🌐 Semgrep AppSec Platform​

Added​

• AI-powered detection scanning is now available as a public beta feature. Organizations using Semgrep Multimodal have AI Detection enabled by default.
• Click to Fix has been renamed to Autofix across the product. Autofix is now in public beta, providing automatic, AI-generated pull requests (PRs) for Code and Supply Chain findings.
• Semgrep is now available as a Cursor and Claude Code plugin, providing automatic security scanning for Code, Supply Chain, and Secrets on every file.
• Added v2 deployment APIs to list and bulk create, update, or delete rule scopes, so you can manage which projects or tags a rule applies to, with optional filtering by project or tag.
• Added a File path filter on findings pages for Code, Supply Chain, and Secrets, with the matching path highlighted in the list.
• Added Duplicate as a triage reason for findings when multiple rules surface the same issue or when the same issue is tracked elsewhere.
• Added SCIM directory provisioning controls in Admin settings and v1 APIs, with WorkOS-based setup, directory status visibility, and disconnect support for enabled SSO organizations.
• Added v1 APIs to link findings to an existing ticket URL or remove linked tickets when a ticketing integration is configured. Linking a ticket replaces any existing ticket associated with the selected findings.
• Exception request activity with the fields created, approved, and rejected now appears in the finding timeline for better audit visibility.

Changed​

• On the Rules & Policies > Policies page, the Projects scanning column now replaces the previous global on/off toggle. You can scope each rule to all projects, selected projects or tags, all projects with exceptions, or disable the rule for all projects. A drawer provides project search, filters, and bulk selection.
• Billing & Usage updates:
  • When a deployment enforces AI credit limits, Semgrep AppSec Platform now shows alerts for low or exhausted credits and disables AI-powered detection scans, Multimodal, AI-powered triage, and Autofix with clear tooltips. If enforcement is off, these credit indicators stay hidden.
  • Contributor counts reflect the last 90 days of activity, instead of 30, with aligned usage cards and a loading state for AI credits.
  • When AI usage blocking is enabled for a deployment, AI-powered triage, Autofix, and AI-powered detection scans are checked before they run.
  • Sandbox and proof-of-value deployments can be provisioned with no end date for subscriptions or AI credit
  • Billing timezones default to UTC for new organizations on usage-based billing.
  • Several improvements to the AI Billing section in the admin panel.
• The Findings page now loads code snippets after the main finding details. Slow or unavailable source code managers are less likely to block the page or cause timeouts.
• Simplified GitHub onboarding by requiring only a single GitHub App installation instead of two. Existing users can now uninstall the public GitHub App if previously installed.
• GitHub Cloud source code manager connections can now be added without requiring GitHub SSO login, and users can connect multiple GitHub organizations.
• Improved member invite emails so invitations clearly require authorization through your login methods.
• Improved exception request approval workflow to combine notes from both the requester and approver into the issue's triage note for better context.
• Package registry integration settings include an option to use the Semgrep Network Broker when a registry is only reachable through your private network.
• Improved load times for the Projects page, Policies registry search, and source code repository sync for large deployments.
• Reset SSO in the admin panel now shows the SSO portal link.
• Organizations without the Enterprise SSO plan entitlement can use SSO settings and provider setup when Semgrep explicitly enables that access for your deployment.

Fixed​

• Fixed minor security vulnerability in SAML login handling, application container run web services, and read-only permissions.
• With RBAC enabled, read-only users can no longer trigger scans from the Semgrep AppSec Platform or API, including Run a new scan and Semgrep Managed Scans.
• Added server-side validation to enforce the 3,000 character limit for triage notes across all API endpoints.
• Fixed findings links across Semgrep products so shared URLs, bookmarks, dashboard shortcuts, and notification links preserve the correct branch and tab context.
• Fixed Settings page scroll behavior so top-level tabs stay visible after load.
• Fixed an issue where invalid webhook configurations would cause the Integrations page to become unusable.
• Fixed an issue where one broken or revoked ticketing connection could prevent all ticketing integrations from loading.
• The Enable Secrets button now links to the correct Settings page.
• Fixed an issue where custom policies with no rules assigned would cause the Policies page to load indefinitely.
• Fixed an issue where the Policies page would crash when rulesets contained soft-deleted rules.
• Fixed an issue where filtering by rule mode on the Code Findings page would break the project filter, causing findings from all projects to appear.
• Fixed Findings page scroll when nested lists were still collapsed.
• Fixed an issue where findings in Reviewing had no action to continue triage. Mark as open in the finding menu sets the finding to Reopened.
• Fixed an issue where OpenID Connect SSO login could fail after recent provider updates that require the iss parameter.
• Fixed an issue where Slack notifications were missing merge request hyperlinks for self-managed GitLab instances with custom domain names.
• Fixed an issue where API errors could incorrectly display the RBAC enablement screen for deployments that already had RBAC enabled.
• Fixed an issue where Azure DevOps Cloud was incorrectly classified as an on-premises source code manager, causing incorrect warnings and blocking setup for valid cloud configurations.
• Fixed an issue where automatically setting up the same repository in multiple Semgrep projects could trigger duplicate PR diff scans. Semgrep now auto-configures diff scans only for the first linked project; additional linked projects continue to receive automatic full scans, and diff scans can still be configured manually.
• Fixed an issue where bulk triage API requests with incorrect field names, such as finding_ids instead of issue_ids, would silently fail instead of returning a clear error message.
• Added validation to reject bulk triage API requests that provide neither issue_ids nor filter criteria, preventing accidental triage of all findings.
• Fixed an issue where bulk ignore required a comment before you could submit when changing provisionally ignored findings to ignored, even though a comment is optional for that action.
• Fixed several minor issues with AI credits billing and usage:
  • AI credits could previously show as zero on Billing & Usage when active credit grants had been in place for a long time.
  • The same AI credits usage could previously be counted more than once for organizations with multiple active licenses.
  • AI credits could previously expire before the subscription ended on some prorated or multi-year plans.

🔁 Semgrep Workflows​

Added​

• Semgrep Workflows (beta) is a new framework for automated code security pipelines across Semgrep Code, Supply Chain, Secrets, and Semgrep Multimodal, with pre-built and custom workflows on Semgrep-managed infrastructure. See Workflows for details.

💻 Semgrep Code​

Added​

• The Code page now shows AI-powered detection findings and rule-based scan findings, with filters to help you view each type separately.

Fixed​

• Fixed finding details so the Rule-defined fix tab appears for rules that define a regex-based fix, not only rules that use a standard fix field.

⛓️ Semgrep Supply Chain​

Added​

• Lockfileless dependency scanning for Java and Kotlin projects is now in public beta. Maven, Gradle, Artifactory, Nexus Cloud, and on-premises source code managers are supported.
• Added an admin-only API to re-run upgrade requirements analysis for Supply Chain findings. Each request can include up to 10 issues.

Changed​

• Supply Chain dependency search includes an Exact match option so you can use strict package-name matching or substring-style matching per filter.
• Added Autofix filters to the Supply Chain findings. Supply Chain Autofix PRs now display detailed PR descriptions.
• Supply Chain finding details show reachability in one place at the top of the page instead of repeating it next to remediation, where it could appear inconsistently.
• Simplified Upgrade guidance filters on Supply Chain findings. Breaking is now a single filter that matches any breaking-change type instead of four separate options.
• Supply Chain AI-powered upgrade guidance is now scheduled faster.
• Disabling Semgrep Multimodal turns off Supply Chain upgrade guidance, so it is not left enabled without model providers; dependency processing also skips starting upgrade-guidance work when no AI providers are configured.
• Supply Chain periodically refreshes cached dependency license metadata from upstream sources so license identifiers stay closer to current public SPDX data.

Fixed​

• Fixed cases where Supply Chain Autofix could select the wrong workflow when the ecosystem sent from the browser did not match the ecosystem on the finding from the scan.
• Fixed an issue where the custom dependency exception modal would not accept version numbers without a patch component, for example 1.19, blocking exceptions for packages that don't follow strict semantic versioning.
• Fixed an issue where searching for dependencies with special characters, like :, in their names would fail with an error.
• Fixed an issue where the Safe upgrade guidance filter would incorrectly include findings with no upgrade guidance available.
• Fixed a security issue in the Supply Chain upgrade requirements API by adding missing authorization checks.
• Fixed a security issue in the Supply Chain dependency path API.

🤖 Semgrep Multimodal​

• Semgrep Assistant is now Semgrep Multimodal. The terminology has been updated throughout the interface to better reflect its AI-powered capabilities.

Fixed​

• Fixed Suggested memories failing to load for memories created from PR triage comments.

🔐 Semgrep Secrets​

No product updates in this release.

📝 Documentation and knowledge base​

Changed​

• The v1 API reference now documents request bodies for POST, PUT, and PATCH operations instead of showing those inputs as query parameters. GET and DELETE behavior in the reference is unchanged.

🔧 OSS Engine​

Added​

• Improved scan performance through compiler-level optimizations, with notable improvements for both diff and full scans.
• Added PowerShell language support (beta), including parsing and pattern matching capabilities.
• Added support for agentic hooks in Windsurf IDE.
• Improved Pro taint tracking through lambda calls, cross-file tracking for globals, and better Scala type and call resolution.

Changed​

• Updated Kotlin tree-sitter parser to the latest grammar.
• Supply Chain analysis of npm package lock files now uses a proprietary parser and is available only to Semgrep Pro users.
• Semgrep secret validation now times out after 30 seconds instead of 15 minutes. This timeout is configurable via the --secrets-timeout flag.

Fixed​

• Fixed path filtering when scanning single files to correctly match project-relative patterns like /src/test/**/*.java.
• Fixed requirements.txt parser silently dropping pinned dependencies that followed unpinned package names.
• Improved error reporting by surfacing target file discovery errors as warnings instead of silently ignoring them.
• Fixed various parsing issues in Rust, Python, and Kotlin.

• The following versions of the OSS Engine were released in March 2026:
  • v1.155.0
  • v1.156.0
  • v1.157.0

🌐 Semgrep AppSec Platform​

Added​

• CLI:
  • Added the --x-mem-policy flag to configure the OCaml garbage collector. Options are aggressive (the default), which uses less memory at the cost of longer scan times, or balanced, which compromises heap memory reclaiming while limiting how often the garbage collector runs. This flag is available only for Pro users.
• MCP:
  • Hooks for both Claude Code and Cursor now pull custom rules from the Semgrep Registry.
  • Enabled DNS rebinding protection for the MCP server.

Changed​

• Improved the accuracy of taint tracking through assignments, which helps reduce the number of false positive findings.
• The Network Broker configuration screen now allows only one public key, preventing users from adding multiple keys, which Semgrep does not support.
• The CWE tooltip message on a finding's Details page now displays the CWE name associated with the finding instead of a generic CWE name.
• Improved the performance of Findings page filters.
• Minor cosmetic changes to the Findings page.
• CLI:
  • Bumped glom to version 23.3.
  • The CLI waits longer before retrying a request if it receives a HTTP 429 or 5xx response from Semgrep.
  • Minor cosmetic changes to the Scan Summary section of the Semgrep CLI response.
  • Blocking findings are now labelled in the CLI response.

Fixed​

• Fixed an issue where claiming a license caused Semgrep AppSec Platform to crash.
• Fixed an issue where the Projects page didn't display findings counts if the previous scan failed.
• Fixed an issue where the Semgrep Editor crashed when viewing metadata for select rules.
• Fixed an issue where Semgrep returned more false negatives when the maximum number of fields to track per object was reached during scans.
• Fixed an issue that allowed authors of pull requests or merge requests to update project tags by changing the .semgrepconfig.yml file. Project tags can now be updated only on full scans.
• CLI: fixed an issue where Semgrep printed info log lines when --trace was passed, but not --debug.

💻 Semgrep Code​

Added​

• Added experimental support for the OpenFGA authorization language.
• Added support for case-insensitive string comparisons using lower() and upper():

  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  

• Scala: added taint flow support for for-yield:

  def test(x: X) = {
    for {
      y <- foo(x)
      z <- bar(y)
    } yield {
      z
    }
  }
  

Fixed​

• Scala: fixed a parsing issue where subsequent calls in an implicit block weren't considered to be in the same scope:

  def f (a: t) =
    foo()
    bar()
  

⛓️ Semgrep Supply Chain​

Added​

• You can now pass environmental variables to third-party package managers using SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object, as part of the dependency resolution process invoked by --allow-local-builds.

Changed​

• The CVE links on the Supply Chain Findings page now link to specific Advisories pages instead of a general NIST definition of the security issue.

Fixed​

• Fixed an issue that prevented the Enable Supply Chain toggle from working.
• Fixed an issue that prevented the Dependency filter on the Supply Chain Findings page from returning all results.

🤖 Semgrep Assistant​

Changed​

• The feedback dialog for auto-triage now allows you to provide comments in addition to selecting whether you agree or disagree with the recommendation.

Fixed​

• Added the following missing values to the Findings pages' Assistant file risk level filter: High risk > cryptography, Low risk > observability, and Low risk > sample code.

🔐 Semgrep Secrets​

Fixed​

• Fixed an issue where custom secrets couldn't be added to a policy if multiple policies are active.

📝 Documentation and knowledge base​

Added​

• Added information:
  • Managing and using Semgrep access tokens
  • Re-running Semgrep Managed Scans

Changed​

• Major updates to Usage and billing.
• Reorganized the Supported languages information.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in February 2026:
  • 1.153.0
  • 1.152.0
  • 1.151.0

🌐 Semgrep AppSec Platform​

Added​

• You must now authenticate through OAuth when connecting to the MCP server using Streamable HTTP.
• CLI:
  • Improved the performance of scan planning by reducing the cost of re-hashing Target objects. Semgrep's performance improvement on scans of large projects is proportional to the number of files in the project.
  • In --debug mode, Semgrep warns you if you attempt to run a parallel scan with a larger value for -j/--jobs than the number of CPUs Semgrep has detected as available for use.
  • Semgrep now provides a suggested starting value for -j/--jobs.
  • semgrep login now supports the use of --force, which ignores existing tokens and starts a new login session.

Changed​

• Semgrep AppSec Platform's Findings page displays more descriptive rule group names, and the Finding Details page displays more descriptive rule names. For example, sequelize-express is now SQL injection in Sequelize with Express.
• The MCP server no longer supports SSE transport.
• CLI:
  • Semgrep's CLI tool now uses uv instead of pipenv for package management.
  • semgrep ci no longer applies autofixes to local projects, even if the Suggest autofixes toggle in Semgrep AppSec Platform is turned on.

Fixed​

• Fixed an issue where time filters didn't return the correct findings.
• Fixed an issue where Semgrep didn't consistently select the same findings across scans when deduplicating findings. Previously, the selected findings were always equivalent, but they weren't guaranteed to be identical. For example, the findings' metavariable bindings could differ. Depending on the rule used and the target code, this behavior could cause the fingerprints of findings to change from one scan to another.
• Fixed an issue where email addresses used for SSO were case sensitive.
• Fixed an issue where Semgrep AppSec Platform displayed non-shared GitLab projects for the group.

💻 Semgrep Code​

Fixed​

• Improved the handling of parsing errors during interfile analysis. These errors are now reported to you and included in the JSON output.
• Fix an issue resulting in bad file descriptor errors when performing Git operations on Windows machines.
• Java: improved virtual method resolution.
• Python: Dataflow analysis now accounts for for/else and while/else loops.
• Scala: improved virtual method resolution.

⛓️ Semgrep Supply Chain​

Added​

• Semgrep’s reachability analysis now covers all critical and high severity CVEs from supported sources starting in 2017 across all supported languages.
• Diff-aware scans are now faster because Git-untracked files no longer slow down subproject discovery.
• Added support for Gradle lockfiles of the form gradle*.lockfile. Previously, only files with the exact name gradle.lockfile were supported.

Changed​

• Dependency search now allows you to search for one or more packages using:
  • The name of the package
  • An exact version number
  • A range of version numbers

Fixed​

• Improved the performance of Supply Chain scans by reducing pre-computation when printing scan status information. Note that less information is displayed if there are no rules to run.
• Fixed an issue with version range matching for npm packages where the version number contained a pre-release identifier, such as -alpha in 1.2.3-alpha.

🤖 Semgrep Assistant​

Added​

• Members can now create suggested memories for Assistant when triaging findings in Semgrep AppSec Platform. Previously, only admins could do so.

Fixed​

• Fixed an issue where code suggestions that involved removing code didn't render in the diff correctly.

📝 Documentation and knowledge base​

• Minor updates and fixes.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in January 2026:
  • v1.147.0
  • v1.148.0
  • v1.149.0
  • v1.150.0

🌐 Semgrep AppSec Platform​

Added​

• Added a new Priority tab on Findings page to display high-priority findings. Each product has default priority categories, and Semgrep admins can customize the Priority tab to control which findings appear. Admins can save Priority tab filters for all users.
• Added a new Provisionally ignored finding status.
• Commit author emails now appear in the finding's Details when available.

Changed​

• The Findings page now has improved navigation and more intuitive links. The code path now opens the finding's Details page, and an in-product tour introduces the new layout.
• On the Projects page, project names now link directly to project details, making it easier to access scan information from the project list.
• On the finding's Details page, when no ticketing integration is configured, the Fix drop-down now includes a prominent link to the relevant Integration settings page.
• The Settings page has been reorganized to highlight commonly used features and make it easier to find what you need.
• The triage-by-comment setting is now available in the Settings > Global section, making it easier to manage across products.
• When SSO is enabled, the Semgrep AppSec Platform now shows warnings for social authentication in Settings > Access > Login methods and highlights users using social auth in Settings > Users, helping admins identify and reduce security risks.
• Newly created users who sign in with SSO are now added only to the default deployment, reducing unintended access in multi-deployment organizations.
• Activating or deactivating SSO and other authentication providers now shows more user-friendly success and partial-failure messages.
• The Today section on the Reporting page now uses the same priority definitions as the Findings page, including any custom priority settings.
• The Guardrails chart now shows provisionally ignored findings instead of the previous Filtered by Assistant field, providing a more complete view of findings excluded from the default list of Open findings.
• User search on the Manage users page has been simplified. You can now search by email, username, or ID using a single search field, without selecting the search type first.

Fixed​

• Fixed incorrect tab selection during navigation so the correct tab is now highlighted when viewing pages under the project path.
• Fixed IdP-initiated SAML login issues. You can now sign in successfully using IdP-initiated SAML.
• Fixed Assistant triage actions for read-only users. Read-only users can no longer record agreement with Assistant analysis, and the activity timeline now reflects only actions taken by users with triage permissions.
• Fixed an issue where the Connect button remains disabled when adding a new GitHub Enterprise connection.
• Fixed an issue where the Save and Reset buttons appear only when you’ve modified filters or have saved views to manage.
• Fixed CNAPP visibility for non-admin users. Users with access to findings can now see CNAPP integration status, ensuring CNAPP filters and descriptions display correctly.
• Fixed an issue where the Users page did not reset when changing the search query.
• Fixed an issue where the Teams search bar was unusable when adding users or projects.
• Fixed an issue preventing custom OpenAI API keys from being saved.
• When a scan is running, the Analyze button on the finding's Details page is now disabled and displays an explanatory tooltip on why this is the case.
• Fixed several issues with Findings page filters:
  • The Save and Reset buttons only appear when you've modified the filters or have saved views to manage.
  • Changes to time-based filters persist.
  • Team filters now appear only when RBAC is enabled, ensuring filters reflect your deployment’s access controls.

💻 Semgrep Code​

Changed​

• Git Large File Storage (LFS) objects are excluded from baseline scans. Files tracked with Git LFS are no longer scanned during baseline runs, avoiding large or binary files that are not supported by Semgrep.

Fixed​

• Fixed an issue where findings in files that time out or fail to scan were set to a status of Fixed, ensuring scan results more accurately reflect what was actually analyzed.
• Fixed validation failures for valid rules. Rules that include emoji in the message field now validate correctly.
• Fixed an interfile scan timeout regression, restoring the previous default job behavior to prevent unexpected timeout changes.
• Fixed an issue with duplicate scans triggered by GitHub pull request updates. Semgrep now processes pull request update events only once, preventing duplicate scans for the same change.

⛓️ Semgrep Supply Chain​

Added​

• The Advisories page now shows impacted projects and branches. You can now click on an advisory to see affected projects and branches and use quick links to go directly to relevant findings.
• Added new High severity reachability rules to improve vulnerability detection for Java, Kotlin, and Scala projects that use Maven.
• Added symbol analysis support for Supply Chain–only scans when calling semgrep ci.

Changed​

• The Dependencies page's License filter now supports the section of multiple license types, so you can view dependencies that are Allowed, Blocked, and Commented at the same time.

Fixed​

• Fixed project filtering on the Dependencies page such that filtering by multiple projects now works as expected, and the search field clears correctly after you select a project.
• Fixed symbol analysis to analyze only relevant language files per ecosystem during Supply Chain scans.
• Fixed CVE filter chip labeling for shared rules such that filter chips now show all applicable CVEs instead of only the first.
• Fixed missing findings in advisory filters. Advisory filters now correctly show all existing findings.
• Fixed project selection in Supply Chain filters, allowing you to select multiple projects as expected when filtering results.

🤖 Semgrep Assistant​

Added​

• Added support for Cursor post-generation hooks, enabling Semgrep to integrate with Cursor workflows after code generation.
• Assistant memories now include links to the pull request or merge request comments where triage decisions were made, improving traceability back to the original source.

Changed​

• Pull request comments for findings generated using Semgrep-authored rules now include Assistant-generated explanations to help developers understand the findings. The summary message can be expanded to show additional details.
• Findings in Semgrep AppSec Platform now include Assistant-generated explanations to clarify why a rule matched your code and a concise summary, if available.
• Assistant notifications now show more specific error messages, helping you understand why an analysis could not run.
• When multiple rules share the same name, the full rule path is now shown in Semgrep AppSec Platform to help distinguish them.

Fixed​

🔐 Semgrep Secrets​

Changed​

• Semgrep Secrets findings are now assigned a severity of Critical. This applies to Secrets findings from scans performed after November 2025. Any existing findings from those rules will be updated to Critical after the project's next full scan.

Fixed​

• Fixed an issue with configuring Slack notifications for Secrets policies. Selecting a Slack channel no longer causes the page to crash, and configurations now save successfully.

📝 Documentation and knowledge base​

Added​

• Improved API documentation for Ruleboards and Policies. The API docs have been updated to correctly display request parameters in the request body and hide path parameters, making it easier to understand and use these endpoints.

