July 2025
The following updates were made to Semgrep in July 2025.
Semgrep AppSec Platform
Added
- Support for running Semgrep natively on Windows is now in public beta. This applies to running Semgrep through the CLI and an IDE such as Cursor, VS Code, and IntelliJ.
- Semgrep now includes a link to the GitHub pull request (PR) on the finding details page if you link a Semgrep finding in the PR you create.
- By default, diff-aware managed scans now have fail open enabled in the event a scan errors out or takes too long. This means that diff-aware scans are marked as successful on the pull request (PR) or merge request (MR), even if they haven't completed after the specified timeout, allowing you to make the Semgrep status check required in your source code manager (SCM) while not blocking someone from merging a PR or MR if the check encounters an unexpected issue or takes too long.
Changed
- General UI improvements, including style fixes.
Fixed
- Fixed an issue where you couldn't add a connection to GitHub Enterprise without an access token.
Semgrep Code
Added
- Semgrep now prints warnings for each `paths.include` and `paths.exclude` pattern found in rules that Semgrep considers ambiguous.
  - Example: a pattern containing a middle slash, such as `src/*.c`, is considered floating, or unanchored. To comply with `gitignore` and `semgrepignore` specifications, `src/*.c` must be treated as anchored. Semgrep prints a warning asking the user to resolve any ambiguity if it exists. The user is asked to change the `src/*.c` pattern to either `/src/*.c`, anchored, or `**/src/*.c`, floating.
- `HTTP{,S}_PROXY=...` now accepts URIs without a scheme, such as `HTTP_PROXY=domain.com:port`.
Fixed
- Fixed an issue where some diff-aware scans on shallow clones would use the incorrect merge base, resulting in a scan of commits that were not part of the pull request. Semgrep now determines the specific merge base to use when performing diff-aware scans.
- Fixed an issue where an empty file would sometimes be created in place of a missing input file.
- Fixed an issue where log files weren't succinct and introduced mid-entry newlines that broke log-parsing tools.
- Fixed an issue where the sign-in command didn't work.
- Fixed an issue where `CiScanComplete.dependencies` was populated with unparsed dependencies.
- Fixed an issue where error details weren't printed when a `SemgrepError` exception caused `semgrep` to fail.
- Semgrep now prints an error message and exits instead of silently exiting with code 2 when you run `semgrep scan` in a Docker container without an argument and there's no target project mounted under `/src`.
- Fixed an issue where a `Unix.Unix_error` would occasionally crash the experimental language server on startup.
- Fixed an issue where scans of large repositories in debug mode resulted in overly large logs.
- Path filters, such as `paths.exclude` and `paths.include` in rules, now apply to normalized file paths relative to the project root. This makes rule selection independent of the current working directory.
- Patterns with a leading slash, such as `/src`, are now anchored instead of floating. For example, `exclude: [ "/src" ]` excludes the target file `src/main.c`, but not `misc/src/main.c`.
- Java: deprecated the `class $A` partial class pattern in favor of `class $A { ... }`.
- Python: Fixed an issue where the Python parser didn't correctly parse and handle valid structural dictionary patterns.
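The anchoring rules behind the path-filter entries above (the ambiguity warning for a middle slash, and a leading slash or `**/` prefix deciding anchored versus floating), as an added Python example that is not Semgrep's own code. Function names and the warning wording are my own; the matching semantics follow the gitignore interpretation the notes describe, where `*` never crosses a directory separator and a match on a directory selects everything beneath it.

```python
import re


def classify(pattern: str) -> str:
    """Classify a paths.include/paths.exclude glob by gitignore/semgrepignore rules.
    anchored  : leading '/', matched from the project root only
    floating  : no slash (or only a trailing one) or a '**/' prefix; matches at any depth
    ambiguous : a middle slash with neither '/' nor '**/' in front; the spec anchors it,
                but users often expect it to float, hence the warning
    """
    if pattern.startswith("/"):
        return "anchored"
    if pattern.startswith("**/"):
        return "floating"
    return "ambiguous" if "/" in pattern.rstrip("/") else "floating"


def ambiguity_warning(pattern: str):
    """Warning text for an ambiguous pattern (wording is my own), else None."""
    if classify(pattern) != "ambiguous":
        return None
    return (f"pattern '{pattern}' has a middle slash and is treated as anchored; "
            f"write '/{pattern}' (anchored) or '**/{pattern}' (floating) instead")


def _glob_to_regex(glob: str) -> str:
    """Translate a gitignore-style glob: '*' and '?' stop at '/', '**' does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out.append("(?:.*/)?")  # zero or more directory components
            i += 3
        elif glob.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            c = glob[i]
            out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
            i += 1
    return "".join(out)


def matches(pattern: str, path: str) -> bool:
    """True if `pattern` selects `path` (project-relative, no leading slash)."""
    body = pattern.strip("/")
    core = _glob_to_regex(body)
    if classify(pattern) == "floating" and not body.startswith("**/"):
        core = "(?:.*/)?" + core  # floating: may start after any directory
    # ambiguous patterns fall through as anchored, which is what the spec mandates;
    # a match on a directory name selects everything below it
    return re.fullmatch(core + "(?:/.*)?", path) is not None
```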
Semgrep Supply Chain
Added
- Supply Chain support for PHP reachability analysis is now generally available (GA).
- You can now use the Upgrade guidance filter to look for findings based on whether upgrading to the dependency that remediates the vulnerability introduces breaking changes or not.
- Beginning with Semgrep v1.127.0, `uv` is a supported package manager for Dependency Paths. This means that `uv` is a supported package manager across all Supply Chain features.
Semgrep Assistant
Added
- You can now see which memories were used by Assistant when it generated remediation guidance for a specific finding. Semgrep displays this information on the finding details page.
Semgrep Secrets
Added
- Added the ability to send Slack notifications for Secrets findings.
- Semgrep now makes up to three attempts when validating Amazon Web Services (AWS) credentials that failed due to possibly transient reasons.
Documentation and knowledge base
Added
- Added the following knowledge base articles:
Fixed
- Minor fixes, including fixes to broken link anchors.