated opentelemetry-* packages to remove pkg_resources is deprecated warnings.
• Dart: Fixed an issue in language processing to return better results.

⛓️ Semgrep Supply Chain​

Added​

• Supply Chain's reachability analysis now covers all high severity CVEs from supported sources starting from 2017 for JavaScript packages.

🔐 Semgrep Secrets​

Added​

• Slack notifications for Semgrep Secrets is now publicly available.

📝 Documentation and knowledge base​

Added​

• Added instructions for connecting Semgrep to GitHub Enterprise Cloud with data residency.
• Added the following knowledge base articles:
  • Why can't I access my Semgrep organization after logging in with GitHub?
  • Why are my projects showing a status of "Not yet started" after I enable Managed Scans?
  • Remove users from your Semgrep AppSec Platform organization

🔧 OSS Engine​

• The following versions of the OSS Engine were released in September 2025:
  • 1.135.0
  • 1.136.0
  • 1.137.0
  • 1.138.0

🌐 Semgrep AppSec Platform​

Changed​

• Jira:
  • The labels Malicious Dependency and Non-malicious Vulnerability have been changed to Malicious Dependency and Not Malicious, respectively.
  • Jira tickets created for malicious dependency findings now include more prominent visuals, such as bolded rule messages, to help them stand out from other reachable findings.
  • The maximum number of findings associated with a specific Jira ticket has increased from 50 to 75.
• You can now connect to your GitHub repositories without needing to contact Semgrep Support, even if you don't use GitHub as your SSO provider with Semgrep.
• You can now view a project's details page while the scan is still in progress.

Fixed​

• Semgrep now maintains connectivity to repositories that you move from one GitHub organization to another.
• Bitbucket pull request comments from Semgrep now display with correct formatting.

💻 Semgrep Code​

Added​

• Added support for interfile analysis for Scala projects.
• Added a timeout to Semgrep's internal HTTP requests to prevent remote endpoints from indefinitely hanging the Semgrep engine.
• Improved pre-filtering for interfile rules enables the Semgrep engine to detect and skip unnecessary interfile rules earlier in the scan process.
• When a segmentation fault is encountered, Semgrep now displays backtraces with function names, filenames, and line numbers when available.
• PHP:
  • When enabling the option taint_assume_safe_booleans, the return values of boolval, is_bool, and || are considered safe.
  • When enabling taint_assume_safe_numbers, the return values of intval, floatval, +, -, *, /, and % are considered safe.

Changed​

• Semgrep scans no longer attempt to parse tsconfig files for non-TypeScript scans.
• CLI: the --json output of Semgrep's CLI now includes a time field or time object with profiling data.

Fixed​

• Fixed incorrect YAML parsing of strings like nan, where the strings were interpreted as a float instead of a string.
• Fixed a bug that prevented taint tracking through new in Java projects.
• Semgrep now substitutes metavariables for their values in a deterministic order to ensure keys for match-based IDs are stable.
• Error messages are logged, but not displayed as pop-ups in IDEs.

⛓️ Semgrep Supply Chain​

Added​

• Supply Chain's reachability analysis now covers all high and critical severity CVEs in Python packages from supported sources starting 2017 and onward.
• Supply Chain policies now support the exclusion of conditions. For example, you can define a condition such as When Reachability is not Always reachable.

🤖 Semgrep Assistant​

Added​

• Added support for the use of custom AWS Bedrock keys.

🔐 Semgrep Secrets​

Added​

• Semgrep now logs the amount of time required for the HTTP request to complete when validating Secrets in the debug logs.

Changed​

• Semgrep Secrets no longer allows more than 256 outstanding validations at any given time.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in August 2025:
  • v1.134.0
  • v1.133.0
  • v1.132.0

🌐 Semgrep AppSec Platform​

Added​

• Support for running Semgrep natively on Windows is now in public beta. This applies to running Semgrep through the CLI and an IDE such as Cursor, VS Code, and IntelliJ.
• Semgrep now includes a link to the GitHub pull request (PR) on the finding details page if you link a Semgrep finding in the PR you create.
• By default, diff-aware managed scans now have fail open enabled in the event a scan errors out or takes too long. This means that diff-aware scans are marked as successful on the pull request (PR) or merge request (MR), even if they haven't completed after the specified timeout, allowing you to make the Semgrep status check required in your source code manager (SCM) while not blocking someone from merging a PR or MR if the check encounters an unexpected issue or takes too long.

Changed​

• General UI improvements, including style fixes.

Fixed​

• Fixed an issue where you couldn't add a connection to GitHub Enterprise without an access token.

💻 Semgrep Code​

Added​

• Semgrep now prints warnings for each paths.include and paths.exclude pattern found in rules that Semgrep considers ambiguous.
  • Example: a pattern containing a middle slash, such as src/*.c, is considered floating, or unanchored. To comply with gitignore and semgrepignore specifications, src/*.c must be treated as anchored. Semgrep prints a warning asking the user to resolve any ambiguity if it exists. The user is asked to change the src/*.c pattern to either /src/*.c, anchored, or **/src/*.c, floating. HTTP{,S}_PROXY=... now accepts URIs without a scheme, such as HTTP_PROXY=domain.com:port.

Fixed​

• Fixed an issue where some diff-aware scans on shallow clones would use the incorrect merge base, resulting in a scan on commits not a part of the pull request. This is because Semgrep now considers the specific merge base to use when performing diff-aware scans.
• Fixed an issue where an empty file would sometimes be created in place of a missing input file.
• Fixed an issue where log files weren't succinct and introduced mid-entry newlines that broke log-parsing tools.
• Fixed an issue where the sign in command didn't work.
• Fixed an issue where CiScanComplete.dependencies were populated with unparsed dependencies.
• Fixed an issue where error details weren't printed when an SemgrepError exception caused semgrep to fail.
• Semgrep now prints an error message and exits instead of silently exiting with code 2 when you run semgrep scan in a Docker container without an argument, and there's no target project mounted under /src.
• Fixed an issue where a Unix.Unix_error would occasionally crash the experimental language server on startup.
• Fixed an issue where scans of large repositories in debug mode resulted in overly large logs.
• Path filters, such as paths.exclude and paths.include in rules, now apply to normalized file paths relative to the project rule. This makes rule selection independent of the current work folder.
• Patterns with a leading slash, such as /src, are now anchored instead of floating. For example, exclude: [ "/src" ] excludes the target file src/main.c, but not misc/src/main.c
• Java: deprecated the class $A partial class pattern in favor of class $A { ... }.
• Python: Fixed an issue where the Python parser didn't correctly parse and handle valid structural dictionary patterns.

⛓️ Semgrep Supply Chain​

Added​

• Supply Chain support for PHP reachability analysis is now generally available (GA).
• You can now use the Upgrade guidance filter to look for findings based on whether upgrading to the dependency that remediates the vulnerability introduces breaking changes or not.
• Beginning with Semgrep v1.127.0, uv is a supported package manager for Dependency Paths. This means that uv is a supported package manager across all Supply Chain features.

🤖 Semgrep Assistant​

Added​

• You can now see which memories were used by Assistant when it generated remediation guidance for a specific finding. Semgrep displays this information on the finding details page.

🔐 Semgrep Secrets​

Added​

• Added the ability to send Slack notifications for Secrets findings.
• Semgrep now makes up to three attempts when validating Amazon Web Services (AWS) credentials that failed due to possibly transient reasons.

📝 Documentation and knowledge base​

Added​

• Added the following knowledge base articles:
  • Learn how to search for, filter for, and sort findings in Semgrep AppSec Platform
  • Learn how to automate private rules deployment using the Semgrep API
  • Learn why the count of findings differs across various pages in Semgrep AppSec Platform

Fixed​

• Minor fixes, including fixes to broken link anchors.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in July 2025:
  • 1.131.0
  • 1.130.0
  • 1.128.0

🌐 Semgrep AppSec Platform​

Added​

• You can now customize PR and MR comments to provide additional context to the comments generated by Semgrep.
• Rules validation is now parallelized to improve performance when Semgrep scans use many rule files.
• Semgrep now respects ALL_PROXY, HTTP_PROXY, HTTPS_PROXY, NO_PROXY, PROXY_USERNAME, and PROXY_PASSWORD for all networking, including networking done through the OCaml components. Additionally, the environment variable OCAML_EXTRA_CA_CERTS now allows additional CA certificates to be used for network operations done by OCaml components.

Changed​

• The Sign up and Log in page has been redesigned.
• The Finding details page has been redesigned and unified across all Semgrep products.
• The Settings > Deployment page in Semgrep AppSec Platform has been removed and reorganized into a General page that features sub-tabs for individual uses and Semgrep products.
• Search and pagination on the Settings > Source code managers page have been improved, resulting in better load times and smoother navigation.
• Restored links to the same finding on other branches on the finding's details pages.
• Jira:
  • Semgrep AppSec Platform now displays information about Jira ticket creation in the Activity section of the Finding details page. You can check if a ticket was successfully created or if an error occurred during ticket creation.
  • Semgrep organization members can now create Jira tickets for findings.

Fixed​

• Fixed an issue where semgrep ci logs in GitLab return incorrect URLs with the wrong &ref=... argument.
• Fixed an issue where Semgrep Managed Scan was enabled on projects tagged as local_scan.
• Fixed an issue where scan logs show that pull request or merge request comments were successfully posted when the comments were not posted.
• Fixed an issue where Semgrep AppSec Platform did not account for community seats when calculating license usage.
• nosemgrep ignore comments no longer require exactly one leading space, allowing for more commenting styles.
• The Semgrep findings returned by the Semgrep Language Server (LSP) are now sorted correctly based on their location within files. This benefits the Semgrep IDE extensions, including VSCode and IntelliJ.
• Various UI fixes.

💻 Semgrep Code​

Added​

• Added type inference for mod, floor division, and pow.

Changed​

• JSON output now includes basic profiling data.

Fixed​

• Fixed an issue where taint rules that use the experimental feature labels and specify sinks with a requires: of the form not A could produce findings with an empty list of traces, potentially causing Semgrep to crash.
• Fixed an issue where the empty Python fstring f"" wasn't matched by the pattern ....
• Fixed an issue where a multiplication expression of int isn't considered an int.
• Fixed an issue where 2 * groups isn't considered an int when groups is an int.
• Go: fixed an issue where case statements with ellipses didn't match patterns correctly.
• JavaScript: fixed an issue where JavaScript autofix code suggestions break syntax for if statements by consuming parentheses.
• Python: fixed a regression that could cause naming to take a disproportionate amount of time, significantly slowing down scans.
• TypeScript: fixed an issue with stack overflow and out-of-memory issues when parsing TypeScript configurations.

⛓️ Semgrep Supply Chain​

Added​

• Support for PHP reachability is now in public beta, which means that Semgrep offers 98% coverage for Critical severity issues, plus some coverage for High severity issues.
• You can now customize Supply Chain policies using CVEs as a filtering condition.
• Policies now accept custom CVE options to allow the selection of CVEs for which there are no current findings associated.
• Scan logs now report dependency resolution errors that result from local builds by default.
• Added the reporting of subproject dependency resolution to JSON output.
• C#:
  • Dependency Paths for C# projects using NuGet are now in public beta.
  • Dependency parsing now handles dependencies with Project transitivities.
  • Semgrep can scan NuGet codebases without the need for a lockfile. This feature is in public beta.

Changed​

• The filter for malicious dependency findings are now included in the existing Reachability filter.

Fixed​

• Fixed an issue where missing version constraints in yarn.lock descriptors caused parsing errors.
• Fixed an issue where packages were misidentified by adding support for npm aliasing in package-lock.json.
• Fixed an issue where Jira tickets weren't created for some Supply Chain findings.
• Fixed an issue where archived repositories were accidentally scanned by Semgrep Managed Scans for Supply Chain findings.
• Semgrep no longer parses build.gradle.kts files as build.gradle.

🤖 Semgrep Assistant​

Added​

• Memories can now be scoped to a rule's vulnerability class, which are the same groupings that exist on the policies page.
• Organization members can suggest memories for approval by admins.
• Semgrep now sends out emails with information about suggested memories, how many findings each memory affects, and the links to review the memories in Semgrep AppSec Platform.

Changed​

• Organization members can now see memories in addition to admins.
• Active memories now display the name of the person who authored the triage note that Assistant used to create the memory.
• Memories created by Semgrep are now labeled as created by Assistant.

Fixed​

• Fixed an issue where changes made to the Allowed AI providers dialog weren't saved.

🔐 Semgrep Secrets​

Added​

• You can now create memories for generic secrets, allowing you to create and apply custom rules for secret detection through Assistant.

Fixed​

• Fixed an issue where files excluded in .semgrepignore were also applied to Secrets scans. Semgrep now scans files that have been excluded from Code and Supply Chain scans for leaked secrets.

📝 Documentation and knowledge base​

Added​

• Enable source code manager code access
• Run a successful proof-of-value (POV) trial with Semgrep
• Knowledge base: Search, filter, and sort findings in Semgrep AppSec Platform

Fixed​

Minor corrections and typo fixes.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in June 2025:
  • v1.124.0
  • v1.125.0
  • v1.126.0
  • v1.127.0

🌐 Semgrep AppSec Platform​

Added​

• Semgrep AppSec Platform now displays OWNERS information in addition to CODEOWNERS information on the Finding Details pages. This information is also available through the Semgrep API.
• Added the ability to triage a finding directly from Open to Reviewing on the Finding Details page.
• Jira: added the ability to map to EPSS categories when creating Jira tickets.

Changed​

• Semgrep AppSec Platform now displays distinct login and signup pages.
• SSO email logins are now case insensitive.
• Semgrep in CI output now shows per-product links depending on what Semgrep products are enabled for a scan.

Fixed​

• Fixed an issue where Analyze, Ignore, and Fix options were available when the finding had previously been marked as Fixed or Removed.
• Fixed an issue where GitHub Enterprise users were incorrectly redirected to GitHub.com repository URLs.
• Jira:
  • Fixed an issue where Semgrep didn't handle default Jira values correctly, leading to tickets not being created.
  • Fixed an issue where Jira tickets weren't being created due to a Semgrep Assistant auto-triage lookup error.
• CLI:
  • Fixed --help documentation to reflect that, for --metrics="auto", pseudoanonymous metrics are sent when the user is logged in.
• Assorted UI fixes, including fixes to incorrect line breaks and typo corrections.

💻 Semgrep Code​

Fixed​

• Fixed a bug introduced in Semgrep 1.120.0 causing cross-file analyses to run out of memory due to too many parallel jobs. The default setting had been accidentally set to the number of available CPUs which is often too much in cross-file mode. It's now back to -j1, which you can override.
• CLI: Fixed a bug where --disable-nosem was not sending findings from nosem-annotated lines of code to Semgrep AppSec Platform. --disable-nosem now correctly sends findings, if any, from nosem-annotated lines, to the Platform.

