Skip to main content

May 2025

ยท 6 min read

The following updates were made to Semgrep in May 2025.

๐ŸŒ Semgrep AppSec Platformโ€‹

Addedโ€‹

  • Semgrep AppSec Platform now displays OWNERS information in addition to CODEOWNERS information on the Finding Details pages. This information is also available through the Semgrep API.
  • Added the ability to triage a finding directly from Open to Reviewing on the Finding Details page.
  • Jira: added the ability to map to EPSS categories when creating Jira tickets.

Changedโ€‹

  • Semgrep AppSec Platform now displays distinct login and signup pages.
  • SSO email logins are now case insensitive.
  • Semgrep in CI output now shows per-product links depending on what Semgrep products are enabled for a scan.

Fixedโ€‹

  • Fixed an issue where Analyze, Ignore, and Fix options were available when the finding had previously been marked as Fixed or Removed.
  • Fixed an issue where GitHub Enterprise users were incorrectly redirected to GitHub.com repository URLs.
  • Jira:
    • Fixed an issue where Semgrep didn't handle default Jira values correctly, leading to tickets not being created.
    • Fixed an issue where Jira tickets weren't being created due to a Semgrep Assistant auto-triage lookup error.
  • CLI:
    • Fixed --help documentation to reflect that, for --metrics="auto", pseudoanonymous metrics are sent when the user is logged in.
  • Assorted UI fixes, including fixes to incorrect line breaks and typo corrections.

๐Ÿ’ป Semgrep Codeโ€‹

Fixedโ€‹

  • Fixed a bug introduced in Semgrep 1.120.0 causing cross-file analyses to run out of memory due to too many parallel jobs. The default setting had been accidentally set to the number of available CPUs which is often too much in cross-file mode. It's now back to -j1, which you can override.
  • CLI: Fixed a bug where --disable-nosem was not sending findings from nosem-annotated lines of code to Semgrep AppSec Platform. --disable-nosem now correctly sends findings, if any, from nosem-annotated lines, to the Platform.

โ›“๏ธ Semgrep Supply Chainโ€‹

Addedโ€‹

  • Java and Kotlin: Projects can now be scanned without lockfiles through Semgrep Managed Scans.
  • Semgrep can now scan composer.lock files for the licenses of PHP dependencies. Through this feature, you can configure Semgrep to block or leave a comment on pull requests or merge requests, depending on the license of the dependency that the PR or MR is adding. This feature is enabled by default and runs on full and diff-aware Supply Chain scans.
  • Policies: Added No reachability analysis as a policy condition.
  • Improved handling of tsconfig.json in instances where multiple, separately rooted source directories with their own tsconfig.json configurations were previously treated as a single project. These directories are now treated as their own TypeScript project, which should result in better name/module resolution.
  • Improved handling of include,exclude and files properties in tsconfig.json. Projects that use more than one tsconfig file in a given directory, which apply to different sets of files under that directory, should see improvements in name/module resolution.
  • Python: Added support for uv package manager.

Changedโ€‹

  • Scanning without the need for lockfiles is now in private beta for select programming languages.
  • Improved the Supply Chain UX in various pages:
    • If the finding has a function call that proves the finding is reachable, this function call is highlighted in the code in the finding's Details page.
    • Added context in PR comments as to why a finding is reachable, under the section Why this is reachable. This alerts developers to the impact of a reachable finding.
    • Improved how filters are presented in the Supply Chain > Vulnerabilities page.
    • Unreachable findings are hidden by default from the findings list.
  • Improved Supply Chain scan output and logging.

Fixedโ€‹

  • Semgrep now scans large manifests and lockfiles, which were previously ignored due to Semgrep's default file size filtering. This ensures that your lockfiles can be scanned for dependencies and their relationships. This fixes a regression introduced in 1.117.0.
  • Fixed a bug where Supply Chain reachability rules which match multiple dependencies could produce reachable findings on transitive dependencies even when the actually used direct dependency was not vulnerable.
  • Various minor fixes to the Supply Chain UI.

๐Ÿค– Semgrep Assistantโ€‹

Addedโ€‹

  • The Assistant Memories feature is now in public beta:
    • Managing memories in Semgrep AppSec Platform now occurs under Rules & Policies, not Settings.
    • Semgrep AppSec Platform displays data on the scope and impact of memories, including the number of findings affected and which findings affected
    • Assistant now provides suggested memories, which are those that Assistant has generated based on your past triage actions. You can view these memories at any time in Semgrep AppSec Platform by navigating to Rules & Policies > Assistant Memories > Suggested. For each suggestion, you can choose one of the following actions:
      • Activate the suggested memory to inform Assistant's future advice.
      • Edit the memory, then activate it.
      • Delete the memory.
  • Users now see error messages providing specific reasons why a finding can't be analyzed. For example, local scans and scans from projects without code access can't be analyzed.

Fixedโ€‹

  • Fixed an issue where Assistant's suggested fixes weren't displaying in Semgrep AppSec Platform.
  • Fixed an issue where findings displayed the Agree and ignore option for Assistant auto-triage feedback, even when Agree and ignore wasn't a valid option, resulting in errors.

๐Ÿ” Semgrep Secretsโ€‹

Changedโ€‹

  • Improved performance of Semgrep Secret scans due to back-end updates.

๐Ÿ“ Documentation and knowledge baseโ€‹

Addedโ€‹

Changedโ€‹

  • Updated the header and footer to provide more Semgrep learning materials.
  • Updated instructions on how to add support for a language to Semgrep.
  • Minor updates to various documentation.

Fixedโ€‹

๐Ÿ”ง Semgrep Community Edition (CE)โ€‹

The following versions of Semgrep CE were released in May 2025: