Semgrep release notes for August 2024
Semgrep AppSec Platform
Added
- A new primary branch feature is now generally available (GA)! This feature lets you tell Semgrep which branch is your repository's primary (default) branch; typically Semgrep deployments perform full scans only on default branches. Previously, Semgrep detected primary branches automatically from a list of common names, such as `main` or `master`; now you can set it to any name your organization uses, such as `prod-1`. Read the documentation.
- Semgrep Managed Scans and Semgrep in CI: You can now view logs of all scans by going to the project's Details page.
- Jira:
- Added multi-label support when creating Jira tickets. Use a comma to delineate labels.
- Added Jira ticket information to information returned from the Findings API.
- Added initial page state for Project > Details > Scans tab.
Changed
- Various improvements and updates to the Semgrep pricing page.
- Improvements to tooltips, help text, and icons in the Projects and Findings pages.
- Semgrep Managed Scans: Improved error messages to users when clicking Run a new scan from the Projects > Details page. Now you are better equipped to troubleshoot issues with managed scans.
- Updated the Buildkite CI configuration template.
- Code search: YAML is now validated in the search step and invalid YAML is caught when viewing results.
Fixed
- Jira: Fixed a bug which prevented error messages from appearing in tooltips when Jira tickets failed to be created. Now, you can see detailed error messages letting you know what went wrong when a Jira ticket is not successfully created through Semgrep.
- Fixed a regression in which clicking outside of the Findings page filter component did not clear all filters.
- Various copy edits to the Dashboard (beta) page.
- Fixed an issue in which untriaged findings could be marked as reopened when creating Jira tickets from the Finding details page.
- Fixed a bug in which the Dashboard did not display the correct number of findings.
Semgrep Code
Added
- Docker: Semgrep ellipses (`...`) are now allowed in patterns for `HEALTHCHECK` commands.
- Terraform: Added support for `.tfvars` files.
Changed
- Semgrep CLI's `--debug` flag no longer generates profiling information, including time and scan performance measurements. To obtain this information, use `--time`.
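Since `--debug` no longer carries timing data, `--time` is the place to look when a scan is slow. The script below is an added example, not part of these release notes or of Semgrep's own code: it reads the JSON produced by `semgrep --time --json` and ranks rules by total match time and targets by run time, which is usually enough to find the one rule or file that dominates a scan. The embedded report is constructed for the example (the rule ids are made up), and the field layout it assumes (`time.rules[k].id` lining up with `time.targets[i].match_times[k]`) is my reading of Semgrep's output schema; check it against the output of your Semgrep version before relying on it.

```python
"""Rank slow rules and slow targets from `semgrep --time --json` output."""
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `semgrep --time --json` output (assumption:
# targets[i].match_times[k] / parse_times[k] correspond to rules[k]).
SAMPLE_OUTPUT = json.dumps({
    "results": [],
    "errors": [],
    "time": {
        "rules": [
            {"id": "example.eval-detected"},
            {"id": "example.aws-access-key"},
            {"id": "example.missing-healthcheck"},
        ],
        "rules_parse_time": 0.31,
        "targets": [
            {"path": "app/main.py", "num_bytes": 4096,
             "match_times": [0.020, 0.150, 0.0],
             "parse_times": [0.010, 0.0, 0.0], "run_time": 0.180},
            {"path": "app/util.py", "num_bytes": 2048,
             "match_times": [0.010, 0.120, 0.0],
             "parse_times": [0.005, 0.0, 0.0], "run_time": 0.135},
            {"path": "Dockerfile", "num_bytes": 512,
             "match_times": [0.0, 0.030, 0.004],
             "parse_times": [0.0, 0.0, 0.001], "run_time": 0.035},
        ],
        "total_bytes": 6656,
        "max_memory_bytes": 120_000_000,
    },
})


def load_report(text):
    """Parse the JSON document and fail loudly if `--time` was not used."""
    report = json.loads(text)
    if "time" not in report:
        raise ValueError("no 'time' section: re-run semgrep with --time --json")
    return report


def per_rule_match_time(report):
    """Sum each rule's match time over every scanned target (seconds, rounded)."""
    time_info = report["time"]
    rule_ids = [r["id"] for r in time_info["rules"]]
    totals = defaultdict(float)
    for target in time_info["targets"]:
        # match_times is positional: entry k belongs to rule k.
        for rule_id, secs in zip(rule_ids, target["match_times"]):
            totals[rule_id] += secs
    return {rule_id: round(secs, 6) for rule_id, secs in totals.items()}


def slowest_rules(report, n=3):
    """Top-n rules by accumulated match time, slowest first."""
    totals = per_rule_match_time(report)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def slowest_targets(report, n=3):
    """Top-n files by per-file run time (parse + match for all rules)."""
    rows = [(t["path"], round(t["run_time"], 6)) for t in report["time"]["targets"]]
    return sorted(rows, key=lambda kv: kv[1], reverse=True)[:n]


def summary(report):
    """Whole-scan figures worth pasting into a ticket about scan performance."""
    time_info = report["time"]
    return {
        "rules": len(time_info["rules"]),
        "targets": len(time_info["targets"]),
        "rules_parse_time": time_info["rules_parse_time"],
        "max_memory_mb": round(time_info["max_memory_bytes"] / 1e6, 1),
    }


if __name__ == "__main__":
    # Usage: semgrep --config auto --time --json . | python rank_semgrep_time.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    rep = load_report(text)
    print("summary:", summary(rep))
    for rule_id, secs in slowest_rules(rep):
        print(f"rule   {secs:8.3f}s  {rule_id}")
    for path, secs in slowest_targets(rep):
        print(f"target {secs:8.3f}s  {path}")
```

Pipe a real scan in (`semgrep --config <rules> --time --json . | python rank_semgrep_time.py`); with no stdin it runs on the constructed sample. A rule that dominates match time across many files is usually a pattern with an unanchored ellipsis or a broad `metavariable-regex`; a single target that dominates run time is usually a generated or vendored file that belongs in `.semgrepignore`.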
Fixed
- Fixed an error with Julia list comprehensions. For example, the pattern `[$A for $B in $C]` now matches `[x for y in z]` and results in three bindings, `[$A/x, $B/y, $C/z]`, instead of one, `[$A/x]`.
- Fixed an issue resulting in deadlock when a scan has interfile analysis and tracing enabled and the number of subprocesses is greater than 1 (`-j` greater than 1).
- Fixed an issue where the number of files reported as scanned by Semgrep CLI was inflated due to double-counting of generic and regex modes.
- `--debug` now generates fewer log entries. Additionally, when the number of ignored files, rules, or other entities is too large, Semgrep indicates this in the logs with `<SKIPPED DATA>` to keep the output minimal.
Semgrep Supply Chain
Added
- You can now filter and view EPSS scores for your Supply Chain findings.
Changed
- The link to the Supply Chain findings page in Semgrep AppSec Platform now filters to the specific repository and `ref` on which the findings were detected.
Fixed
- Fixed an issue where Supply Chain's Findings Detail pages weren't showing detailed error information.
Semgrep Assistant
Added
- Assistant Memories is now in public beta. This feature allows you to tailor Assistant's remediation guidance to your organization's standards and defaults on a per-project, per-rule basis.
- Added the ability to use your own OpenAI API key instead of Semgrep's. Assistant's requests to OpenAI are then made under your own account, giving you complete control over how OpenAI handles your data.
- Added the ability to query for Assistant's remediation guidance via the Findings API.
Semgrep Secrets
Changed
- The Secrets page in Semgrep AppSec Platform has been updated to match the findings pages for Semgrep Code and Semgrep Supply Chain.
- Secrets findings no longer display code snippets, even if the user has granted Semgrep code access.
- Secrets is no longer self-serve. To access Semgrep Secrets, you can contact your Semgrep account executive for a trial license.
Fixed
- Fixed an issue in which files ignored by Semgrep Code, but not by Semgrep Secrets, were not scanned by Semgrep Secrets.
Documentation and knowledge base
Added
- Documentation for providing your own OpenAI API key for use with Semgrep Assistant.
- EPSS documentation.
- Sections for various source code manager additions, such as:
- Support for multiple GitHub Enterprise Server organizations.
- MR comments for multiple GitLab groups.
- Documentation specifying which features make use of the IP addresses that you must add to your allowlist when you deploy Semgrep.
Changed
- Various improvements to the Network broker documentation, such as:
- Improved logging guidance.
- Clarified variable names and placeholder values that users should replace.
- Various updates to Editor documentation as a whole.
- Various updates to Semgrep Assistant documentation.
- Updated Semgrep Supply Chain documentation to reflect the latest product UI/UX state.
Fixed
- Updated and fixed various broken links.
- Minor typographical fixes.
Removed
- Removed the Ticketing page; Semgrep supports Jira exclusively. Other ticketing integration betas have been closed. Semgrep may reopen beta programs for future ticketing integrations.
OSS Engine