Expanded language coverage, new enterprise features, and more
This quarter, in addition to launching Semgrep Secrets, our team concentrated on two key areas:
Coverage: Support for all languages a modern engineering team uses is critical to avoid the need for multiple solutions. This is why we built a core analysis engine that is language agnostic to power all of our products, ensuring we can add coverage for languages/frameworks faster and more efficiently than competing platforms (since we can generalize many of the syntactic elements of a language).
Enterprise-fit: Being developer-loved on a per-team basis is only half of the battle. Security products must fit seamlessly into an enterprise's broader operational, compliance, and security frameworks if we are to help every developer play a more active role in securing their code.
These focus areas led to our latest suite of updates for Semgrep, reinforcing our commitment to meeting the needs of any engineering team at any organization.
C# support in Semgrep Code and Semgrep Supply Chain
Our latest update brings first-class support for C# in Semgrep Code (SAST) and Semgrep Supply Chain (SCA).
For Semgrep Supply Chain, this ensures that teams working with C# can now leverage reachability analysis, enabling them to prioritize and fix the dependency vulnerabilities that are actually reachable in their codebase.
For Semgrep Code, teams can now scan C# projects with Semgrep Code’s Pro Engine, leveraging advanced cross-file analysis to uncover more complex vulnerabilities while reducing noise.
Here’s an example C# rule that uses Pro Engine’s cross-file analysis:
C# Pro rule that finds vulnerabilities across files. See the full rule here in our registry (login to view).
Coverage updates for Swift, Rust, and Dart in Semgrep Code
To further our commitment to comprehensive language coverage, we are pleased to announce several improvements in our coverage for Swift, Rust, and Dart:
Swift support is now in Beta, reflecting our ongoing efforts to fine-tune and expand our coverage for mobile development languages.
Rust support has moved to GA.
Experimental support for Dart has been added, meaning Semgrep users can now write custom rules for Dart.
Explore all the rules in the Semgrep Rule Registry.
IntelliJ IDE plugin for Semgrep Code
In our quest to integrate seamlessly into developers' workflows, we are excited to introduce beta support for IntelliJ products in addition to our existing support of Visual Studio Code. Our blog post, SAST at the Speed of Linting, outlines why integrating Semgrep into the IDE can be super impactful, allowing developers to identify issues (for example, OWASP Top 10 vulnerabilities) as they code. We now support the following IntelliJ products:
AppCode, Aqua, CLion, DataSpell, DataGrip, GoLand, IntelliJ IDEA Ultimate, PhpStorm, PyCharm Professional, Rider, RubyMine, RustRover, WebStorm
SBOM export for Semgrep Supply Chain
Recognizing the growing importance of software bill of materials (SBOM) in the security space, Semgrep Supply Chain now supports SBOM exports. An executive order from the White House underscores the importance, now more than ever, of owning a holistic view of all your dependencies and associated vulnerabilities.
Semgrep Supply Chain supports the CycloneDX format, enriched with vulnerability data provided by Semgrep’s unique reachability analysis. Ultimately, this enables security engineers to provide auditors and legal teams with a dependency artifact, prove compliance, and stay secure.
An example SBOM, enriched with reachability data
Semgrep Assistant GitLab support
Semgrep Assistant makes it easy for developers to fix vulnerabilities. By leveraging GPT’s understanding of code, Semgrep Assistant accelerates triage and remediation by providing suggested fixes and identifying false positives.
With Assistant recommendations able to be surfaced as MR comments, we’ve now extended this capability to GitLab users in addition to GitHub users:
Example of Semgrep Assistant autofix recommendations in GitLab MR comments
More to come
At Semgrep, we want to help enterprises standardize on a single platform for application security without compromising on the findings quality or developer productivity that highly customized point solutions can offer.
This quarter's updates reflect good progress in our mission to provide best-in-class performance and an excellent experience (for both developers and security teams) across all three of our application security products.
Stay tuned to hear about additional updates to Semgrep that are in the works!
Semgrep is a fast, open-source, code scanning tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.