Semgrep

Semgrep · v1.165.0

1.165.0 - 2026-06-03

### Added
  • Added the --max-match-context-size option to limit the number of characters of source code included as context for each match in the output. This prevents matches in minified files (e.g., minified JavaScript where the entire file is a single line) from producing enormous output. Set it to 0 for unlimited, which is the default value. (ENGINE-2117)
### Changed
  • Replaced --x-no-python-schema-validation with a value-taking --x-rule-validation=full|core-only|none flag. The default (full) preserves existing Python rule validation behavior; core-only matches the old flag's semantics (disables Python rule validation and uses semgrep-core RPC validation only); none skips both pre-validation passes, surfacing rule errors at scan-time. --x-no-python-schema-validation is still accepted as a no-op with a deprecation warning, and will be removed in a future release. (x-rule-validation)
  • Python: Updated the Python grammar. (LANG-201)
### Fixed
  • Added bit shift operations to metavar comparison in addition to already present standard arithmetic operators and logical bit ops. (ENGINE-2448)
  • Reduce intermittent validation_error results on HTTP secret validators (Facebook, Slack, Stripe, Google, Cloudflare, etc.) by retrying transient network failures, mirroring the retry behavior already present for AWS validators. (SCRT-965)
Semgrep · v1.164.0

1.164.0 - 2026-05-26

### Added
  • Dart: typed metavariables ($X as T) and metavariable-type, metavariable binding inside string interpolations, and function-definition patterns that match Dart function definitions. (gh-11678)
### Changed
  • The default memory limit for Pro interfile scans on Linux now adapts to the container's cgroup memory limit (90% of it) instead of the previous fixed 5 GiB, with an 8 GiB fallback when no cgroup limit is detected. (ENGINE-2568)
  • Lowered the glibc constraint from >=2.35 to >=2.34, allowing users on distros that ship glibc 2.34 (e.g., RHEL 9 and AL2023) to install the semgrep wheel. (gh-11622)
### Fixed
  • Baseline diff scans (semgrep ci and --baseline-commit) no longer treat every finding on a file as newly introduced when one or more rules failed on that file during the baseline run.

    Per-rule failures on baseline analysis (for example a timeout for a single rule) now hide only that rule's matches on that file from the "new vs baseline" comparison. Other rules on the same file are still included in the comparison.

    Per-file, rule-independent failures now hide all findings on that file from the "new vs baseline" comparison. (LANG-515)

  • Fixed a yarn.lock parse error on Yarn Berry entries written in YAML explicit-key form. Affected lockfiles previously failed to parse. (SC-3479)

  • The (beta) SBT resolver with --allow-local-builds now correctly identifies dependencies as part of the Maven ecosystem. (SC-3522)

  • Fix --sarif-output and --sarif causing nosemgrep-suppressed findings to be reported in CLI scan output and to block scans. Suppressed findings are now correctly excluded from terminal text output, the scan-summary count, and the CLI's exit code. (engine-1824)

  • Fixed a bug that could cause unreliable target filtering in parallel scans. (gh-6313)

  • Dart: improved parser fidelity for Dart 3 grammar features and routed pattern parsing for statements beginning with await, rethrow, and other statement keywords. Eliminates a large class of PartialParsing errors on real-world pub.dev packages. (gh-11678)

### Infra/Release Changes
  • pro: macOS: Fixed dynamic library lookup for semgrep-core-proprietary so the binary works when semgrep install-semgrep-pro is invoked, and semgrep is installed via Homebrew. (pro-binary-homebrew)
  • Pro: Added optional <case>.named_ast.expect golden files for tests/intrafile/maturity/ fixtures, exercised by Unit_maturity_named_asts. (LANG-287)
Semgrep · v1.163.0

1.163.0 - 2026-05-13

### Added
  • Updated PHP target parsing to support grammar changes from PHP 8.1-8.5. (LANG-380)
### Changed
  • Improved semgrep ci startup time with App-provided rules by avoiding duplicate semgrep-core rule validation during CLI rule loading while preserving config-style failures for invalid rules. (ci-rule-validation-startup)
  • Semgrep now validates dependency-aware rules only on the core side, improving startup time. (validate-skip-dep-aware)
  • Rule validation now runs in parallel across cores on large rulesets, reducing scan startup time. (gh-6279)
  • Rule parsing now runs in parallel across shards on multi-core machines, reducing scan startup time on large rulesets. (gh-6281)
### Fixed
  • Improved name resolution for fully-qualified names in Java, Kotlin, and Scala. This could lead to fewer false positives and more true positives when the code under analysis uses fully-qualified names instead of imports. (java-qualified)
  • Optimised rule prefiltering and parsing to improve engine startup time. (rule-parse-cache)
  • Reduced peak memory usage when scanning repos with large rulesets. (rules-json-compact)
  • Fixed transitive reachability rule parsing performance: the temporary rule file written for each transitive-reachability RPC call is JSON content (json.dumps([rule.raw])) but was being created with a .yaml suffix. OCaml's Parse_rule.parse_file dispatches purely on file extension, so this routed every TR rule through Yaml_to_generic.parse_yaml_file (the slow YAML path) instead of Fast_json.parse_program (the new hand-written RFC 8259 parser). Switching the suffix to .json lines the suffix up with the actual content and lets every TR rule parse take the fast path. (tr-json-suffix)
  • Pro: Fixed a naming resolution bug in Java. (LANG-274)

The following updates were made to Semgrep in April 2026.

🌐 Semgrep AppSec Platform

Added
  • Added a prompt for users to log in with their corporate SSO credentials instead of their GitHub or GitLab credentials when their organization has corporate SSO configured.

  • Added workflow execution usage information to the AI credits dashboard so users can see workflow runs alongside scans, triage actions, and fixes.

  • Added the ability to download contributor usage information from Settings > Usage & Billing.

  • Added AI-powered detection findings to the findings API endpoint (GET /api/v1/deployments/{slug}/findings).

  • Added Jira ticketing support for AI-powered detection findings.

  • Added the ability to manually run full scans for the non-default or non-primary branches using Semgrep Managed Scans.

  • Added the ability to retry Semgrep Managed Scans that failed or didn't complete.

  • Semgrep Guardian: added support for a Supply Chain hook.

Changed
  • The interfile analysis engine has been redesigned to improve performance. These improvements change how findings are generated, which might result in additional true positives and fewer false positives.

  • Contributor seat limit alerts now explain that scans continue as a courtesy when an organization exceeds its seat limit, replacing the previous inaccurate "scans will be paused" text.

  • Removed the Fixed in time filter option from all Findings pages.

  • The Projects list now includes Semgrep Managed Scans that are pending or have never started scanning.

  • Semgrep Playground is now mobile-friendly.

Fixed
  • Fixed an issue where invalid configurations caused the Integrations page to not load. Semgrep now displays a meaningful error and allows users to edit or delete the configuration.

  • Fixed an issue where Semgrep did not save changes when Gradle or Maven registry integration credentials were updated.

  • Fixed an issue where the Settings > Usage panel incorrectly showed a subset of seats when a deployment had multiple active licenses for the same product instead of the correct combined total.

  • Fixed an issue where the Remove user from organization button was available to Managers, allowing them to remove Admin users.

  • Fixed an issue where read-only users could upload CLI scan results and overwrite findings by setting SEMGREP_REPO_DISPLAY_NAME. CLI scan endpoints now enforce scan permissions.

  • Fixed an issue where CSV findings exports failed with IndexError: list index out of range for some users when a paginated batch returned an empty list.

  • Fixed the repos filter on the findings and issues API endpoints to use case-insensitive matching.

  • Fixed an issue where the provisionally ignored filter for the public findings API endpoints returned all findings.

  • Fixed an issue where the Jira integration failed to load for deployments that saved their Jira configuration before support for AI-detection findings was added.

  • Fixed an issue with the SARIF trace output for taint mode so that it now uses the correct file URI and includes the sink call trace in codeFlows.

  • IDE: fixed an issue where network errors occurring during token verification resulted in saved tokens being cleared.

  • Minor UI fixes.

💻 Semgrep Code

Added
  • The finding details page now displays the reason why a finding was ignored at the top. Users no longer need to go to the Activity section to see this information.

  • Added the findings count and a link to view findings to the AI-powered detection scan progress timeline.

  • Added AI-powered detection findings to the Findings CSV export file.

  • Improved support for variadic functions in taint-tracking mode.

  • Scala: added tree-sitter parser to improve parsing accuracy.

Fixed
  • Fixed an issue where the AI-powered detection scan time estimate was overinflated.

  • Fixed an issue where Autofix wasn't able to create a GitHub pull request due to the Semgrep GitHub app requesting insufficient permissions.

  • Fixed an issue where Autofix features were unavailable to organization members, as well as admins.

  • Fixed an issue where Autofix displayed a suggested fix for Supply Chain findings. Autofix is only applicable to Code findings.

  • Fixed an issue where Autofix errored out when attempting to open pull requests for Azure DevOps repositories. Semgrep now rejects these requests since Azure DevOps isn't supported.

  • Fixed an issue where Autofix errored out when handling requests involving archived repositories. Semgrep now rejects these requests and displays an error message accordingly.

  • Fixed an issue where some GitHub Enterprise users stopped seeing Autofix pull requests.

  • Fixed an issue where provisionally ignored findings couldn't be triaged without a comment provided.

  • Fixed Autofix pull request descriptions so that they properly display the user's GitHub username.

  • Fixed an issue with GitHub App permission checks, which had been using app manifest permissions, or what the app declares, instead of installation-level permissions, or what was actually granted, causing the Autofix button to be incorrectly hidden or shown.

  • Fixed performance issues during the parsing of Semgrep rules containing non-BMP Unicode characters.

  • Scala: Fixed an issue with trait parameters in versions 3.4.x and later so that they are now parsed correctly.

  • Fixed an issue where Semgrep failed silently instead of returning an error when target file discovery fails.

⛓️ Semgrep Supply Chain

Added
  • Added reachability coverage for Rust.

  • Supply Chain advisories now have dedicated detail pages, replacing the previously used drawers.

  • Added dependency path information to the SBOM exports and the Issues API endpoint.

Fixed
  • Fixed an issue with legacy Supply Chain findings URLs that resulted in the findings page showing zero results.

  • Fixed the Dependencies filter on the Findings page so that exact matches rank above all other matches.

  • Fixed the advisory ID search so that it is case-insensitive.

  • Fixed an issue where the Autofix API endpoints accepted pull requests for issues that were already fixed, removed, or ignored.

🤖 Semgrep Multimodal

Added
  • Added IAM role-assumption authentication mode for AWS Bedrock BYOK. In addition to static access keys, users can now configure an IAM role ARN and grant Semgrep cross-account access using the generated external ID.
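
The role-assumption mode above relies on the role's trust policy requiring the external ID. As an added example (not Semgrep's own configuration), the following builds the trust-policy document a user would attach to the role and checks that an `sts:AssumeRole` grant carries the `sts:ExternalId` condition and is not open to any principal. The account ID and external ID are placeholders; the real values come from the Semgrep UI.

```python
import json

# Added example, not Semgrep's configuration: IAM trust policy for cross-account
# role assumption gated on an external ID, plus a linter for the policy.

TRUSTED_ACCOUNT_ID = "111111111111"        # placeholder: the account that assumes the role
EXTERNAL_ID = "CONSTRUCTED-EXTERNAL-ID"     # placeholder: the value generated in the Semgrep UI


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy allowing one account to assume the role only with the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action, Principal.AWS and Statement."""
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy: dict) -> list:
    """Flag AssumeRole statements missing the external-ID condition or open to any principal."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            problems.append(f"statement {i}: AssumeRole allowed from any AWS principal")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in equals:
            problems.append(f"statement {i}: AssumeRole without sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    policy = trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", trust_policy_problems(policy) or "none")
```

The `sts:ExternalId` condition is what stops a third party that can also call the trusted account's service from assuming the role on your behalf (the confused-deputy case); the linter is meant to run over the policy before it is applied.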
Changed
  • Findings of critical or high severity with high or medium confidence identified during diff-aware scans are now included in autotriage analysis.

  • The memory creation dialog now prompts users to create specific, named memories, such as "ConfigService is an internal backend service" rather than generic, conditional memories.

Fixed
  • Fixed an issue with pull request comment URL construction for tag-scoped and deployment-wide memories that previously resulted in no pull request comments being posted.

🔧 Semgrep Community Edition

The following versions of Semgrep Community Edition were released in April 2026:

1.161.0

Semgrep · v1.162.0

1.162.0 - 2026-05-07

### Added
  • pro: Improved support for tracking taint through nested functions. (LANG-95)
  • Added indexes to file targeting to improve performance of semgrepignore matching. (gh-27830)
### Changed
  • Faster JSON rule parsing: rule files in JSON format now parse roughly 5x faster end-to-end (measured ~134s → ~28s on a 382MB rule pack) by going through a new hand-written RFC 8259 parser instead of the previous JS-parser-based chain. (ENGINE-2725)
  • Scala projects are now identified for Supply Chain only by their root build.sbt, rather than treating each build.sbt as a different subproject. (SC-3293)
  • MCP semgrep_findings tool: added a refs parameter to filter findings by branch (defaults to the primary branch when not specified), and made autotriage_verdict optional so that findings without an AI verdict can also be returned. (engine-2723)
### Fixed
  • jsonnet: import and importstr now reject paths that resolve outside the rule file's parent directory. (ENGINE-2727)
  • semgrep ci: redact URL-embedded credentials and Authorization header values from git error messages and from the captured tracebacks sent to the fail-open telemetry endpoint, preventing leaks of secrets like CI_JOB_TOKEN from a failed git fetch in GitLab CI. Also closes ENGINE-2731 (raw, unsanitized tracebacks in fail-open telemetry). (ENGINE-2728)
  • semgrep ci no longer transmits SCM tokens to the Semgrep Platform. (ENGINE-2729)
  • semgrep CLI: the on-disk log file (~/.semgrep/semgrep.log or $SEMGREP_LOG_FILE) now respects the requested log level instead of always being written at DEBUG. This narrows the surface for credentials to land on disk via CI runner filesystems or job artifacts; pass --debug to restore the previous behavior. (ENGINE-2730)
  • jsonnet rules: bound recursion in both rule loading and evaluation so a malicious rule can no longer hang semgrep via mutually-recursive imports or runtime function calls that recurse forever. (ENGINE-2727-dos)
  • Scala: Consecutive top-level package declarations are now merged into a single package path. (LANG-374)
  • Fixed PHP parse errors during highly-parallel parsing. (gh-6197)
  • Fixed Scala parse errors during highly-parallel parsing. (gh-6198)
  • Surface a clearer error from the MCP scan tool when metrics are off and auto config is specified. (gh-11649)
  • Fixed an unknown-option error when spawning the MCP daemon. (gh-11660)
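
The ENGINE-2728 entry above redacts two credential shapes from git error text: user:token embedded in a remote URL, and `Authorization` header values. As an added example (not Semgrep's own code), the following scrubs both shapes from an error message or formatted exception before it is logged or shipped to telemetry. The sample git error and token values are constructed.

```python
import re

# Added example, not Semgrep's code: scrub URL-embedded credentials and
# Authorization header values from git error output before logging it.

# scheme://userinfo@host  -> the whole userinfo part (user:password or user:token) is secret
_URL_USERINFO = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)(?P<userinfo>[^/\s@]+)@"
)

# "Authorization: Bearer <token>", "Authorization: Basic <b64>", "Authorization: <token>"
_AUTH_HEADER = re.compile(
    r"(?i)(?P<name>authorization\s*:\s*)(?P<scheme>(?:bearer|basic|token)\s+)?(?P<value>\S+)"
)

REDACTED = "***"


def redact_secrets(text: str) -> str:
    """Return text with URL userinfo and Authorization header values replaced by ***.

    The URL scheme, host and path are kept so the message stays debuggable;
    the auth scheme word (Bearer/Basic) is kept, the value is not.
    """
    text = _URL_USERINFO.sub(lambda m: f"{m.group('scheme')}{REDACTED}@", text)
    text = _AUTH_HEADER.sub(
        lambda m: f"{m.group('name')}{m.group('scheme') or ''}{REDACTED}", text
    )
    return text


def safe_error_message(exc: BaseException) -> str:
    """Format an exception (e.g. one raised around a failed git command) without leaking secrets."""
    return redact_secrets(f"{type(exc).__name__}: {exc}")


# Constructed sample: the shape of output a failed `git fetch` can produce when the
# CI job token is embedded in the remote URL and an extra Authorization header is set.
SAMPLE_GIT_ERROR = (
    "fatal: unable to access "
    "'https://gitlab-ci-token:glcbt-CONSTRUCTED@gitlab.example.com/group/repo.git/': "
    "The requested URL returned error: 403\n"
    "http.extraheader=Authorization: Bearer CONSTRUCTED-TOKEN\n"
)

if __name__ == "__main__":
    print(redact_secrets(SAMPLE_GIT_ERROR))
    print(safe_error_message(RuntimeError("clone of https://u:p@host.example/r failed")))
```

Run the scrubber on the final string that is about to leave the process (the log line, the telemetry payload) rather than on individual inputs, so a secret that reaches the message through an unexpected path is still caught.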
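
The two jsonnet fixes above (ENGINE-2727: `import` paths confined to the rule file's parent directory; ENGINE-2727-dos: bounded recursion) are shown together in one added example that is not Semgrep's jsonnet loader. It is a toy loader over an in-memory file system: the one-line `import "path"` syntax, the sample rule files and the `MAX_IMPORT_DEPTH` value are this example's assumptions.

```python
import posixpath
import re

# Added example, not Semgrep's code: a toy rule loader that confines imports to
# the importing file's directory and bounds import recursion (cycles and depth).

MAX_IMPORT_DEPTH = 64   # assumed bound; the release note does not state Semgrep's value

_IMPORT_LINE = re.compile(r'^\s*import\s+"([^"]+)"\s*$')


class RuleLoadError(Exception):
    """Raised for directory escapes, import cycles, depth overruns and missing files."""


def resolve_import(rule_file: str, target: str) -> str:
    """Resolve target relative to rule_file's directory; reject anything outside it.

    Pure path arithmetic on POSIX paths. A loader on a real file system should
    also resolve symlinks (os.path.realpath) before making the comparison.
    """
    base = posixpath.dirname(posixpath.normpath(rule_file))
    candidate = posixpath.normpath(
        target if posixpath.isabs(target) else posixpath.join(base, target)
    )
    root = base.rstrip("/") + "/"
    if candidate != base and not candidate.startswith(root):
        raise RuleLoadError(f"import {target!r} from {rule_file!r} escapes {base!r}")
    return candidate


def load_rule(fs: dict, path: str, depth: int = 0, stack: tuple = ()) -> str:
    """Expand imports recursively with cycle detection and a depth bound."""
    if path in stack:
        raise RuleLoadError("import cycle: " + " -> ".join(stack + (path,)))
    if depth > MAX_IMPORT_DEPTH:
        raise RuleLoadError(f"import depth exceeds {MAX_IMPORT_DEPTH} at {path!r}")
    if path not in fs:
        raise RuleLoadError(f"no such file: {path!r}")
    out = []
    for line in fs[path].splitlines():
        m = _IMPORT_LINE.match(line)
        if m:
            target = resolve_import(path, m.group(1))
            out.append(load_rule(fs, target, depth + 1, stack + (path,)))
        else:
            out.append(line)
    return "\n".join(out)


def load_result(fs: dict, path: str):
    """(True, expanded_text) on success, (False, error_message) on rejection."""
    try:
        return True, load_rule(fs, path)
    except RuleLoadError as e:
        return False, str(e)


def make_chain_fs(n: int) -> dict:
    """Constructed file system where rule i imports rule i+1, n files long."""
    fs = {f"/rules/r{i}.jsonnet": f'import "r{i + 1}.jsonnet"' for i in range(n - 1)}
    fs[f"/rules/r{n - 1}.jsonnet"] = "end"
    return fs


# Constructed sample rule files
SAMPLE_FS = {
    "/rules/main.jsonnet": 'import "lib/common.libsonnet"\nrules: [shared]',
    "/rules/lib/common.libsonnet": "local shared = 1;",
    "/rules/escape.jsonnet": 'import "../../etc/passwd"',   # escapes /rules
    "/rules/a.jsonnet": 'import "b.jsonnet"',                # a <-> b cycle
    "/rules/b.jsonnet": 'import "a.jsonnet"',
}

if __name__ == "__main__":
    for name in ("main", "escape", "a"):
        print(name, load_result(SAMPLE_FS, f"/rules/{name}.jsonnet"))
    print("deep chain", load_result(make_chain_fs(MAX_IMPORT_DEPTH + 6), "/rules/r0.jsonnet"))
```

Cycle detection and a depth cap are both needed: a cycle recurses forever regardless of any finite bound, and a very long acyclic chain stays within the cycle check while still exhausting the stack.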
Semgrep · v1.161.0

1.161.0 - 2026-04-22

### Added
  • Scala 3.4+ trait parameters are now parsed correctly. (lang-73)
### Fixed
  • Semgrep's HTTP requests no longer log URLs above the debug level; full request details remain available when running with SEMGREP_LOG_SRCS=cohttp.client. (ENGINE-2712)
Semgrep · v1.160.0

1.160.0 - 2026-04-16

### Added
  • Scala: Added tree-sitter parser for improved parsing accuracy with pfff fallback. (LANG-255)
  • pro: taint: Improved support for variadic functions. (LANG-375)
### Fixed
  • Fixed performance issues during parsing Semgrep rules containing emoji or other non-BMP Unicode characters. (gh-6070)
  • Emit a warning when semgrep-core rule validation fails and falls back to JSON schema validation, alongside details of the failure. (gh-6071)
Semgrep · v1.159.0

1.159.0 - 2026-04-10

### Fixed
  • Semgrep now reports an error instead of silently returning zero findings when target file discovery fails (e.g., due to a git ls-files failure). (ENGINE-2626)