⛓️ Semgrep Supply Chain​

Added​

• Java and Kotlin: Projects can now be scanned without lockfiles through Semgrep Managed Scans.
• Semgrep can now scan composer.lock files for the licenses of PHP dependencies. Through this feature, you can configure Semgrep to block or leave a comment on pull requests or merge requests, depending on the license of the dependency that the PR or MR is adding. This feature is enabled by default and runs on full and diff-aware Supply Chain scans.
• Policies: Added No reachability analysis as a policy condition.
• Improved handling of tsconfig.json in instances where multiple, separately rooted source directories with their own tsconfig.json configurations were previously treated as a single project. These directories are now treated as their own TypeScript project, which should result in better name/module resolution.
• Improved handling of include,exclude and files properties in tsconfig.json. Projects that use more than one tsconfig file in a given directory, which apply to different sets of files under that directory, should see improvements in name/module resolution.
• Python: Added support for uv package manager.

Changed​

• Scanning without the need for lockfiles is now in private beta for select programming languages.
• Improved the Supply Chain UX in various pages:
  • If the finding has a function call that proves the finding is reachable, this function call is highlighted in the code in the finding's Details page.
  • Added context in PR comments as to why a finding is reachable, under the section Why this is reachable. This alerts developers to the impact of a reachable finding.
  • Improved how filters are presented in the Supply Chain > Vulnerabilities page.
  • Unreachable findings are hidden by default from the findings list.
• Improved Supply Chain scan output and logging.

Fixed​

• Semgrep now scans large manifests and lockfiles, which were previously ignored due to Semgrep's default file size filtering. This ensures that your lockfiles can be scanned for dependencies and their relationships. This fixes a regression introduced in 1.117.0.
• Fixed a bug where Supply Chain reachability rules which match multiple dependencies could produce reachable findings on transitive dependencies even when the actually used direct dependency was not vulnerable.
• Various minor fixes to the Supply Chain UI.

🤖 Semgrep Assistant​

Added​

• The Assistant Memories feature is now in public beta:
  • Managing memories in Semgrep AppSec Platform now occurs under Rules & Policies, not Settings.
  • Semgrep AppSec Platform displays data on the scope and impact of memories, including the number of findings affected and which findings affected
  • Assistant now provides suggested memories, which are those that Assistant has generated based on your past triage actions. You can view these memories at any time in Semgrep AppSec Platform by navigating to Rules & Policies > Assistant Memories > Suggested. For each suggestion, you can choose one of the following actions:
    • Activate the suggested memory to inform Assistant's future advice.
    • Edit the memory, then activate it.
    • Delete the memory.
• Users now see error messages providing specific reasons why a finding can't be analyzed. For example, local scans and scans from projects without code access can't be analyzed.

Fixed​

• Fixed an issue where Assistant's suggested fixes weren't displaying in Semgrep AppSec Platform.
• Fixed an issue where findings displayed the Agree and ignore option for Assistant auto-triage feedback, even when Agree and ignore wasn't a valid option, resulting in errors.

🔐 Semgrep Secrets​

Changed​

• Improved performance of Semgrep Secret scans due to back-end updates.

📝 Documentation and knowledge base​

Added​

• Added the following new documents, articles and sections:
  • Glossary for Semgrep Secrets
  • Scan for generic secrets
  • Supported source code managers
• Added the following knowledge base articles:
  • Why do the findings count differ in the API and the Semgrep AppSec Platform UI?
• Created dedicated pages for popular programming languages. These pages detail features that Semgrep supports for that language.
• Minor additions to various documentation.

Changed​

• Updated the header and footer to provide more Semgrep learning materials.
• Updated instructions on how to add support for a language to Semgrep.
• Minor updates to various documentation.

Fixed​

• Corrected errors in Semgrep CE CI/CD snippets, thank you to @Nirusu for the contribution.
• Corrected wording issues in Semgrep for developers > How Semgrep works, thank you to @timmeinerzhagen for the contribution.

🔧 Semgrep Community Edition (CE)​

The following versions of Semgrep CE were released in May 2025:

• 1.121.0
• 1.122.0
• 1.123.0