
Semgrep release notes for August 2024

๐ŸŒ Semgrep AppSec Platformโ€‹

Added

  • A new primary branch feature is now generally available (GA)! This feature lets you set your repository's default branch; typically Semgrep deployments perform full scans only on default branches. Previously, Semgrep automatically detected primary branches through a list of common names, such as main or master, but now you can set it to any unique name your organization may use, such as prod-1. Read the documentation.
  • Semgrep Managed Scans and Semgrep in CI: You can now view logs of all scans by going to the project's Details page.
  • Jira:
    • Added multi-label support when creating Jira tickets. Use a comma to separate labels.
    • Added Jira ticket information to information returned from the Findings API.
  • Added initial page state for Project > Details > Scans tab.

Changed

  • Various improvements and updates to the Semgrep pricing page.
  • Improvements to tooltips, help text, and icons in the Projects and Findings pages.
  • Semgrep Managed Scans: Improved error messages to users when clicking Run a new scan from the Projects > Details page. Now you are better equipped to troubleshoot issues with managed scans.
  • Updated the Buildkite CI configuration template.
  • Code search: YAML is now validated in the search step and invalid YAML is caught when viewing results.

Fixed

  • Jira: Fixed a bug which prevented error messages from appearing in tooltips when Jira tickets failed to be created. Now, you can see detailed error messages letting you know what went wrong when a Jira ticket is not successfully created through Semgrep.
  • Fixed a regression in which clicking outside of the Findings page filter component did not clear all filters.
  • Various copy edits to the Dashboard (beta) page.
  • Fixed an issue in which untriaged findings could be marked as reopened when creating Jira tickets from the Finding details page.
  • Fixed a bug in which the Dashboard did not display the correct number of findings.

💻 Semgrep Code

Added

  • Docker: Semgrep ellipses ... are now allowed in patterns for HEALTHCHECK commands.
  • Terraform: Added support for .tfvars files.

Changed

  • Semgrep CLI's --debug flag no longer generates profiling information, including time and scan performance measurements. To obtain this information, use --time.

Fixed

  • Fixed an error with Julia list comprehensions. For example, the pattern [$A for $B in $C] now matches [x for y in z] and results in three bindings [$A/x, $B/y, $C/z] instead of only one [$A/x].
  • Fixed an issue resulting in deadlock when a scan has interfile analysis and tracing enabled and the number of subprocesses is greater than 1 (j > 1).
  • Fixed an issue where the number of files reported as scanned by Semgrep CLI was inflated due to double-counting of generic and regex modes.
  • --debug now generates fewer log entries. Additionally, when the number of ignored files, rules, or other entities is too large, Semgrep indicates this in the logs with <SKIPPED DATA> to keep the output minimal.

โ›“๏ธ Semgrep Supply Chainโ€‹

Added

  • You can now filter and view EPSS scores for your Supply Chain findings.

Changed

  • The link to the Supply Chain findings page in Semgrep AppSec Platform now filters to the specific repository and ref on which the findings were detected.

Fixed

  • Fixed an issue where Supply Chain's Findings Detail pages weren't showing detailed error information.

🤖 Semgrep Assistant

Added

  • Assistant Memories is now in public beta. This feature allows you to tailor Assistant's remediation guidance to your organization's standards and defaults on a per-project, per-rule basis.
  • Added the ability for you to use your own OpenAI API key instead of Semgrep's. This allows you to have complete control over how OpenAI handles your data.
  • Added the ability to query for Assistant's remediation guidance via the Findings API.

๐Ÿ” Semgrep Secretsโ€‹

Changed

  • The Secrets page in Semgrep AppSec Platform has been updated to match the equivalent pages for Semgrep Code and Semgrep Supply Chain.
  • Secrets findings no longer display code snippets, even if the user has granted Semgrep code access.
  • Secrets is no longer self-serve. To access Semgrep Secrets, you can contact your Semgrep account executive for a trial license.

Fixed

  • Fixed an issue that caused files ignored by Semgrep Code, but not by Semgrep Secrets, to be skipped by Semgrep Secrets scans.

๐Ÿ“ Documentation and knowledge baseโ€‹

Added

  • Documentation for providing your own OpenAI API key for use with Semgrep Assistant.
  • EPSS documentation.
  • Sections for various source code manager additions, such as:
    • Support for multiple GitHub Enterprise Server organizations.
    • MR comments for multiple GitLab groups.
  • Documentation specifying which features make use of the IP addresses that you must add to your allowlist when you deploy Semgrep.

Changed

  • Various improvements to the Network broker documentation, such as:
    • Improved logging guidance.
    • Clarified variable names and placeholder values that users should replace.
  • Various updates to Editor documentation as a whole.
  • Various updates to Semgrep Assistant documentation.
  • Updated Semgrep Supply Chain documentation to reflect the latest product UI/UX state.

Fixed

  • Updated and fixed various broken links.
  • Minor typographical fixes.

Removed

  • Removed the Ticketing page; Semgrep supports Jira exclusively. Other ticketing integration betas have been closed. Semgrep may reopen beta programs for future ticketing integrations.

🔧 OSS Engine