April 2025
The following updates were made to Semgrep in April 2025.
Semgrep AppSec Platform
Added
- Added the following information in the Semgrep API:
  - Rule author information under the `registry_source` field. For example, if the source or author of the rule is Semgrep, the value returned is `semgrep`.
  - CWE information.
  - OWASP categories.
  - Technology values, such as `bash` or `curl`.
- Semgrep Managed Scans now run when a pull request or merge request is reopened.
Changed
- Jira labels can now support special characters.
Fixed
- Various fixes and improvements to Teams (role-based access control).
Semgrep Code
Added
- Added a new ruleset to detect unauthorized use of AI or LLM libraries, that is, the use of AI without going through security reviews or approval processes. This includes direct API calls, such as `api.openapi.com` and `api.anthropic.com`, and libraries in code such as `langchain` and `transformers`. See the Semgrep Shadow AI page to learn more.
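As an added illustration of the kind of check such a ruleset performs (this is an example rule written for these notes, not a rule from the Semgrep Shadow AI ruleset itself), the following Semgrep rule flags Python imports of `langchain` and `transformers` and hard-coded references to the `api.anthropic.com` endpoint; the rule id, message and severity are assumptions, and other hosts or libraries can be added to the `pattern-either` list in the same way.

```yaml
# Example Semgrep rule (constructed for illustration; not part of Semgrep's
# own Shadow AI ruleset). Run with: semgrep --config shadow-ai-example.yaml .
rules:
  - id: shadow-ai-python-usage-example   # assumed id
    languages: [python]
    severity: WARNING
    message: >-
      AI/LLM library or API endpoint used in code. Confirm that this usage has
      been through the security review or approval process.
    metadata:
      category: security
      subcategory: [audit]
    pattern-either:
      # Library usage: plain imports and "from ... import ..." forms.
      - pattern: import langchain
      - pattern: from langchain import $X
      - pattern: import transformers
      - pattern: from transformers import $X
      # Direct API usage: a literal reference to the provider endpoint.
      - pattern-regex: 'https?://api\.anthropic\.com'
```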
Semgrep Supply Chain
Added
- SBOM export through the Semgrep API is now generally available.
- Malicious dependency detection is now in public beta. Semgrep enables you to block pull requests (PRs) or merge requests (MRs) introducing these dependencies. You can also filter for malicious dependency findings, which assists in identifying and removing these dependencies.
- Added support for PR comments warning users that they may be adding malicious dependencies.
- Upgrade guidance and click to fix are now in private beta for users with Python projects hosted by GitHub.com and with Semgrep Assistant enabled. With upgrade guidance and click to fix, Supply Chain analyzes your project to surface breaking changes that you must fix as part of a version upgrade. Semgrep AppSec Platform provides you with a one-click option that opens a pull request to:
  - Upgrade the dependency to a safe version.
  - Let the developer know if the upgrade is safe or if there are breaking changes, and what those changes are.
- Transitive reachability is now in private beta. For JavaScript projects, Semgrep reachability now extends to transitive dependencies.
Changed
- Increased the rate limit for SBOM exports through the Semgrep API.
- Improved Supply Chain PR comments by adding separate templates for conditionally reachable and always reachable findings, as well as manual review advice for conditionally reachable findings.
- Improved the user introduction to Supply Chain to focus on reachable findings.
- Improved the Supply Chain > Details page.
Semgrep Assistant
Added
- Semgrep Assistant now attempts to create a memory during triage if possible. If Semgrep creates a memory, you'll see a dialog appear, indicating that this has happened, along with a link to the list of your organization's memories for review.
- Assistant Memories v2 is now in private beta:
  - Managing memories in Semgrep AppSec Platform now occurs under Policies, not Settings.
  - Semgrep AppSec Platform displays data on the scope and impact of memories, including the number of findings affected and which findings are affected.
  - Assistant now provides suggested memories, which are those that Assistant has generated based on your past triage actions. You can view these memories at any time in Semgrep AppSec Platform by navigating to Rules & Policies > Assistant Memories > Suggested. For each suggestion, you can choose one of the following actions:
    - Activate the suggested memory to inform Assistant's future advice.
    - Edit the memory, then activate it.
    - Delete the memory.
Semgrep Secrets
Fixed
- Fixed an issue where Semgrep AppSec Platform didn't display the correct number of Secrets findings in the navigation bar.
Documentation and knowledge base
Added
- Semgrep release notes are now available through RSS. You can subscribe to the:
- Added information about:
  - Semgrep Assistant's model providers.
  - Code security measures for managed scans.
  - Supported languages for the `metavariable-type` rules operator.
  - The `metavariable-name` operator.
Changed
- Minor updates to the Supported Languages documentation.
- Minor fixes to the following product features:
  - Assistant auto-triage.
  - Dataflow analysis in Semgrep AppSec Platform.
  - Managed scans for Azure DevOps projects.
  - `.semgrepignore`.
Fixed
- Minor typo fixes and UI updates.
OSS Engine
The following versions of the OSS Engine were released in April 2025: