Added a button to Remove source code manager (SCM) apps. This is helpful when you have a misconfigured SCM app, such as GitHub's semgrep-app, and want to reinstall it. To remove an SCM, click Settings > Source code managers.
Added Semgrep Assistant to the new Getting started guide in the onboarding flow.
OpenAPI: Renamed instances of r2c to Semgrep.
CLI login: New users are now directed to create a Semgrep org when they are logging in for the first time to Semgrep Cloud Platform from the CLI.
Speed and stability improvements across the product. Semgrep Code pages, such as Findings and Policies, now load faster.
Semgrep Assistant: Component tags are now visible for all Assistant users.
Component tags use GPT-4 to categorize a finding based on its function, such as payments, user authentication, or infrastructure.
By categorizing your code through component tags, Semgrep Assistant can help you prioritize high-risk issues, for example when Semgrep has detected a code finding related to payments or user authentication.
Added a new, public Semgrep Supply Chain API where you can filter and query third-party vulnerability findings by a variety of parameters, such as severity, repository, and exposure.
C# reachability is now GA (generally available). Semgrep Supply Chain has added reachability rule support for all C# CVEs from May 2022 onward.
SBOM export: Added vulnerabilities enriched with reachability analysis to exported SBOMs.
Dependency license scanning: Added support for NuGet (C#) and RubyGems (Ruby) license detection.
Advisories: Added a tooltip displaying the date when a CVE Numbering Authority (CNA) created the security advisory. CVE Numbering Authorities include the MITRE Corporation. These dates are not assigned by Semgrep, Inc.
SBOM (software bill of materials) export: The name of the exported SBOM file now uses the following format: sbom-<org_name>-<repo_name>-<MM-DD-YY_H-m-s>--<serial_number>.<xml|json>
SBOM export: Fixed an issue where SBOM export failed when encountering dependencies with empty names.
Vulnerabilities page: Fixed an issue where triage states did not update until a page refresh. Triage states now update as the user performs a triage action.