Semgrep Autofix, now in public beta, provides contextual remediation guidance, breaking change analysis, and AI-generated fix suggestions directly in pull requests.
For Semgrep Supply Chain findings, Upgrade Guidance identifies which dependency upgrades are safe and flags line-level breaking changes for complex ones. It combines first-party code analysis (how your code uses a package) with third-party code analysis (what changed between versions) via the Semgrep Pro engine, then sends results to an LLM to produce the final breaking change report. Where a safe upgrade exists, developers can generate a PR immediately.
For Semgrep Code findings, Autofix provides tailored fix suggestions using security context from Semgrep and your application's codebase. Fixes can also be triggered via API for fully automated remediation.
Read the announcement blog
Read the docs for Code and for Supply Chain
We're officially in the Cursor Plugin Marketplace. The Semgrep plugin bundles our MCP server, Hooks, and Skills to deliver SAST, supply chain, and secrets scanning on every file an agent touches.
📖 Read the announcement blog
⚡ Install the plugin today: quickstart docs
We’re excited to roll out improved workflows for the Semgrep Dashboard, designed with one specific goal in mind: helping AppSec teams make "Big Number Go Down." We know that efficient triage is the bottleneck that stands between a crowded backlog and a secure codebase, so we’ve optimized the interface to help you cut through the noise and fix what matters faster.
To walk you through these changes, Staff Product Manager Jack Moxon has recorded a deep dive into the new triage workflow. He covers the visual refresh, the new streamlined actions, and how these updates reduce friction between AppSec and Engineering.
In light of the latest supply chain attacks, we're excited to announce that malicious dependency detection is now a generally available feature included in Semgrep Supply Chain.
For the GA version, we made scanning much faster while adding tens of thousands more advisories, for a grand total of 80,000 SCA rules. Malicious dependency detection is also now available in the API, integrates easily with Policies to block malicious dependencies from being introduced, and works with Jira.
Read more about how malicious dependency detection helps protect against open source malware attacks
We're excited to announce that Semgrep Managed Scans is officially moving from Open Beta to GA!
Semgrep Managed Scans (SMS) delivers comprehensive SAST, SCA, and Secrets scanning without any infrastructure costs or CI/CD complexity. Simply connect your repositories and we handle everything - weekly full scans plus real-time PR checks - all running on our infrastructure. With 1M+ weekly scans already running and proven ROI through reduced DevSecOps lift and faster remediation cycles, SMS is the easiest path to enterprise-grade security.
Read more about how SMS delivers impact without operational overhead on the Semgrep blog.
We’re excited to introduce the industry’s first reachability analysis for PHP, marking the 11th language with this capability. This is now in public beta for all Semgrep Supply Chain customers and includes support for critical severity CVEs published since 2017.
Semgrep Supply Chain now includes malicious dependency detection! This protects you from malware and credential theft, which are spread through attacks like dependency confusion and typosquatting. Over 31,000 new rules in the platform now generate critical findings whenever malicious dependencies are detected in your code. More information is available on the Semgrep blog.
Previously, we would only display code for dataflow traces within a single file. Now, users can view their code no matter how many files a trace spans! This improvement makes triage faster and easier by giving users the complete code context in one place.
Note: This feature only applies to customers that provide us with code access.
Happy scanning!
Example dataflow: [screenshot of a multi-file dataflow trace not reproduced on this page]
Starting today, Semgrep Code and Semgrep Secrets are adding the Critical severity level to denote the highest level of severity. You will see an additional filter option in both the Code and Secrets pages, as well as on the Policies page, to allow you to drill down on Critical findings and the rules that report them.
Many existing rules have been updated to use this severity level, and your existing findings from those rules will be updated to use the Critical severity level after the next full scan of the project.
Happy scanning!
Semgrep Code’s latest JavaScript and TypeScript analysis is built by scanning real-world code to uncover nuanced, context-specific vulnerabilities. With engine-level support for 50+ popular frameworks and libraries—including Express, NestJS, React, and Angular—our approach ensures your security coverage reflects the complexities of modern, production-grade applications. To learn more about our new analysis, read the announcement blog!