August 2024
The following updates were made to Semgrep in August 2024.
Semgrep AppSec Platform
Added
- A new primary branch feature is now generally available (GA)! This feature lets you set your repository's default branch; typically, Semgrep deployments perform full scans only on default branches. Previously, Semgrep automatically detected primary branches through a list of common names, such as `main` or `master`, but now you can set it to any unique name your organization may use, such as `prod-1`. Read the documentation.
- Semgrep Managed Scans and Semgrep in CI: You can now view logs of all scans by going to the project's Details page.
- Jira:
- Added multi-label support when creating Jira tickets. Use a comma to delineate labels.
- Added Jira ticket information to information returned from the Findings API.
- Added initial page state for Project > Details > Scans tab.
Changed
- Various improvements and updates to the Semgrep pricing page.
- Improvements to tooltips, help text, and icons in the Projects and Findings pages.
- Semgrep Managed Scans: Improved error messages to users when clicking Run a new scan from the Projects > Details page. Now you are better equipped to troubleshoot issues with managed scans.
- Updated the Buildkite CI configuration template.
- Code search: YAML is now validated in the search step and invalid YAML is caught when viewing results.
Fixed
- Jira: Fixed a bug which prevented error messages from appearing in tooltips when Jira tickets failed to be created. Now, you can see detailed error messages letting you know what went wrong when a Jira ticket is not successfully created through Semgrep.
- Fixed a regression in which clicking outside of the Findings page filter component did not clear all filters.
- Various copy edits to the Dashboard (beta) page.
- Fixed an issue in which untriaged findings could be marked as reopened when creating Jira tickets from the Finding details page.
- Fixed a bug in which the Dashboard did not display the correct number of findings.
Semgrep Code
Added
- Docker: Semgrep ellipses (`...`) are now allowed in patterns for `HEALTHCHECK` commands.
- Terraform: Added support for `.tfvars` files.
Changed
- Semgrep CLI's `--debug` flag no longer generates profiling information, including time and scan performance measurements. To obtain this information, use `--time`.
Fixed
- Fixed an error with Julia list comprehensions. For example, the pattern `[$A for $B in $C]` now matches `[x for y in z]` and results in three bindings (`$A/x`, `$B/y`, `$C/z`) instead of one (`$A/x`).
- Fixed an issue resulting in deadlock when a scan has interfile analysis and tracing enabled and the number of subprocesses is greater than 1 (`j > 1`).
- Fixed an issue where the number of files reported as scanned by Semgrep CLI was inflated due to double-counting of generic and regex modes.
- `--debug` now generates fewer log entries. Additionally, when the number of ignored files, rules, or other entities is too large, Semgrep indicates this in the logs with `<SKIPPED DATA>` to keep the output minimal.
Semgrep Supply Chain
Added
- You can now filter and view EPSS scores for your Supply Chain findings.
Changed
- The link to the Supply Chain findings page in Semgrep AppSec Platform now filters to the specific repository and `ref` on which the findings are detected.
Fixed
- Fixed an issue where Supply Chain's Findings Detail pages weren't showing detailed error information.
Semgrep Assistant
Added
- Assistant Memories is now in public beta. This feature allows you to tailor Assistant's remediation guidance to your organization's standards and defaults on a per-project, per-rule basis.
- Added the ability for you to use your own OpenAI API key instead of Semgrep's. This allows you to have complete control over how OpenAI handles your data.
- Added the ability to query for Assistant's remediation guidance via the Findings API.
Semgrep Secrets
Changed
- The Secrets page in Semgrep AppSec Platform has been updated to match the corresponding pages for Semgrep Code and Semgrep Supply Chain.
- Secrets findings no longer display code snippets, even if the user has granted Semgrep code access.
- Secrets is no longer self-serve. To access Semgrep Secrets, you can contact your Semgrep account executive for a trial license.
Fixed
- Fixed an issue that caused files ignored by Semgrep Code, but not by Semgrep Secrets, to fail to be scanned by Semgrep Secrets.
Documentation and knowledge base
Added
- Documentation for providing your own OpenAI API key for use with Semgrep Assistant.
- EPSS documentation.
- Sections for various source code manager additions, such as:
- Support for multiple GitHub Enterprise Server organizations.
- MR comments for multiple GitLab groups.
- Documentation specifying which features make use of the IP addresses that you must add to your allowlist when you deploy Semgrep.
Changed
- Various improvements to the Network broker documentation, such as:
- Improved logging guidance.
- Clarified variable names and placeholder values that users should replace.
- Various updates to Editor documentation as a whole.
- Various updates to Semgrep Assistant documentation.
- Updated Semgrep Supply Chain documentation to reflect the latest product UI/UX state.
Fixed
- Updated and fixed various broken links.
- Minor typographical fixes.
Removed
- Removed the Ticketing page; Semgrep supports Jira exclusively. Other ticketing integration betas have been closed. Semgrep may reopen beta programs for future ticketing integrations.