
Semgrep release notes

December 2025


The following updates were made to Semgrep in December 2025.

๐ŸŒ Semgrep AppSec Platformโ€‹

Addedโ€‹

  • Added a new Priority tab on Findings page to display high-priority findings. Each product has default priority categories, and Semgrep admins can customize the Priority tab to control which findings appear. Admins can save Priority tab filters for all users.
  • Added a new Provisionally ignored finding status.
  • Commit author emails now appear in the finding's Details when available.

Changed

  • The Findings page now has improved navigation and more intuitive links. The code path now opens the finding's Details page, and an in-product tour introduces the new layout.
  • On the Projects page, project names now link directly to project details, making it easier to access scan information from the project list.
  • On the finding's Details page, when no ticketing integration is configured, the Fix drop-down now includes a prominent link to the relevant Integration settings page.
  • The Settings page has been reorganized to highlight commonly used features and make it easier to find what you need.
  • The triage-by-comment setting is now available in the Settings > Global section, making it easier to manage across products.
  • When SSO is enabled, the Semgrep AppSec Platform now shows warnings for social authentication in Settings > Access > Login methods and highlights users using social auth in Settings > Users, helping admins identify and reduce security risks.
  • Newly created users who sign in with SSO are now added only to the default deployment, reducing unintended access in multi-deployment organizations.
  • Activating or deactivating SSO and other authentication providers now shows more user-friendly success and partial-failure messages.
  • The Today section on the Reporting page now uses the same priority definitions as the Findings page, including any custom priority settings.
  • The Guardrails chart now shows provisionally ignored findings instead of the previous Filtered by Assistant field, providing a more complete view of findings excluded from the default list of Open findings.
  • User search on the Manage users page has been simplified. You can now search by email, username, or ID using a single search field, without selecting the search type first.

Fixed

  • Fixed incorrect tab selection during navigation so the correct tab is now highlighted when viewing pages under the project path.
  • Fixed IdP-initiated SAML login issues. You can now sign in successfully using IdP-initiated SAML.
  • Fixed Assistant triage actions for read-only users. Read-only users can no longer record agreement with Assistant analysis, and the activity timeline now reflects only actions taken by users with triage permissions.
  • Fixed an issue where the Connect button remains disabled when adding a new GitHub Enterprise connection.
  • Fixed an issue with the Save and Reset buttons; they now appear only when you've modified filters or have saved views to manage.
  • Fixed CNAPP visibility for non-admin users. Users with access to findings can now see CNAPP integration status, ensuring CNAPP filters and descriptions display correctly.
  • Fixed an issue where the Users page did not reset when changing the search query.
  • Fixed an issue where the Teams search bar was unusable when adding users or projects.
  • Fixed an issue preventing custom OpenAI API keys from being saved.
  • When a scan is running, the Analyze button on the finding's Details page is now disabled and displays a tooltip explaining why.
  • Fixed several issues with Findings page filters:
    • The Save and Reset buttons only appear when you've modified the filters or have saved views to manage.
    • Changes to time-based filters persist.
    • Team filters now appear only when RBAC is enabled, ensuring filters reflect your deployment's access controls.

💻 Semgrep Code

Changed

  • Git Large File Storage (LFS) objects are excluded from baseline scans. Files tracked with Git LFS are no longer scanned during baseline runs, avoiding large or binary files that are not supported by Semgrep.

Fixed

  • Fixed an issue where findings in files that time out or fail to scan were set to a status of Fixed, ensuring scan results more accurately reflect what was actually analyzed.
  • Fixed validation failures for valid rules. Rules that include emoji in the message field now validate correctly.
  • Fixed an interfile scan timeout regression, restoring the previous default job behavior to prevent unexpected timeout changes.
  • Fixed an issue with duplicate scans triggered by GitHub pull request updates. Semgrep now processes pull request update events only once, preventing duplicate scans for the same change.

โ›“๏ธ Semgrep Supply Chainโ€‹

Addedโ€‹

  • The Advisories page now shows impacted projects and branches. You can now click on an advisory to see affected projects and branches and use quick links to go directly to relevant findings.
  • Added new High severity reachability rules to improve vulnerability detection for Java, Kotlin, and Scala projects that use Maven.
  • Added symbol analysis support for Supply Chain–only scans when calling semgrep ci.

Changed

  • The Dependencies page's License filter now supports the selection of multiple license types, so you can view dependencies that are Allowed, Blocked, and Commented at the same time.

Fixed

  • Fixed project filtering on the Dependencies page such that filtering by multiple projects now works as expected, and the search field clears correctly after you select a project.
  • Fixed symbol analysis to analyze only relevant language files per ecosystem during Supply Chain scans.
  • Fixed CVE filter chip labeling for shared rules such that filter chips now show all applicable CVEs instead of only the first.
  • Fixed missing findings in advisory filters. Advisory filters now correctly show all existing findings.
  • Fixed project selection in Supply Chain filters, allowing you to select multiple projects as expected when filtering results.

🤖 Semgrep Assistant

Added

  • Added support for Cursor post-generation hooks, enabling Semgrep to integrate with Cursor workflows after code generation.
  • Assistant memories now include links to the pull request or merge request comments where triage decisions were made, improving traceability back to the original source.

Changed

  • Pull request comments for findings generated using Semgrep-authored rules now include Assistant-generated explanations to help developers understand the findings. The summary message can be expanded to show additional details.
  • Findings in Semgrep AppSec Platform now include Assistant-generated explanations to clarify why a rule matched your code and a concise summary, if available.
  • Assistant notifications now show more specific error messages, helping you understand why an analysis could not run.
  • When multiple rules share the same name, the full rule path is now shown in Semgrep AppSec Platform to help distinguish them.

Fixed

🔐 Semgrep Secrets

Changed

  • Semgrep Secrets findings are now assigned a severity of Critical. This applies to Secrets findings from scans performed after November 2025. Any existing findings from those rules will be updated to Critical after the project's next full scan.

Fixed

  • Fixed an issue with configuring Slack notifications for Secrets policies. Selecting a Slack channel no longer causes the page to crash, and configurations now save successfully.

๐Ÿ“ Documentation and knowledge baseโ€‹

Addedโ€‹

  • Improved API documentation for Ruleboards and Policies. The API docs have been updated to correctly display request parameters in the request body and hide path parameters, making it easier to understand and use these endpoints.

🔧 OSS Engine

Changed

  • Semgrep's Docker image now uses Alpine Linux 3.23.
  • The following versions of the OSS Engine were released in December 2025:

November 2025


The following updates were made to Semgrep in November 2025.

๐ŸŒ Semgrep AppSec Platformโ€‹

Addedโ€‹

  • Cortex and Sysdig integrations are now generally available. Semgrep now uses deployment status and, for Cortex, internet-exposure data from these CNAPP providers to better prioritize findings.
  • The Settings > General tab now displays all Semgrep product settings on a single page.
  • Added the ability for non-admin users to complete the Semgrep GitHub App installation process using an install-request link. This ensures that private GitHub App installations can proceed, even when the initiating user lacks org admin permissions.
  • Added a new Validate button and improved connection status visibility for CNAPP integrations. You can now see the validation state, last successful sync time, and clearer error conditions directly in Semgrep AppSec Platform.
  • You can now update and delete customizable and saved views using the API. The endpoint returns a 404 if the view does not exist.
  • Added support for filtering projects by status, including setup, uninitialized, and archived, in the Projects API endpoints, enabling more precise control when retrieving project lists.
  • Added missing fields commit and enabled_products to the GetScan v2 API response to achieve parity with v1 and ensure you receive complete scan metadata.
  • Added support for updating a project's primary branch through the Public API v2, enabling parity with the v1 Projects API endpoint.
  • Added support to the Public API for mutating project tags, enabling automated workflows to add, remove, or update tags on projects.

Changed

  • The API tokens and CLI tokens tabs under Settings → Tokens are now paginated, significantly improving page load speed for teams with many tokens.

Fixed

  • Fixed several issues with RBAC team-based filtering that caused you to see incorrect repository or findings access in certain deployments. You should now see correct repository and findings access based on your team permissions.
  • Fixed an issue where the self-service checkout flow failed with an "Unrecognized enum value" error when starting a billing upgrade. You can now successfully initiate checkout sessions again.
  • Fixed an issue where Jira automations persisted after deleting the Jira integration. Automations are now deleted when the integration is removed.
  • Fixed an issue with the Settings pages where some searches resulted in no results on later pages.
  • Fixed an issue where organization admins could not see projects without team assignments when RBAC was enabled. All projects now correctly appear in the Projects page for admins.
  • Fixed an authorization issue in Network Broker key management.
  • Fixed an issue where GitLab merge-base requests were serialized incorrectly, causing errors or inconsistent diff detection for GitLab users.
  • Fixed an issue where rule descriptions on the Findings page used a fixed width. Descriptions now scale responsively again.
  • Fixed an issue where GitHub SSO orgs using personal GitHub accounts made unnecessary calls to GitHub during user sync.
  • Fixed an issue where new CNAPP integrations displayed an incorrect error state in Semgrep AppSec Platform.
  • Fixed an issue where opening the scan's Details reset existing URL filters. Semgrep now preserves all active filters when you navigate to the Details page.
  • Removed the ability for users to remove their own access in Access Control.
  • You can no longer click the Run a new scan buttons on the Projects list and Project Details pages if you disable Managed Scans for the project.

💻 Semgrep Code

Added

  • MCP: added the -k / --hook flag to enable Semgrep scans from Claude Code Agent post-tool hooks.
  • Go: enabled taint tracking across goroutines, improving detection accuracy in Go projects.

Changed

  • Semgrep now uses your source code manager to determine changes between branches during a scan. If you're using Network Broker, you must upgrade it to benefit from this improvement if you are on GitLab self-managed with Network Broker v0.36.0 or earlier, or on GitHub Enterprise with Network Broker v0.31.0 or earlier.

Fixed

  • The progress bar for semgrep scan and semgrep ci now consistently reaches 100%.
  • Rust: Fixed missing type alias translations so that Semgrep can correctly match the () type in type declarations.
  • Scala: Fixed several issues with Scala match-expression handling in dataflow analysis, improving accuracy.

โ›“๏ธ Semgrep Supply Chainโ€‹

Addedโ€‹

  • Malicious dependency detection is now generally available. Semgrep detects malicious packages, including malware, typosquatting, and credential-stealing dependencies, using over 80,000 rules.
  • Added a toggle in Supply Chain settings that allows you to disable malicious dependency rules. This provides an opt-out for teams who prefer not to run these rules or who encounter performance issues.
  • Added a new checkbox in the Jira Customize ticket creation dialog that allows teams to automatically create tickets for malicious dependency findings on any branch.

Fixed

  • Semgrep AppSec Platform now displays the correct severity for Supply Chain findings, resolving a mismatch with automations and the CLI. Some existing findings may show updated severities, but policies and Jira workflows are unaffected.
  • Fixed an issue that caused Supply Chain scans to fail when encountering newer manifest types.
  • Fixed an issue where searches for dependencies only filtered the first page of results. Dependency filters now correctly return complete, accurate results.
  • Fixed inaccurate dependency and lockfile counts in Supply Chain pages.

🤖 Semgrep Assistant

Added

  • You can now see rule and analysis explanations on the finding's Details page. When a finding is classified as a true or false positive, an alert appears, and a detailed explanation is available in the Finding description tab. For true positives, it includes code context and threat-model rationale; for false positives, it includes reasoning only.

Changed

  • Assistant now automatically analyzes all new Critical and High severity findings with Medium or High confidence in full scans, removing the previous 10-issue limit.

Fixed

  • Removed outdated warning text from the Assistant autofix.
  • Fixed an issue where agreeing with an auto-triage verdict incorrectly marked findings as ignored. Findings are now auto-ignored only when a user marks them as a False Positive.

๐Ÿ“ Documentation and knowledge baseโ€‹

Addedโ€‹

๐Ÿ”ง OSS Engineโ€‹

Addedโ€‹

  • The following versions of the OSS Engine were released in November 2025: