Semgrep Product Updates

The playground/editor has some shiny new examples/templates that should make it much easier for users to get started with rule-writing. Here are the key changes:

• Example/template rules are now categorized

• Each example has an explanation of what patterns are being matched with links to relevant documentation

• Example rules are more "real world" and better showcase the common use cases for rules

• Customers with secrets enabled will now will see an additional property for HTTP validation (learn more about custom secrets rules)

  

Happy rule-writing!

Customers can now write their own rules for Semgrep Secrets! These rules can detect and validate secrets associated with internal services, services with custom subdomains, or services not yet supported by Semgrep.

To learn more, read the announcement post where we go through an example of how easy it is to write a custom secrets rule and add it to a Semgrep policy.

Note that Semgrep Secrets supports validation out-of-the-box and comes with validator rules for many common services - this update allows users to write their own custom validator rules for internal services, services with custom subdomains, etc.

We're happy to announce that all Semgrep Code scans will now use Pro Engine (cross-function analysis + Pro-only languages).

This improved analysis and coverage comes with no performance/speed cost, which is why we're making it the default scan type! You may notice new findings after your next scan due to the increased scope of analysis.

Since all scans now run with cross-function analysis, the "Pro Engine" toggle in settings is now a toggle for cross-file analysis (which is still optional due to the potential impact on scan speeds):

Users can now scan for valid secrets in their repo's git history! This functionality is off by default, so users will have to toggle it on in the settings menu or run semgrep ci with --historical-secrets.

A few things to note:

• Historical scanning can be slow with large repos.

• Findings from historical scans will not be automatically be marked as fixed. Currently these findings can only exist in two states: Open or Ignored.

Please don't hesitate to share any feedback with your account team!

We are excited to announce the General Availability of Swift support in Semgrep Code!

This means that Swift now meets the strict syntax and parse-rate requirements for GA status with our Pro Engine. This release includes 57 Pro rules covering a broad range of vulnerability classes - as usual, we'll continuously monitor and update them to ensure they meet our standards for accuracy and comprehensiveness.

Happy coding!

After a little over a year in open beta, Semgrep Assistant is now GA!

Semgrep Assistant is free for all customers, and uses AI to greatly speed up existing workflows across prioritization, triage, and remediation. New features include Assistant generated custom rules and Priority Inbox - to learn more about these capabilities read the blog post.

Semgrep Assistant is super easy to set up - just go into settings and turn it on (your developers will appreciate the additional context):

A new set of rules for Elixir and the Phoenix framework have just been released, covering a broad range of security and correctness issues.

These rules can be found in the registry, and a subset of them (medium/high confidence rules) are available via the p/elixir ruleset for easy access.
To use them, users must be logged in and use the Pro engine via the --pro option!

Many thanks to Holden Oullette (maintainer of Sobelow) for helping us ship this update!

We're excited to announce that Semgrep Supply Chain now has lockfile-only support for Swift and the official Swift Package Manager!

Our future roadmap for the ecosystem includes reachability and the addition of CocoaPods as a supported package manager.

Users will need a Package.resolved in their repository for us to successfully parse all their dependencies. Official documentation on how users can generate one can be found here.

Semgrep Code now has cross-file support for Python! This includes 100+ Pro rules focusing on common web vulnerabilities, with coverage for Flask and several extensions like Flask-SQLAlchemy, Flask-WTForms, and more. Django and FastAPI coverage is coming soon!

The rules are in p/default and you should start to see new results in your next scan. If you'd like to see results on a local scan first, run $ semgrep login && semgrep ci --pro

Please don't hesitate to share any feedback you have on the results with your account team or one of our product managers!

We’re extremely excited to launch GA support for C and C++ in Semgrep Code! Our Pro Engine scans C/C++ projects in minutes, and doesn't require a build or compile step. To see all of the new Pro rules for C/C++, check out the registry.

Note that no changes have been made to C/C++ support in Semgrep OSS - the languages will stay experimental due to constraints with OSS engine capabilities.

If you have any questions regarding coverage or performance in comparison to other SAST solutions that scan C/C++, please reach out to your account team!