Semgrep Product Updates

Stay up to date on all of the changes to the Semgrep AppSec platform, big and small.
New insight into backlogs, developer engagement, and security posture

We’re excited to announce revamped reporting capabilities in Semgrep, which bring increased clarity to your production backlog, developer engagement levels, and overall security posture. Along with recently released views of secure guardrails adoption, these new capabilities give AppSec teams more visibility than ever before into the security metrics that matter for their teams.

Check out the docs or read the announcement blog post.

Pablo Estrada
Announcing framework-native analysis for Django, Flask, and FastAPI in Semgrep Code (Python)

We’ve supercharged Semgrep Code’s Python support with new, framework-specific analysis capabilities. The engine now tracks implicit data flows in popular frameworks like Django, FastAPI, and Flask, providing accurate detection of impactful security issues (OWASP Top Ten) for nearly 100 common Python libraries.

For most SAST products, framework coverage starts and ends with rule support. Semgrep Code now has framework-specific analysis capabilities built into the engine, meaning it can reason about Python source code in the context of specific frameworks. This ensures that implicit flows are captured and analyzed effectively.

As a result, benchmarks show an 84% true positive rate for our updated Python support. For benchmark details, or to learn more about our new framework coverage in Python, read the announcement blog!

Chushi Li
Bitbucket Data Center and Azure DevOps SCM Support

We've launched SCM support for Azure DevOps Cloud (ADOC) and Bitbucket Data Center (BBDC)!

Users can now self-serve these SCMs by navigating to Settings > SCM and clicking the corresponding button. Users can also test the connection to ensure it has been set up correctly.

What features are supported?

  • PR Comments (Semgrep Code)

    • We’ve introduced Semgrep Code PR comments for both Azure DevOps Cloud and Bitbucket Data Center

    • This includes both inline comments and unanchored comments for individual and grouped findings, respectively.

  • PR Comments (Semgrep Supply Chain - license violations)

    • These are now available for both Azure DevOps and Bitbucket Data Center, ensuring developers will always use compliant dependencies.

  • Hyperlinks in the findings UI

    • Finding hyperlinks for both Azure DevOps and Bitbucket Data Center work across all parts of the findings UI (commit URL, branch URL, line of code URL, etc.).

    • The findings experience for both ADOC and BBDC is now at parity with other supported SCMs.

Chushi Li
Updated Jira integration with embedded remediation guidance

Semgrep’s updated Jira integration brings AI-generated remediation guidance directly to developers in Jira tickets. Additionally, Semgrep scans can now automatically trigger ticket creation for high-priority issues, reducing manual workload for vulnerability tracking and triage.

Check out the docs or read the announcement blog post.

Pablo Estrada
Filter projects by name and last scan time

You can now sort projects by name and last scan time on the projects page. This gives teams more visibility into scans and coverage across repositories (particularly for organizations using Semgrep managed scanning) so they can better troubleshoot failing scans or just get an overview of scan cadence.

Note that scans that were never completed currently appear before the latest scans; in a future update these projects will appear at the bottom of the list.

Project filters

Chushi Li
Semgrep managed scanning now available in public beta

You can now roll out Semgrep at ludicrous speed without any manual, per-repo CI/CD configuration. Whether you have one repo or thousands of repos, It Just Works.

Semgrep managed scanning lets you add Semgrep to your projects without the need to change existing CI/CD configurations, whether you have one, hundreds, or even tens of thousands of repositories.

Code scans are run on Semgrep AppSec Platform’s infrastructure instead of in your CI/CD infrastructure. So there is no need for you to spend CI minutes or coordinate with other teams to set up scanning.

Once enabled, Semgrep managed scanning automatically runs full scans weekly and on every PR. Semgrep findings presented as PR comments are still available and are determined by your policy settings for monitor, comment, or blocking modes.

For more, check out the Semgrep managed scanning announcement blog post.

Pablo Estrada
New UI for Semgrep Supply Chain

We've done a lot this quarter to streamline the Supply Chain UI! These changes greatly improve the ease of orchestration of our SCA solution and platform overall.

All three of our products are powered by the same core analysis engine, and as we continue to unify and consolidate things on the front-end it should be much easier for anyone familiar with other parts of the Semgrep AppSec Platform to quickly get their bearings with our best-in-breed supply chain tool.

The new interface brings many of the core SAST capabilities and workflows that our users love to Semgrep Supply Chain:

  • Group vulnerabilities by rule

  • Bulk triage of findings

  • More comprehensive filtering

  • One unified API for findings across Semgrep Code and Semgrep Supply Chain

Andy Huang
Project-level RBAC is now in public-beta

Shipping RBAC that works at the repository level was a priority for us this year, and we’re excited to announce that project-level RBAC is now in public beta!

For organizations with thousands of developers and repositories, the importance of role-based access controls goes beyond compliance: security engineers only want to see findings for the repositories and microservices they are responsible for, and access controls that work at the project level make this possible.

For more information, read our documentation on the new teams view in our access controls menu (found under settings).

Project-level RBAC

Chushi Li
Semgrep Code Search is now available in public beta (for users with an active license)

We're excited to announce the public beta of Semgrep Code Search! Code Search lets users run a single rule across hundreds of code repositories in seconds, making vulnerability detection and rule iteration lightning-fast. Since Semgrep rules are already easy to understand and write, the instant feedback provided by Code Search gives users superpowers when it comes to rule evaluation, rule writing, and vulnerability hunting.

To learn more about how to use Code Search (or how it works on the back-end), read the announcement blog post!

Important Notes:

  • Semgrep Code Search is currently only available for repos hosted on GitHub.com

  • Semgrep Code Search is only available for current Code customers or users with an active trial license.

Milan Williams
Structure Mode is now available in the Playground

Structure Mode is a brand new way to write Semgrep rules that guides users via the UI instead of requiring them to write YAML. Structure Mode makes rule-writing easier for inexperienced rule-writers, but it also adds cool new features for seasoned rule-writers that should speed up their workflows as well.

Structure Mode replaces the now deprecated "Simple Mode", as it offers more robust functionality paired with an intuitive interface that is as easy (if not easier) to understand as Simple Mode.


To learn more about Structure Mode, read our blog post which outlines all of the shiny new capabilities in detail.

Chushi Li