Semgrep Product Updates

Stay up to date on all of the changes to the Semgrep AppSec platform, big and small.
Semgrep Supply Chain now supports reachability analysis for PHP

We’re excited to introduce the industry’s first reachability analysis for PHP, marking the 11th language with this capability. This is now in public beta for all Semgrep Supply Chain customers and includes support for critical severity CVEs published since 2017.

Pablo Estrada
Detect malicious dependencies with Semgrep Supply Chain

Semgrep Supply Chain now includes malicious dependency detection! This protects you from malware and credential theft, which are spread through attacks like dependency confusion and typosquatting. Over 31,000 new rules in the platform now generate critical findings whenever malicious dependencies are detected in your code. More information is available on the Semgrep blog.

Pablo Estrada
In-app code snippets are now supported for cross-file dataflow traces

Previously, we only displayed code for dataflow traces within a single file. Now, users can view their code no matter how many files a trace spans. This improvement makes triage faster and easier by giving users the complete code context in one place.

Note: This feature only applies to customers that provide us with code access.

Happy scanning!

Example dataflow:

Milan Williams
Announcing Critical Severity for Semgrep Code & Secrets

Starting today, Semgrep Code and Semgrep Secrets are adding the Critical severity level to denote the highest level of severity. You will see an additional filter option in both the Code and Secrets pages, as well as on the Policies page, to allow you to drill down on Critical findings and the rules that report them.
Many existing rules have been updated to use this severity level, and your existing findings from those rules will be updated to use the Critical severity level after the next full scan of the project.

Happy scanning!

Milan Williams
Announcing Semgrep Code's latest JavaScript and TypeScript analysis

Semgrep Code’s latest JavaScript and TypeScript analysis is built by scanning real-world code to uncover nuanced, context-specific vulnerabilities. With engine-level support for 50+ popular frameworks and libraries—including Express, NestJS, React, and Angular—our approach ensures your security coverage reflects the complexities of modern, production-grade applications. To learn more about our new analysis, read the announcement blog!

Milan Williams
Announcing Dependency Graph on Semgrep Supply Chain

Semgrep Supply Chain’s new Dependency Graph empowers AppSec engineers to secure their software with greater efficiency. By combining the new Dependency path visualization and an enhanced lockfile workflow, it eliminates blind spots, reduces manual research, and speeds up prioritization and remediation.

The Dependency path visualization maps all dependencies—direct and transitive—showing exactly where vulnerabilities exist, even across multiple layers and paths. For package managers without standardized lockfiles, such as Maven and Gradle (the focus of this product update), Semgrep reconstructs the dependency tree to surface vulnerabilities.

These updates make onboarding and scanning repositories faster and more adaptable, regardless of workflow. Dependency Graphs are now in beta; please refer to our announcement blog post for more details.

Cullen Harwood
Announcing Scala and Swift Reachability with Semgrep Supply Chain

We are excited to announce that Semgrep Supply Chain now has dataflow reachability coverage for Scala and Swift – users will now be able to see complete reachable and unreachable results in their Supply Chain findings.

With these two languages, we now officially support full dataflow reachability for 10 languages, which reduces noise attributed to false positives by as much as 98%, saving hours of developer time so they can focus on the most impactful security risks.

Read the announcement blog post for more information.

Cullen Harwood
New triage reason workflows + filter by triage reason in platform

Developers are now able to specify triage reasons (false positive, acceptable risk, and other) in the PR comment flow, and AppSec teams can now filter findings based on these reasons in the Semgrep UI.

Developers will be able to use the following PR commands in GitHub, and all instructions will be clearly provided to developers as part of the PR comment:

  • /fp <comment> — triages the finding to ignored with the triage reason "false positive"

  • /ar <comment> — triages the finding to ignored with the triage reason "acceptable risk"

  • /other <comment> — triages the finding to ignored without a specific reason (recorded as "No triage reason")

    • Note: These three commands are equivalent to the previous /semgrep ignore functionality

  • /open — re-opens a finding

    • Note: This is the same as the previous /semgrep open functionality

  • /remember <comment> — adds an Assistant memory

    • Note: This is the same as the previous /semgrep remember functionality

Please note that all previous commands are still supported for backwards compatibility. For example, the previous commands /semgrep ignore, /semgrep open, and /semgrep remember will continue to be available, and developers may continue to use them.

Support is currently limited to GitHub, but is coming soon for GitLab customers!

Triage reason

Chushi Li
Filter reporting metrics by team

Customers will now see a "Teams" filter on the reporting page under "Filters". A new RBAC setting (on by default) restricts users to reporting data from the teams they are part of, and a new multi-select filter lets users choose which of their teams to include.

Admins will of course have access to all teams.

Happy scanning!

Chushi Li
Announcing Kotlin Reachability with Semgrep Supply Chain

Kotlin in your codebase now gets reachability analysis with Semgrep Supply Chain. Driven by partnership with our customers and users, this addition makes Kotlin the eighth language to receive reachability analysis on our supply chain platform.

Read the announcement blog post for more information.

Cullen Harwood