Semgrep release notes for May 2024
Semgrep AppSec Platform
Added
- Semgrep managed scanning is now in public beta. It enables you to scan with Semgrep on any GitHub-hosted repository without the need to change existing CI/CD configurations.
Changed
- Improved the onboarding experience when scanning with Semgrep on a remote repository.
- Projects page: Improved the Can't find your project? tooltip with more troubleshooting advice.
- The Sync projects button has been moved to the Can't find your project? tooltip.
- Improved Jira integration and workflow. Jira tickets can now be created for Supply Chain findings, and provide better ticket summaries and descriptions.
- The Jira integration is in a private beta. See the Jira documentation to learn how it works and how to gain access to the beta.
- Editor and Playground: various improvements to structure mode, including the addition of tooltips to aid in rule writing and bug fixes.
Semgrep Code
Added
- Code search is now in public beta. Code search allows you to test a Semgrep rule by running it against one or more GitHub repositories or projects instead of just a few lines of test code. Its results highlight all instances of matching code in those target repositories, allowing you to see whether your rule works as intended or not.
- Pro findings filter: when reviewing items on Semgrep AppSec Platform's Findings page, the Pro findings filter allows you to filter for:
  - Findings identified using Semgrep Pro rules.
  - Findings identified as a result of Pro Engine analysis, that is, interfile and interprocedural analysis.
Changed
- The sorting criteria used on Semgrep AppSec Platform's Findings page have been updated to reflect the following order:
  - Severity
  - Findings generated by custom rules
  - Findings generated by Pro rules
  - Issue count in descending order
  - Finding ID in ascending order
Fixed
- When using `semgrep --test --json` to run tests against your rules and obtain the results in JSON format, Semgrep now reports the following issues in the `config_missing_fixtests` field of the JSON output for all rules in a file (not just the first rule):
  - Rule files containing `fix:` without the corresponding `.fixed` test file.
  - Rule files using `fix-regex:` without the corresponding `.fixed` test file.
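The check behind that report is easy to reproduce locally, so rule authors can catch a missing `.fixed` file before `semgrep --test` runs in CI. The script below is an added example and not Semgrep's own code: it walks a rule directory, finds every rule in each YAML file that declares `fix:` or `fix-regex:`, and reports those rules when no sibling `.fixed` test file exists. It assumes Semgrep's test-file naming convention (rule `foo.yaml`, test target `foo.py`, autofix expectation `foo.fixed.py`) and uses a line-based heuristic instead of a YAML parser so it runs without extra dependencies; the rule files and targets are constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Assumed naming convention: for rule file foo.yaml, the test target is foo.<ext>
# and the expected output after autofix is foo.fixed.<ext>.
ID_LINE = re.compile(r"^\s*-\s*id:\s*(\S+)\s*$")
FIX_LINE = re.compile(r"^\s*(fix|fix-regex):")


def rules_with_fix(rule_text: str) -> list[str]:
    """Return the id of every rule in a rule file that declares fix: or fix-regex:.

    Line-based heuristic (not a YAML parser): it tracks the most recent
    `- id:` line and attributes any following fix key to that rule.
    """
    found: list[str] = []
    current = None
    for line in rule_text.splitlines():
        m = ID_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and FIX_LINE.match(line) and current not in found:
            found.append(current)
    return found


def missing_fixtests(rule_file: Path) -> list[str]:
    """Rule ids in rule_file that have an autofix but no sibling .fixed test file."""
    fix_rules = rules_with_fix(rule_file.read_text())
    if not fix_rules:
        return []
    fixed_files = list(rule_file.parent.glob(rule_file.stem + ".fixed.*"))
    # Every autofix rule in the file is reported, not just the first one.
    return [] if fixed_files else fix_rules


# Constructed rule file with two autofix rules (labelled "rule-a" and "rule-b").
RULE_FILE_TWO = """rules:
  - id: rule-a
    languages: [python]
    severity: WARNING
    message: use yaml.safe_load
    pattern: yaml.load($X)
    fix: yaml.safe_load($X)
  - id: rule-b
    languages: [python]
    severity: WARNING
    message: avoid eval
    pattern: eval($X)
    fix: ast.literal_eval($X)
"""

# Constructed rule file using fix-regex, with its .fixed file present.
RULE_FILE_OK = """rules:
  - id: rule-c
    languages: [python]
    severity: INFO
    message: prefer the print function
    pattern: print $X
    fix-regex:
      regex: 'print (.*)'
      replacement: 'print(\\1)'
"""


def demo() -> dict[str, list[str]]:
    """Build a constructed rule directory in a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "two-rules.yaml").write_text(RULE_FILE_TWO)
        (root / "two-rules.py").write_text("yaml.load(data)\neval(code)\n")
        # No two-rules.fixed.py on purpose: both rule-a and rule-b get reported.
        (root / "ok.yaml").write_text(RULE_FILE_OK)
        (root / "ok.py").write_text("print 'hi'\n")
        (root / "ok.fixed.py").write_text("print('hi')\n")
        return {p.name: missing_fixtests(p) for p in sorted(root.glob("*.yaml"))}


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {'missing .fixed test for ' + ', '.join(ids) if ids else 'ok'}")
```

Running the script prints `ok.yaml: ok` and `two-rules.yaml: missing .fixed test for rule-a, rule-b`, the same two rules that `config_missing_fixtests` would list for that file.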
- Fixed an issue where Dockerfiles lacking a trailing newline character at the end of the file caused a segmentation fault.
- Fixed an issue where the improper handling of Unicode characters caused Semgrep to crash.
- Fixed an issue where interfile tainting missed a constant propagation phase, leading to the omission of true positives in some cases during interfile analysis.
- Fixed an issue where Semgrep ignored YAML tags instead of matching them correctly.
- Fixed an issue where findings identified in an earlier scan weren't marked as fixed when they no longer appeared in later scans.
- Fixed an issue where patterns flagged as disabled were not disabled when switching from structure mode to advanced mode in the Semgrep Editor.
- CLI:
  - When outputting Semgrep results in SARIF format, Semgrep now adds the `security` tag when CWE metadata is present in the rule.
  - Fixed an issue where rules with `metavariable-type` did not show up in the SARIF output.
Semgrep Supply Chain
Added
- Added public Supply Chain APIs. Read the documentation.
- Added lockfile-only support for the Hex package manager for Elixir codebases.
Changed
- The Supply Chain UI has been improved for consistency across Semgrep products. With these changes, users are now able to easily manage SCA, SAST, and secret findings. The Supply Chain UI updates provide the following workflow improvements:
  - Grouping vulnerabilities by rule
  - Bulk triaging of findings
  - Comprehensive filtering
  - A unified API for findings across Semgrep Code and Semgrep Supply Chain
- The Supply Chain > Settings page has been renamed to License configuration.
Fixed
- Elixir: Fixed a bug in the `mix.lock` parser where it failed on a Python `None` error, and added a handler for arbitrary exceptions during lockfile processing.
- Fixed an issue where upgrade-only SCA rules without patterns could not be validated.
Semgrep Assistant
Changed
- Autofix results older than six months are now re-analyzed and updated.
- Assistant displays guidance on how to fix an issue even if no autofix or code suggestion is present.
Fixed
- Fixed an issue where the Assistant license check caused rate-limiting errors.
- Fixed an issue where users couldn't toggle on Semgrep Assistant with only GitLab connected as the source code manager.
- Fixed an issue where findings that had been auto-triaged weren't analyzed, leading to lack of remediation guidance from Semgrep.
- Fixed an issue where Assistant suggested actions for findings that were ignored.
Semgrep Secrets
Added
- Added support for AWS validator syntax.
Changed
- CLI: The deprecated `--beta-testing-secrets-enabled` flag is removed. Use `--secrets` instead.
Fixed
- Fixed an issue where the `--historical-secrets` flag was implemented as an option in the output formats group instead of the Pro options group, sometimes causing scans to fail.
Documentation and knowledge base
Added
- Added the following new documents and sections:
- Added a Last updated widget to the docs.
Changed
- Major updates have been made to the following documentation:
- Updated how the docs are organized (minor changes).
- Various documentation presentation updates.
- Minor documentation updates.
Fixed
- Fixed an issue where the docs wouldn't display all the tags in the headings. The docs now consistently show tags, if any, at the beginning of the document.
Semgrep OSS Engine
The following versions of Semgrep OSS Engine were released in May 2024: