# June 2025
The following updates were made to Semgrep in June 2025.
## Semgrep AppSec Platform

### Added
- You can now customize PR and MR comments to provide additional context to the comments generated by Semgrep.
- Rules validation is now parallelized to improve performance when Semgrep scans use many rule files.
- Semgrep now respects `ALL_PROXY`, `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`, `PROXY_USERNAME`, and `PROXY_PASSWORD` for all networking, including networking done through the OCaml components. Additionally, the environment variable `OCAML_EXTRA_CA_CERTS` now allows additional CA certificates to be used for network operations done by OCaml components.
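As an added illustration of the proxy settings above (a constructed example, not from the Semgrep changelog or Semgrep's own documentation), here is a GitLab CI job that runs `semgrep ci` behind an egress proxy that terminates TLS with a private CA. The `semgrep/semgrep` image and the `SEMGREP_APP_TOKEN` variable are the documented ones; the proxy hostname, the `NO_PROXY` list, the CA bundle path, and the assumption that `OCAML_EXTRA_CA_CERTS` takes the path of a PEM bundle are placeholders and assumptions of this example.

```yaml
# Added example: GitLab CI job running Semgrep through an egress proxy.
# Hostnames, paths and the NO_PROXY list are placeholders; adjust to your network.
semgrep:
  image: semgrep/semgrep
  variables:
    # The token is read from a masked CI/CD variable, never written into the pipeline file.
    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
    # Egress proxy, honoured by both the Python CLI and the OCaml engine.
    HTTP_PROXY: "http://proxy.internal.example:3128"
    HTTPS_PROXY: "http://proxy.internal.example:3128"
    # Keep the self-hosted GitLab instance off the proxy so MR comments and
    # git operations reach it directly (a leading dot covers the whole domain).
    NO_PROXY: "localhost,127.0.0.1,.internal.example"
    # Assumption: path to a PEM bundle holding the proxy's private root CA,
    # baked into or mounted into the runner image.
    OCAML_EXTRA_CA_CERTS: /etc/ssl/certs/corp-root-ca.pem
  script:
    - semgrep ci
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

If the proxy requires authentication, supply `PROXY_USERNAME` and `PROXY_PASSWORD` as masked CI/CD variables rather than embedding credentials in the proxy URL, where they would end up in job logs.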
### Changed
- The Sign up and Log in page has been redesigned.
- The Finding details page has been redesigned and unified across all Semgrep products.
- The Settings > Deployment page in Semgrep AppSec Platform has been removed and reorganized into a General page that features sub-tabs for individual uses and Semgrep products.
- Search and pagination on the Settings > Source code managers page have been improved, resulting in better load times and smoother navigation.
- Restored links to the same finding on other branches on the finding's details pages.
- Jira:
  - Semgrep AppSec Platform now displays information about Jira ticket creation in the Activity section of the Finding details page. You can check if a ticket was successfully created or if an error occurred during ticket creation.
  - Semgrep organization members can now create Jira tickets for findings.
### Fixed
- Fixed an issue where `semgrep ci` logs in GitLab return incorrect URLs with the wrong `&ref=...` argument.
- Fixed an issue where Semgrep Managed Scan was enabled on projects tagged as local_scan.
- Fixed an issue where scan logs show that pull request or merge request comments were successfully posted when the comments were not posted.
- Fixed an issue where Semgrep AppSec Platform did not account for community seats when calculating license usage.
- `nosemgrep` ignore comments no longer require exactly one leading space, allowing for more commenting styles.
- The Semgrep findings returned by the Semgrep Language Server (LSP) are now sorted correctly based on their location within files. This benefits the Semgrep IDE extensions, including VSCode and IntelliJ.
- Various UI fixes.
## Semgrep Code

### Added
- Added type inference for `mod`, floor division, and `pow`.

### Changed
- JSON output now includes basic profiling data.
### Fixed
- Fixed an issue where taint rules that use the experimental feature labels and specify sinks with a `requires:` of the form `not A` could produce findings with an empty list of traces, potentially causing Semgrep to crash.
- Fixed an issue where the empty Python f-string `f""` wasn't matched by the pattern `...`.
- Fixed an issue where a multiplication expression of `int` isn't considered an `int`.
- Fixed an issue where `2 * groups` isn't considered an `int` when `groups` is an `int`.
- Go: fixed an issue where `case` statements with ellipses didn't match patterns correctly.
- JavaScript: fixed an issue where JavaScript autofix code suggestions break syntax for `if` statements by consuming parentheses.
- Python: fixed a regression that could cause naming to take a disproportionate amount of time, significantly slowing down scans.
- TypeScript: fixed an issue with stack overflow and out-of-memory issues when parsing TypeScript configurations.
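As an added illustration of the taint-label fix listed above (a constructed rule, not from the Semgrep changelog or the Semgrep rule registry), here is a taint rule using the experimental `label` and `requires` keys with a negated requirement on the sink. The rule id, the source and sink patterns, and the label names are placeholders chosen for this example; the `label`/`requires` keys themselves are the experimental Semgrep taint-label syntax.

```yaml
# Added example: taint rule with labels and a negated sink requirement.
# Patterns and label names are placeholders; the feature is experimental.
rules:
  - id: example-unvalidated-input-reaches-shell   # constructed id, not a registry rule
    mode: taint
    languages: [python]
    severity: WARNING
    message: Untrusted input reaches os.system() without passing through validate()
    pattern-sources:
      # Data coming from the request carries the USER_INPUT label.
      - pattern: request.args.get(...)
        label: USER_INPUT
      # validate($X) adds the VALIDATED label, but only to data that was already USER_INPUT.
      - pattern: validate($X)
        label: VALIDATED
        requires: USER_INPUT
    pattern-sinks:
      # Flag only flows that are tainted and were never validated.
      - pattern: os.system(...)
        requires: USER_INPUT and not VALIDATED
```

The `not VALIDATED` clause is the kind of negated requirement the fix refers to; combining it with a positive label (`USER_INPUT and ...`) keeps the sink anchored to an actual source so every finding carries a dataflow trace.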
## Semgrep Supply Chain

### Added
- Support for PHP reachability is now in public beta, which means that Semgrep offers 98% coverage for Critical severity issues, plus some coverage for High severity issues.
- You can now customize Supply Chain policies using CVEs as a filtering condition.
- Policies now accept custom CVE options to allow the selection of CVEs for which there are no current findings associated.
- Scan logs now report dependency resolution errors that result from local builds by default.
- Added the reporting of subproject dependency resolution to JSON output.
- C#:
  - Dependency Paths for C# projects using NuGet are now in public beta.
  - Dependency parsing now handles dependencies with `Project` transitivities.
  - Semgrep can scan NuGet codebases without the need for a lockfile. This feature is in public beta.

### Changed
- The filter for malicious dependency findings is now included in the existing Reachability filter.

### Fixed
- Fixed an issue where missing version constraints in `yarn.lock` descriptors caused parsing errors.
- Fixed an issue where packages were misidentified by adding support for npm aliasing in package-lock.json.
- Fixed an issue where Jira tickets weren't created for some Supply Chain findings.
- Fixed an issue where archived repositories were accidentally scanned by Semgrep Managed Scans for Supply Chain findings.
- Semgrep no longer parses `build.gradle.kts` files as `build.gradle`.

## Semgrep Assistant

### Added
- Memories can now be scoped to a rule's vulnerability class, the same grouping that is used on the policies page.
- Organization members can suggest memories for approval by admins.
- Semgrep now sends out emails with information about suggested memories, how many findings each memory affects, and the links to review the memories in Semgrep AppSec Platform.
### Changed
- Organization members can now see memories in addition to admins.
- Active memories now display the name of the person who authored the triage note that Assistant used to create the memory.
- Memories created by Semgrep are now labeled as created by Assistant.
### Fixed
- Fixed an issue where changes made to the Allowed AI providers dialog weren't saved.
## Semgrep Secrets

### Added
- You can now create memories for generic secrets, allowing you to create and apply custom rules for secret detection through Assistant.
### Fixed
- Fixed an issue where files excluded in `.semgrepignore` were also excluded from Secrets scans. Semgrep now scans files that have been excluded from Code and Supply Chain scans for leaked secrets.

## Documentation and knowledge base

### Added
- Enable source code manager code access
- Run a successful proof-of-value (POV) trial with Semgrep
- Knowledge base: Search, filter, and sort findings in Semgrep AppSec Platform
### Fixed
Minor corrections and typo fixes.