April 2026
The following updates were made to Semgrep in April 2026.
🌐 Semgrep AppSec Platform
Added
- Added a prompt for users to log in with their corporate SSO credentials instead of their GitHub or GitLab credentials when their organization has corporate SSO configured.
- Added workflow execution usage information to the AI credits dashboard so users can see workflow runs alongside scans, triage actions, and fixes.
- Added the ability to download contributor usage information from Settings > Usage & Billing.
- Added AI-powered detection findings to the findings API endpoint (`GET /api/v1/deployments/{slug}/findings`).
- Added Jira ticketing support for AI-powered detection findings.
- Added the ability to manually run full scans for non-default or non-primary branches using Semgrep Managed Scans.
- Added the ability to retry Semgrep Managed Scans that failed or didn't complete.
- Semgrep Guardian: added support for a Supply Chain hook.
Changed
- The interfile analysis engine has been redesigned to improve performance. These improvements change how findings are generated, which might result in additional true positives and fewer false positives.
- Contributor seat limit alerts now explain that scans continue as a courtesy when an organization exceeds its seat limit, replacing the previous inaccurate "scans will be paused" text.
- Removed the Fixed in time filter option from all Findings pages.
- The Projects list now includes Semgrep Managed Scans that are pending or have never started scanning.
- Semgrep Playground is now mobile-friendly.
Fixed
- Fixed an issue where invalid configurations caused the Integrations page to not load. Semgrep now displays a meaningful error and allows users to edit or delete the configuration.
- Fixed an issue where Semgrep did not save changes when Gradle or Maven registry integration credentials were updated.
- Fixed an issue where the Settings > Usage panel incorrectly showed a subset of seats when a deployment had multiple active licenses for the same product, instead of the correct combined total.
- Fixed an issue where the Remove user from organization button was available to Managers, allowing them to remove Admin users.
- Fixed an issue where read-only users could upload CLI scan results and overwrite findings by setting `SEMGREP_REPO_DISPLAY_NAME`. CLI scan endpoints now enforce scan permissions.
- Fixed an issue where CSV findings exports failed with `IndexError: list index out of range` for some users when a paginated batch returned an empty list.
- Fixed the `repos` filter on the findings and issues API endpoints to use case-insensitive matching.
- Fixed an issue where the provisionally ignored filter for the public findings API endpoints returned all findings.
- Fixed an issue where the Jira integration failed to load for deployments that saved their Jira configuration before support for AI-detection findings was added.
- Fixed an issue with the SARIF trace output for taint mode so that it now uses the correct file URI and includes the sink call trace in `codeFlows`.
- IDE: fixed an issue where network errors occurring during token verification resulted in saved tokens being cleared.
- Minor UI fixes.
💻 Semgrep Code
Added
- The finding details page now displays the reason why a finding was ignored at the top. Users no longer need to go to the Activity section to see this information.
- Added the findings count and a link to view findings to the AI-powered detection scan progress timeline.
- Added AI-powered detection findings to the Findings CSV export file.
- Improved support for variadic functions in taint-tracking mode.
- Scala: added a `tree-sitter` parser to improve parsing accuracy.
Fixed
- Fixed an issue where the AI-powered detection scan time estimate was overinflated.
- Fixed an issue where Autofix wasn't able to create a GitHub pull request because the Semgrep GitHub app requested insufficient permissions.
- Fixed an issue where Autofix features were unavailable to organization members, as well as admins.
- Fixed an issue where Autofix displayed a suggested fix for Supply Chain findings. Autofix is only applicable to Code findings.
- Fixed an issue where Autofix errored out when attempting to open pull requests for Azure DevOps repositories. Semgrep now rejects these requests since Azure DevOps isn't supported.
- Fixed an issue where Autofix errored out when handling requests involving archived repositories. Semgrep now rejects these requests and displays an error message accordingly.
- Fixed an issue where some GitHub Enterprise users stopped seeing Autofix pull requests.
- Fixed an issue where provisionally ignored findings couldn't be triaged without a comment being provided.
- Fixed Autofix pull request descriptions so that they properly display the user's GitHub username.
- Fixed an issue with GitHub App permission checks, which had been using the app manifest permissions (what the app declares) instead of installation-level permissions (what was actually granted), causing the Autofix button to be incorrectly hidden or shown.
- Fixed performance issues during the parsing of Semgrep rules containing non-BMP Unicode characters.
- Scala: fixed an issue with trait parameters in versions 3.4.x and later so that they are now parsed correctly.
- Fixed an issue where Semgrep failed silently instead of returning an error when target file discovery fails.
⛓️ Semgrep Supply Chain
Added
- Added reachability coverage for Rust.
- Supply Chain advisories now have dedicated detail pages, replacing the previously used drawers.
- Added dependency path information to the SBOM exports and the Issues API endpoint.
Fixed
- Fixed an issue with legacy Supply Chain findings URLs that resulted in the findings page showing zero results.
- Fixed the Dependencies filter on the Findings page so that exact matches rank above all other matches.
- Fixed the advisory ID search so that it is case-insensitive.
- Fixed an issue where the Autofix API endpoints accepted pull requests for issues that were already fixed, removed, or ignored.
🤖 Semgrep Multimodal
Added
- Added IAM role-assumption authentication mode for AWS Bedrock BYOK. In addition to static access keys, users can now configure an IAM role ARN and grant Semgrep cross-account access using the generated external ID.
Changed
- Findings of critical or high severity with high or medium confidence identified during diff-aware scans are now included in autotriage analysis.
- The memory creation dialog now prompts users to create specific, named memories, such as "`ConfigService` is an internal backend service", rather than generic, conditional memories.
Fixed
- Fixed an issue with pull request comment URL construction for tag-scoped and deployment-wide memories that previously resulted in no pull request comments being posted.
🔧 Semgrep Community Edition
The following versions of Semgrep Community Edition were released in April 2026: