releases.shpreview
Semgrep

Semgrep

semgrep.devSecurity
$npx @buildinternet/releases get semgrep
Recently Shipped24 releases · updated Jun 16, 2026

Gosu joined the list of languages with experimental cross-file taint analysis in v1.166.0, joining a growing interfile-capable set.

Pro interfile taint analysis got faster and more accurate. The interfile engine was redesigned in v1.158.0 for an estimated 20–40% speed improvement. Taint config computation now parallelizes across available jobs, and intermediate results serialize to disk to cut redundant recomputation. Cross-file tracking improved for globals, variadic functions, and lambda calls. Nested-function taint tracking landed in v1.162.0; rule validation and parsing now run in parallel across cores (v1.163.0), cutting scan startup time on large rulesets.

JSON rule parsing became ~5× faster. A new hand-written RFC 8259 parser replaced the previous JS-parser-based chain in v1.162.0, dropping parse time on a 382 MB rule pack from ~134s to ~28s.

Language support broadened. PowerShell arrived in beta (v1.155.0), Scala gained a tree-sitter parser (v1.160.0) and Scala 3.4+ trait parameters parse correctly (v1.161.0), PHP support extended to 8.1–8.5 syntax (v1.163.0), Dart gained typed metavariables and function-definition patterns (v1.164.0), and Gosu gained experimental interfile analysis (v1.166.0).

Scan output and validation controls tightened. --max-match-context-size (v1.165.0) caps characters of source code in match output, preventing enormous output from minified JavaScript. The --x-rule-validation=full|core-only|none flag replaced the old --x-no-python-schema-validation, offering finer-grained control over pre-scan rule validation.

Security posture improved in the CLI and platform. The CLI no longer stores API tokens in ~/.semgrep/settings.yml when supplied via SEMGREP_APP_TOKEN (v1.166.0); SCM token transmission to the platform was stopped and URL-embedded credentials are redacted from error messages (v1.162.0). The platform added workflow execution usage to the AI credits dashboard, Jira ticketing for AI-powered detection findings, and a corporate SSO login prompt for organizations with SSO configured.

The MCP server gained branch-scoped filtering. The semgrep_findings tool added a refs parameter for branch-scoped queries and made autotriage_verdict optional; DNS rebinding protection was also added.

AI-generated summaries may contain mistakes.

Sources

Latest releases

See all releases

Activity

135 releases4d interval8/mo
Mon
Wed
Fri
JulAugSepOctNovDecJanFebMarAprMayJunJul
Less
More