April 2026

The following updates were made to Semgrep in April 2026.

๐ŸŒ Semgrep AppSec Platformโ€‹

Added

  • Added a prompt for users to log in with their corporate SSO credentials instead of their GitHub or GitLab credentials when their organization has corporate SSO configured.
  • Added workflow execution usage information to the AI credits dashboard so users can see workflow runs alongside scans, triage actions, and fixes.
  • Added the ability to download contributor usage information from Settings > Usage & Billing.
  • Added AI-powered detection findings to the findings API endpoint (GET /api/v1/deployments/{slug}/findings).
  • Added Jira ticketing support for AI-powered detection findings.
  • Added the ability to manually run full scans for the non-default or non-primary branches using Semgrep Managed Scans.
  • Added the ability to retry Semgrep Managed Scans that failed or didn't complete.
  • Semgrep Guardian: added support for a Supply Chain hook.

Changed

  • The interfile analysis engine has been redesigned to improve performance. These improvements change how findings are generated, which might result in additional true positives and fewer false positives.
  • Contributor seat limit alerts now explain that scans continue as a courtesy when an organization exceeds its seat limit, replacing the previous inaccurate "scans will be paused" text.
  • Removed the Fixed in time filter option from all Findings pages.
  • The Projects list now includes Semgrep Managed Scans that are pending or have never started scanning.
  • Semgrep Playground is now mobile-friendly.

Fixed

  • Fixed an issue where invalid configurations caused the Integrations page to not load. Semgrep now displays a meaningful error and allows users to edit or delete the configuration.
  • Fixed an issue where Semgrep did not save changes when Gradle or Maven registry integration credentials were updated.
  • Fixed an issue where the Settings > Usage panel showed only a subset of seats, instead of the correct combined total, when a deployment had multiple active licenses for the same product.
  • Fixed an issue where the Remove user from organization button was available to Managers, allowing them to remove Admin users.
  • Fixed an issue where read-only users could upload CLI scan results and overwrite findings by setting SEMGREP_REPO_DISPLAY_NAME. CLI scan endpoints now enforce scan permissions.
  • Fixed an issue where CSV findings exports failed with IndexError: list index out of range for some users when a paginated batch returned an empty list.
  • Fixed the repos filter on the findings and issues API endpoints to use case-insensitive matching.
  • Fixed an issue where the provisionally ignored filter for the public findings API endpoints returned all findings.
  • Fixed an issue where the Jira integration failed to load for deployments that saved their Jira configuration before support for AI-detection findings was added.
  • Fixed an issue with the SARIF trace output for taint mode so that it now uses the correct file URI and includes the sink call trace in codeFlows.
  • IDE: fixed an issue where network errors occurring during token verification resulted in saved tokens being cleared.
  • Minor UI fixes.

Semgrep Code

Added

  • The finding details page now displays the reason why a finding was ignored at the top. Users no longer need to go to the Activity section to see this information.
  • Added the findings count and a link to view findings to the AI-powered detection scan progress timeline.
  • Added AI-powered detection findings to the Findings CSV export file.
  • Improved support for variadic functions in taint-tracking mode.
  • Scala: added tree-sitter parser to improve parsing accuracy.

Fixed

  • Fixed an issue where the AI-powered detection scan time estimate was overinflated.
  • Fixed an issue where Autofix wasn't able to create a GitHub pull request due to the Semgrep GitHub app requesting insufficient permissions.
  • Fixed an issue where Autofix features were unavailable to organization members, as well as admins.
  • Fixed an issue where Autofix displayed a suggested fix for Supply Chain findings. Autofix is only applicable to Code findings.
  • Fixed an issue where Autofix errored out when attempting to open pull requests for Azure DevOps repositories. Semgrep now rejects these requests since Azure DevOps isn't supported.
  • Fixed an issue where Autofix errored out when handling requests involving archived repositories. Semgrep now rejects these requests and displays an error message accordingly.
  • Fixed an issue where some GitHub Enterprise users stopped seeing Autofix pull requests.
  • Fixed an issue where provisionally ignored findings couldn't be triaged without a comment provided.
  • Fixed Autofix pull request descriptions so that they properly display the user's GitHub username.
  • Fixed an issue with GitHub App permission checks, which used the app manifest permissions (what the app declares) instead of installation-level permissions (what was actually granted), causing the Autofix button to be incorrectly hidden or shown.
  • Fixed performance issues during the parsing of Semgrep rules containing non-BMP Unicode characters.
  • Scala:
    • Fixed an issue with trait parameters in versions 3.4.x and later so that they are now parsed correctly.
    • Fixed an issue where Semgrep failed silently instead of returning an error when target file discovery fails.

โ›“๏ธ Semgrep Supply Chainโ€‹

Added

  • Added reachability coverage for Rust.
  • Supply Chain advisories now have dedicated detail pages, replacing the previously used drawers.
  • Added dependency path information to the SBOM exports and the Issues API endpoint.

Fixed

  • Fixed an issue with legacy Supply Chain findings URLs that resulted in the findings page showing zero results.
  • Fixed the Dependencies filter on the Findings page so that exact matches rank above all other matches.
  • Fixed the advisory ID search so that it is case-insensitive.
  • Fixed an issue where the Autofix API endpoints accepted pull requests for issues that were already fixed, removed, or ignored.

Semgrep Multimodal

Added

  • Added IAM role-assumption authentication mode for AWS Bedrock BYOK. In addition to static access keys, users can now configure an IAM role ARN and grant Semgrep cross-account access using the generated external ID.
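The IAM trust policy for the role-assumption mode above, as an added example that is not taken from Semgrep's own documentation: the principal account ID and the external ID are placeholders (Semgrep supplies the real values in the BYOK setup), and the ExternalId condition is what prevents the role from being assumed by anyone who merely knows its ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSemgrepToAssumeRoleWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SEMGREP_AWS_ACCOUNT_ID_PLACEHOLDER:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "EXTERNAL_ID_GENERATED_BY_SEMGREP_PLACEHOLDER"
        }
      }
    }
  ]
}
```

Pair the trust policy with a permissions policy that grants only the Bedrock invoke actions (for example bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream) on the specific model ARNs you intend Semgrep to use, rather than a broad Bedrock or administrative policy.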

Changed

  • Findings of critical or high severity with high or medium confidence identified during diff-aware scans are now included in autotriage analysis.
  • The memory creation dialog now prompts users to create specific, named memories, such as "ConfigService is an internal backend service" rather than generic, conditional memories.

Fixed

  • Fixed an issue with pull request comment URL construction for tag-scoped and deployment-wide memories that previously resulted in no pull request comments being posted.

Semgrep Community Edition