🔧 OSS Engine​

Changed​

• Semgrep’s Docker image now uses Alpine Linux 3.23

• The following versions of the OSS Engine were released in December 2025:
  • 1.145.0
  • 1.146.0

🌐 Semgrep AppSec Platform​

Added​

• Cortex and Sysdig integrations are now generally available. Semgrep now uses deployment status and, for Cortex, internet-exposure data from these CNAPP providers to better prioritize findings.
• The Settings > General tab now displays all Semgrep product settings on a single page.
• Added the ability for non-admin users to complete the Semgrep GitHub App installation process using an install-request link. This ensures that private GitHub App installations can proceed, even when the initiating user lacks org admin permissions.
• Added a new Validate button and improved connection status visibility for CNAPP integrations. You can now see the validation state, last successful sync time, and clearer error conditions directly in Semgrep AppSec Platform.
• You can now update and delete customizable and saved views using the API. The endpoint returns a 404 if the view does not exist.
• Added support for filtering projects by status, including setup, uninitialized, and archived, in the Projects API endpoints, enabling more precise control when retrieving project lists.
• Added support for filtering projects by status, including setup, uninitialized, and archived, in the Projects API endpoints, enabling more precise control when retrieving project lists.
• Added missing fields commit and enabled_products to the GetScan v2 API response to achieve parity with v1 and ensure you receive complete scan metadata.
• Added support for updating a project's primary branch through the Public API v2, enabling parity with the v1 Projects API endpoint.
• Added support to the Public API for mutating project tags, enabling automated workflows to add, remove, or update tags on projects.

Changed​

• The API tokens and CLI tokens tabs under Settings → Tokens are now paginated, significantly improving page load speed for teams with many tokens.

Fixed​

• Fixed several issues with RBAC team-based filtering that caused you to see incorrect repository or findings access in certain deployments. You should now see correct repository and findings access based on their team permissions.
• Fixed an issue where the self-service checkout flow failed with an "Unrecognized enum value" error when starting a billing upgrade. You can now successfully initiate checkout sessions again.
• Fixed an issue where Jira automations persisted after deleting the Jira integration. Automations are now deleted when the integration is removed.
• Fixed an issue with the Settings pages where some searches resulted in no results on later pages.
• Fixed an issue where organization admins could not see projects without team assignments when RBAC was enabled. All projects now correctly appear in the Projects page for admins.
• Fixed an authorization issue in Network Broker key management.
• Fixed an issue where GitLab merge-base requests were serialized incorrectly, causing errors or inconsistent diff detection for GitLab users.
• Fixed an issue where rule descriptions on the Findings page used a fixed width. Descriptions now scale responsively again.
• Fixed an issue where GitHub SSO orgs using personal GitHub accounts made unnecessary calls to GitHub during user sync.
• Fixed an issue where new CNAPP integrations displayed an incorrect error state in Semgrep AppSec Platform.
• Fixed an issue where opening the scan's Details reset existing URL filters. Semgrep now preserves all active filters when you navigate to the Details page.
• Removed the ability for users to remove their own access in Access Control.
• You can no longer click the Run a new scan buttons on the Projects list and Project Details pages if you disable Managed Scans for the project.

💻 Semgrep Code​

Added​

• MCP: added the -k / --hook flag to enable Semgrep scans from Claude Code Agent post-tool hooks.
• Go: enabled taint tracking across goroutines, improving detection accuracy in Go projects.

Changed​

• Semgrep now uses your source code manager to determine changes between branches during a scan. If you're using Network Broker, you must upgrade to benefit from this improvement if you are on GitLab self-managed v0.36.0 or earlier or GitHub Enterprise v0.31.0 or earlier.

Fixed​

• The progress bar for semgrep scan and semgrep ci now consistently reaches 100%.
• Rust: Fixed missing type alias translations so that Semgrep can correctly match the () type in type declarations.
• Scala: Fixed several issues with Scala match-expression handling in dataflow analysis, improving accuracy.

⛓️ Semgrep Supply Chain​

Added​

• Malicious dependency detection is now generally available. Semgrep detects malicious packages, including malware, typosquatting, and credential-stealing dependencies, using over 80,000 rules.
• Added a toggle in Supply Chain settings that allows you to disable malicious dependency rules. This provides an opt-out for teams who prefer not to run these rules or who encounter performance issues.
• Added a new checkbox in the Jira Customize ticket creation dialog that allows teams to automatically create tickets for malicious dependency findings on any branch.

Fixed​

• Semgrep AppSec Platform now displays the correct severity for Supply Chain findings, resolving a mismatch with automations and the CLI. Some existing findings may show updated severities, but policies and Jira workflows are unaffected.
• Fixed an issue that caused Supply Chain scans to fail when encountering newer manifest types.
• Fixed an issue where searches for dependencies only filtered the first page of results. Dependency filters now correctly return complete, accurate results.
• Fixed inaccurate dependency and lockfile counts in Supply Chain pages.

🤖 Semgrep Assistant​

Added​

• You can now see rule and analysis explanations on the finding’s Details page. When a finding is classified as a true or false positive, an alert appears, and a detailed explanation is available in the Finding description tab. For true positives, it includes code context and threat-model rationale; for false positives, it includes reasoning only.

Changed​

• Assistant now automatically analyzes all new Critical and High severity findings with Medium or High confidence in full scans, removing the previous 10-issue limit.

Fixed​

• Removed outdated warning text from the Assistant autofix.
• Fixed an issue where agreeing with an auto-triage verdict incorrectly marked findings as ignored. Findings are now only auto-ignored when user assigns it as a False Positive.

📝 Documentation and knowledge base​

Added​

• Added the following knowledge base articles:
  • Semgrep Managed Scans doesn't run for pull requests in GitHub merge queues
  • Why does the Projects page display a different dependency count from the Dependencies page?

🔧 OSS Engine​

Added​

• The following versions of the OSS Engine were released in November 2025:
  • 1.143.0
  • 1.144.0

🌐 Semgrep AppSec Platform​

Added​

• Semgrep Managed Scanning is now generally available. With Managed Scans, you can add repositories to your Semgrep organization in bulk without changing your existing CI workflows, and integrate Semgrep into developer workflows through PR or MR comments.
• Added a Remember my email checkbox to the SSO login page.
• Added the ability to change the name of Teams.
• The Semgrep CLI is now compatible with machines running Python 3.14.

Changed​

• The Scan details page now updates the URL with a permalink for easier sharing when viewed.
• Semgrep's Docker image base has been upgraded from Alpine Linux 3.21 to 3.22.
• semgrep/semgrep images now ship with Go 1.24.
• Improved performance by preventing unnecessary data fetches when scan details aren’t needed.

Fixed​

• Fixed an issue where filtering findings using project tags doesn't return results.
• Invalid CLI tokens now produce a clear error instead of a malformed success message.

💻 Semgrep Code​

Added​

• Semgrep Code findings now show Assistant's true or false positive analyses more prominently, along with which memories Assisted used during analysis. The findings also present the threat model for specific security issues in the context of the code, along with a summary of each issue.
• The /setup_semgrep_mcp command now supports Claude Code.

Changed​

• Temporary files created for rule checks are cleaned up after scans.
• The rule validation check now includes a language check to ensure that only valid languages are used, preventing invalid rules from being added to policies.

Fixed​

• Fixed an issue where some scans terminated with exit code 7.
• MCP:
  • Fixed tool calls failing for some models, such as GPT-5.
  • Fixed a bug where resource closure errors occurred when trying to use the MCP with the streamable-http transport method.

⛓️ Semgrep Supply Chain​

Added​

• Supply Chain's reachability analysis now covers all high-severity CVEs from supported sources starting from 2017 for Go packages.

Fixed​

• Supply Chain subproject resolution table is now shown in the CLI output after a scan, even when no subprojects were successfully resolved.
• UV lockfiles that include editable and local dependencies without versions are now parsed correctly. The unversioned dependencies are ignored.
• Failures to parse UV lockfiles are now correctly reported as Failed rather than Unsupported.

🤖 Semgrep Assistant​

Added​

• Added a new filter for AI component tags with No decision, allowing users to find findings analyzed by the Assistant, but not classified as low or high risk.

Changed​

• Assistant's rule generation functionality in Semgrep AppSec Platform has been deprecated.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in October 2025:
  • v1.142.0
  • v1.141.0
  • v1.140.0

🌐 Semgrep AppSec Platform​

Added​

• Added the ability to filter Secrets findings by branch.
• Added a confirmation pop-up when switching between the Production and Pre-production views.

Changed​

• Jira: the Semgrep Jira integration now automatically creates Jira tickets for Semgrep Code and Semgrep Secrets findings with a critical severity level.

Fixed​

• Jira: Team information now loads when the user attempts to map to the Team custom field.
• Supply Chain's Advisories filter now filters based on the correct field.
• Fixed the handling of invalid GitHub refresh tokens. If a user's GitHub refresh token is invalid, Semgrep prompts the user to log in again.
• Minor UI fixes.

💻 Semgrep Code​

Added​

• Added the semgrep mcp subcommand to the Semgrep CLI tool, which runs the Semgrep MCP server.
• Improved pre-filtering for taint rules, primarily when taint labels are used.
• Scala: Added support for method dispatching through traits.
• TypeScript: improved name resolution for destructuring parameters.

Changed​

• The Semgrep MCP server repository has been moved from semgrep/mcp to semgrep/semgrep.
• Updated semgrep-interfaces to accept only valid language keys for rules in Semgrep Editor.
• Semgrep now filters SEMGREP_APP_TOKEN from any request made to non-Semgrep URLs passed to -f/-c/--config when fetching configurations and rules.
• Python: Fixed an issue involving the resolution of implicit namespace modules.
• TypeScript:
  • Fixed an issue where the pattern var $X = $FUNC($REQ, $RES, ...) {...} didn't parse correctly.
  • Improved the performance of tsconfig.json matching for TypeScript projects that contain multiple tsconfig.json files.

Fixed​

• Glob patterns containing \# or \ in .semgrepignore and included .gitignore files are now interpreted correctly.
• Updated opentelemetry-* packages to remove pkg_resources is deprecated warnings.
• Dart: Fixed an issue in language processing to return better results.

⛓️ Semgrep Supply Chain​

Added​

• Supply Chain's reachability analysis now covers all high severity CVEs from supported sources starting from 2017 for JavaScript packages.

🔐 Semgrep Secrets​

Added​

• Slack notifications for Semgrep Secrets is now publicly available.

📝 Documentation and knowledge base​

Added​

• Added instructions for connecting Semgrep to GitHub Enterprise Cloud with data residency.
• Added the following knowledge base articles:
  • Why can't I access my Semgrep organization after logging in with GitHub?
  • Why are my projects showing a status of "Not yet started" after I enable Managed Scans?
  • Remove users from your Semgrep AppSec Platform organization

🔧 OSS Engine​

• The following versions of the OSS Engine were released in September 2025:
  • 1.135.0
  • 1.136.0
  • 1.137.0
  • 1.138.0

🌐 Semgrep AppSec Platform​

Changed​

• Jira:
  • The labels Malicious Dependency and Non-malicious Vulnerability have been changed to Malicious Dependency and Not Malicious, respectively.
  • Jira tickets created for malicious dependency findings now include more prominent visuals, such as bolded rule messages, to help them stand out from other reachable findings.
  • The maximum number of findings associated with a specific Jira ticket has increased from 50 to 75.
• You can now connect to your GitHub repositories without needing to contact Semgrep Support, even if you don't use GitHub as your SSO provider with Semgrep.
• You can now view a project's details page while the scan is still in progress.

Fixed​

• Semgrep now maintains connectivity to repositories that you move from one GitHub organization to another.
• Bitbucket pull request comments from Semgrep now display with correct formatting.

💻 Semgrep Code​

Added​

• Added support for interfile analysis for Scala projects.
• Added a timeout to Semgrep's internal HTTP requests to prevent remote endpoints from indefinitely hanging the Semgrep engine.
• Improved pre-filtering for interfile rules enables the Semgrep engine to detect and skip unnecessary interfile rules earlier in the scan process.
• When a segmentation fault is encountered, Semgrep now displays backtraces with function names, filenames, and line numbers when available.
• PHP:
  • When enabling the option taint_assume_safe_booleans, the return values of boolval, is_bool, and || are considered safe.
  • When enabling taint_assume_safe_numbers, the return values of intval, floatval, +, -, *, /, and % are considered safe.

Changed​

• Semgrep scans no longer attempt to parse tsconfig files for non-TypeScript scans.
• CLI: the --json output of Semgrep's CLI now includes a time field or time object with profiling data.

Fixed​

• Fixed incorrect YAML parsing of strings like nan, where the strings were interpreted as a float instead of a string.
• Fixed a bug that prevented taint tracking through new in Java projects.
• Semgrep now substitutes metavariables for their values in a deterministic order to ensure keys for match-based IDs are stable.
• Error messages are logged, but not displayed as pop-ups in IDEs.

⛓️ Semgrep Supply Chain​

Added​

• Supply Chain's reachability analysis now covers all high and critical severity CVEs in Python packages from supported sources starting 2017 and onward.
• Supply Chain policies now support the exclusion of conditions. For example, you can define a condition such as When Reachability is not Always reachable.

🤖 Semgrep Assistant​

Added​

• Added support for the use of custom AWS Bedrock keys.

🔐 Semgrep Secrets​

Added​

• Semgrep now logs the amount of time required for the HTTP request to complete when validating Secrets in the debug logs.

Changed​

• Semgrep Secrets no longer allows more than 256 outstanding validations at any given time.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in August 2025:
  • v1.134.0
  • v1.133.0
  • v1.132.0

🌐 Semgrep AppSec Platform​

Added​

• Support for running Semgrep natively on Windows is now in public beta. This applies to running Semgrep through the CLI and an IDE such as Cursor, VS Code, and IntelliJ.
• Semgrep now includes a link to the GitHub pull request (PR) on the finding details page if you link a Semgrep finding in the PR you create.
• By default, diff-aware managed scans now have fail open enabled in the event a scan errors out or takes too long. This means that diff-aware scans are marked as successful on the pull request (PR) or merge request (MR), even if they haven't completed after the specified timeout, allowing you to make the Semgrep status check required in your source code manager (SCM) while not blocking someone from merging a PR or MR if the check encounters an unexpected issue or takes too long.

Changed​

• General UI improvements, including style fixes.

Fixed​

• Fixed an issue where you couldn't add a connection to GitHub Enterprise without an access token.

💻 Semgrep Code​

Added​

• Semgrep now prints warnings for each paths.include and paths.exclude pattern found in rules that Semgrep considers ambiguous.
  • Example: a pattern containing a middle slash, such as src/*.c, is considered floating, or unanchored. To comply with gitignore and semgrepignore specifications, src/*.c must be treated as anchored. Semgrep prints a warning asking the user to resolve any ambiguity if it exists. The user is asked to change the src/*.c pattern to either /src/*.c, anchored, or **/src/*.c, floating. HTTP{,S}_PROXY=... now accepts URIs without a scheme, such as HTTP_PROXY=domain.com:port.

Fixed​

• Fixed an issue where some diff-aware scans on shallow clones would use the incorrect merge base, resulting in a scan on commits not a part of the pull request. This is because Semgrep now considers the specific merge base to use when performing diff-aware scans.
• Fixed an issue where an empty file would sometimes be created in place of a missing input file.
• Fixed an issue where log files weren't succinct and introduced mid-entry newlines that broke log-parsing tools.
• Fixed an issue where the sign in command didn't work.
• Fixed an issue where CiScanComplete.dependencies were populated with unparsed dependencies.
• Fixed an issue where error details weren't printed when an SemgrepError exception caused semgrep to fail.
• Semgrep now prints an error message and exits instead of silently exiting with code 2 when you run semgrep scan in a Docker container without an argument, and there's no target project mounted under /src.
• Fixed an issue where a Unix.Unix_error would occasionally crash the experimental language server on startup.
• Fixed an issue where scans of large repositories in debug mode resulted in overly large logs.
• Path filters, such as paths.exclude and paths.include in rules, now apply to normalized file paths relative to the project rule. This makes rule selection independent of the current work folder.
• Patterns with a leading slash, such as /src, are now anchored instead of floating. For example, exclude: [ "/src" ] excludes the target file src/main.c, but not misc/src/main.c
• Java: deprecated the class $A partial class pattern in favor of class $A { ... }.
• Python: Fixed an issue where the Python parser didn't correctly parse and handle valid structural dictionary patterns.

⛓️ Semgrep Supply Chain​

Added​

• Supply Chain support for PHP reachability analysis is now generally available (GA).
• You can now use the Upgrade guidance filter to look for findings based on whether upgrading to the dependency that remediates the vulnerability introduces breaking changes or not.
• Beginning with Semgrep v1.127.0, uv is a supported package manager for Dependency Paths. This means that uv is a supported package manager across all Supply Chain features.

🤖 Semgrep Assistant​

Added​

• You can now see which memories were used by Assistant when it generated remediation guidance for a specific finding. Semgrep displays this information on the finding details page.

🔐 Semgrep Secrets​

Added​

• Added the ability to send Slack notifications for Secrets findings.
• Semgrep now makes up to three attempts when validating Amazon Web Services (AWS) credentials that failed due to possibly transient reasons.

📝 Documentation and knowledge base​

Added​

• Added the following knowledge base articles:
  • Learn how to search for, filter for, and sort findings in Semgrep AppSec Platform
  • Learn how to automate private rules deployment using the Semgrep API
  • Learn why the count of findings differs across various pages in Semgrep AppSec Platform

Fixed​

• Minor fixes, including fixes to broken link anchors.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in July 2025:
  • 1.131.0
  • 1.130.0
  • 1.128.0

🌐 Semgrep AppSec Platform​

Added​

• You can now customize PR and MR comments to provide additional context to the comments generated by Semgrep.
• Rules validation is now parallelized to improve performance when Semgrep scans use many rule files.
• Semgrep now respects ALL_PROXY, HTTP_PROXY, HTTPS_PROXY, NO_PROXY, PROXY_USERNAME, and PROXY_PASSWORD for all networking, including networking done through the OCaml components. Additionally, the environment variable OCAML_EXTRA_CA_CERTS now allows additional CA certificates to be used for network operations done by OCaml components.

Changed​

• The Sign up and Log in page has been redesigned.
• The Finding details page has been redesigned and unified across all Semgrep products.
• The Settings > Deployment page in Semgrep AppSec Platform has been removed and reorganized into a General page that features sub-tabs for individual uses and Semgrep products.
• Search and pagination on the Settings > Source code managers page have been improved, resulting in better load times and smoother navigation.
• Restored links to the same finding on other branches on the finding's details pages.
• Jira:
  • Semgrep AppSec Platform now displays information about Jira ticket creation in the Activity section of the Finding details page. You can check if a ticket was successfully created or if an error occurred during ticket creation.
  • Semgrep organization members can now create Jira tickets for findings.

Fixed​

• Fixed an issue where semgrep ci logs in GitLab return incorrect URLs with the wrong &ref=... argument.
• Fixed an issue where Semgrep Managed Scan was enabled on projects tagged as local_scan.
• Fixed an issue where scan logs show that pull request or merge request comments were successfully posted when the comments were not posted.
• Fixed an issue where Semgrep AppSec Platform did not account for community seats when calculating license usage.
• nosemgrep ignore comments no longer require exactly one leading space, allowing for more commenting styles.
• The Semgrep findings returned by the Semgrep Language Server (LSP) are now sorted correctly based on their location within files. This benefits the Semgrep IDE extensions, including VSCode and IntelliJ.
• Various UI fixes.

💻 Semgrep Code​

Added​

• Added type inference for mod, floor division, and pow.

Changed​

• JSON output now includes basic profiling data.

Fixed​

• Fixed an issue where taint rules that use the experimental feature labels and specify sinks with a requires: of the form not A could produce findings with an empty list of traces, potentially causing Semgrep to crash.
• Fixed an issue where the empty Python fstring f"" wasn't matched by the pattern ....
• Fixed an issue where a multiplication expression of int isn't considered an int.
• Fixed an issue where 2 * groups isn't considered an int when groups is an int.
• Go: fixed an issue where case statements with ellipses didn't match patterns correctly.
• JavaScript: fixed an issue where JavaScript autofix code suggestions break syntax for if statements by consuming parentheses.
• Python: fixed a regression that could cause naming to take a disproportionate amount of time, significantly slowing down scans.
• TypeScript: fixed an issue with stack overflow and out-of-memory issues when parsing TypeScript configurations.

⛓️ Semgrep Supply Chain​

Added​

• Support for PHP reachability is now in public beta, which means that Semgrep offers 98% coverage for Critical severity issues, plus some coverage for High severity issues.
• You can now customize Supply Chain policies using CVEs as a filtering condition.
• Policies now accept custom CVE options to allow the selection of CVEs for which there are no current findings associated.
• Scan logs now report dependency resolution errors that result from local builds by default.
• Added the reporting of subproject dependency resolution to JSON output.
• C#:
  • Dependency Paths for C# projects using NuGet are now in public beta.
  • Dependency parsing now handles dependencies with Project transitivities.
  • Semgrep can scan NuGet codebases without the need for a lockfile. This feature is in public beta.

Changed​

• The filter for malicious dependency findings are now included in the existing Reachability filter.

Fixed​

• Fixed an issue where missing version constraints in yarn.lock descriptors caused parsing errors.
• Fixed an issue where packages were misidentified by adding support for npm aliasing in package-lock.json.
• Fixed an issue where Jira tickets weren't created for some Supply Chain findings.
• Fixed an issue where archived repositories were accidentally scanned by Semgrep Managed Scans for Supply Chain findings.
• Semgrep no longer parses build.gradle.kts files as build.gradle.

🤖 Semgrep Assistant​

Added​

• Memories can now be scoped to a rule's vulnerability class, which are the same groupings that exist on the policies page.
• Organization members can suggest memories for approval by admins.
• Semgrep now sends out emails with information about suggested memories, how many findings each memory affects, and the links to review the memories in Semgrep AppSec Platform.

Changed​

• Organization members can now see memories in addition to admins.
• Active memories now display the name of the person who authored the triage note that Assistant used to create the memory.
• Memories created by Semgrep are now labeled as created by Assistant.

Fixed​

• Fixed an issue where changes made to the Allowed AI providers dialog weren't saved.

🔐 Semgrep Secrets​

Added​

• You can now create memories for generic secrets, allowing you to create and apply custom rules for secret detection through Assistant.

Fixed​

• Fixed an issue where files excluded in .semgrepignore were also applied to Secrets scans. Semgrep now scans files that have been excluded from Code and Supply Chain scans for leaked secrets.

📝 Documentation and knowledge base​

Added​

• Enable source code manager code access
• Run a successful proof-of-value (POV) trial with Semgrep
• Knowledge base: Search, filter, and sort findings in Semgrep AppSec Platform

Fixed​

Minor corrections and typo fixes.

🔧 OSS Engine​

• The following versions of the OSS Engine were released in June 2025:
  • v1.124.0
  • v1.125.0
  • v1.126.0
  • v1.127.0