Semgrep Release Notes

Added a prompt for users to log in with their corporate SSO credentials instead of their GitHub or GitLab credentials when their organization has corporate SSO configured.
Added workflow execution usage information to the AI credits dashboard so users can see workflow runs alongside scans, triage actions, and fixes.
Added the ability to download contributor usage information from Settings > Usage & Billing.
Added AI-powered detection findings to the findings API endpoint (GET /api/v1/deployments/{slug}/findings).
Added Jira ticketing support for AI-powered detection findings.
Added the ability to manually run full scans for the non-default or non-primary branches using Semgrep Managed Scans.
Added the ability to retry Semgrep Managed Scans that failed or didn't complete.
Semgrep Guardian: added support for a Supply Chain hook.

Changed

The interfile analysis engine has been redesigned to improve performance. These improvements change how findings are generated, which might result in additional true positives and fewer false positives.
Contributor seat limit alerts now explain that scans continue as a courtesy when an organization exceeds its seat limit, replacing the previous inaccurate "scans will be paused" text.
Removed the Fixed in time filter option from all Findings pages.
The Projects list now includes Semgrep Managed Scans that are pending or have never started scanning.
Semgrep Playground is now mobile-friendly.

Fixed

Fixed an issue where invalid configurations caused the Integrations page to not load. Semgrep now displays a meaningful error and allows users to edit or delete the configuration.
Fixed an issue where Semgrep did not save changes when Gradle or Maven registry integration credentials were updated.
Fixed an issue where the Settings > Usage panel incorrectly showed a subset of seats when a deployment had multiple active licenses for the same product instead of the correct combined total.
Fixed an issue where the Remove user from organization button was available to Managers, allowing them to remove Admin users.
Fixed an issue where read-only users could upload CLI scan results and overwrite findings by setting SEMGREP_REPO_DISPLAY_NAME. CLI scan endpoints now enforce scan permissions.
Fixed an issue where CSV findings exports failed with IndexError: list index out of range for some users when a paginated batch returned an empty list.
Fixed the repos filter on the findings and issues API endpoints to use case-insensitive matching.
Fixed an issue where the provisionally ignored filter for the public findings API endpoints returned all findings.
Fixed an issue where the Jira integration failed to load for deployments that saved their Jira configuration before support for AI-detection findings was added.
Fixed an issue with the SARIF trace output for taint mode so that it now uses the correct file URI and includes the sink call trace in codeFlows.
IDE: fixed an issue where network errors occurring during token verification resulted in saved tokens being cleared.
Minor UI fixes.

💻 Semgrep Code

Added

The finding details page now displays the reason why a finding was ignored at the top. Users no longer need to go to the Activity section to see this information.
Added the findings count and a link to view findings to the AI-powered detection scan progress timeline.
Added AI-powered detection findings to the Findings CSV export file.
Improved support for variadic functions in taint-tracking mode.
Scala: added tree-sitter parser to improve parsing accuracy.

Fixed

Fixed an issue where the AI-powered detection scan time estimate was overinflated.
Fixed an issue where Autofix wasn't able to create a GitHub pull request due to the Semgrep GitHub app requesting insufficient permissions.
Fixed an issue where Autofix features were unavailable to organization members, as well as admins.
Fixed an issue where Autofix displayed a suggested fix for Supply Chain findings. Autofix is only applicable to Code findings.
Fixed an issue where Autofix errored out when attempting to open pull requests for Azure DevOps repositories. Semgrep now rejects these requests since Azure DevOps isn't supported.
Fixed an issue where Autofix errored out when handling requests involving archived repositories. Semgrep now rejects these requests and displays an error message accordingly.
Fixed an issue where some GitHub Enterprise users stopped seeing Autofix pull requests.
Fixed an issue where provisionally ignored findings couldn't be triaged without a comment provided.
Fixed Autofix pull request descriptions so that they properly display the user's GitHub username.
Fixed an issue with GitHub App permission checks, which had been using app manifest permissions, or what the app declares, instead of installation-level permissions, or what was actually granted, causing the Autofix button to be incorrectly hidden or shown.
Fixed performance issues during the parsing of Semgrep rules containing non-BMP Unicode characters
Scala:

Fixed an issue with trait parameters in versions 3.4.x and later so that they are now parsed correctly.

Fixed an issue where Semgrep failed silently instead of returning an error when target file discovery fails.

⛓️ Semgrep Supply Chain

Added

Added reachability coverage for Rust.
Supply Chain advisories now have dedicated detail pages, replacing the previously used drawers.
Added dependency path information to the SBOM exports and the Issues API endpoint.

Fixed

Fixed an issue with legacy Supply Chain findings URLs that resulted in the findings page showing zero results.
Fixed the Dependencies filter on the Findings page so that exact matches rank above all other matches.
Fixed the advisory ID search so that it is case-insensitive.
Fixed an issue where the Autofix API endpoints accepted pull requests for issues that were already fixed, removed, or ignored.

🤖 Semgrep Multimodal

Added

Added IAM role-assumption authentication mode for AWS Bedrock BYOK. In addition to static access keys, users can now configure an IAM role ARN and grant Semgrep cross-account access using the generated external ID.

Changed

Findings of critical or high severity with high or medium confidence identified during diff-aware scans are now included in autotriage analysis.
The memory creation dialog now prompts users to create specific, named memories, such as "ConfigService is an internal backend service" rather than generic, conditional memories.

Fixed

Fixed an issue with pull request comment URL construction for tag-scoped and deployment-wide memories that previously resulted in no pull request comments being posted.