
Semgrep release notes for December 2023

🔧 OSS Engine

🌐 Cloud Platform

Added

  • Semgrep IDE integrations now cache information about the current repository so that it doesn't traverse the entire repository on every scan to determine if the files are valid targets for scanning; this improves scan times.
  • Users can now ignore findings locally in Semgrep IDE extensions. The changes persist between restarts, though they're not reported back to Semgrep Cloud Platform and don't affect the remote repository or other users. Note that these findings are still detected when Semgrep scans your code, typically when opening a pull request or merge request.
  • The metrics collected now include more granular information to help differentiate scans using different engine capabilities, such as intraprocedural scans without secrets validation versus intraprocedural scans with secrets validation.
  • CLI tool: Added the new semgrep test subcommand, an alias for semgrep scan --test. Note: If the directory you want to scan is named test, run semgrep scan test so that the path is not mistaken for the new semgrep test subcommand.

Changed

  • OCaml: Switched to a tree-sitter-based parser instead of the Menhir parser.
  • Rust: Updated the parser used for Rust.

Fixed

  • Fixed an issue where webhooks stopped working.
  • Fixed an issue so that clicking Start Tour now restarts the Getting Started tutorial.
  • Fixed an issue where the Members page doesn't display a user's new role until the page reloads.
  • Fixed an issue where users switching organizations would result in a 404.
  • Fixed the Connect to button under Settings > Source Code Managers so that it displays correctly based on whether the user can connect to a source code manager.
  • CLI tool: Updated CLI error message to clarify that users should log in before running either:
    • semgrep ci
    • semgrep scan --config

💻 Code

Fixed

  • Fixed an issue where Semgrep Code findings marked as fixed can be triaged through the rule group. Once a finding is fixed, its triage status can't be changed back to ignored.
  • Fixed an issue where the rule information card and the rule preview are missing for older findings; all findings now display this information.
  • Fixed an issue where the finding's severity displayed doesn't match the rule's severity once the rule has been updated.

โ›“๏ธ Semgrep Supply Chainโ€‹

Changedโ€‹

  • Fixed an issue where empty tables in pyproject.toml files would fail to parse.

🤖 Assistant (beta)

Added

  • Added an Analyze button to the Code page in Semgrep Cloud Platform. It runs all Assistant functions (autofix, autotriage, and component tagging) on the selected findings. Once Assistant has finished, filter findings by Recommendation or by Component to see the results. Users who choose No Grouping instead of Group by Rule also see true positive and false positive recommendations on each finding's details page.

๐Ÿ” Secrets (beta)โ€‹

Addedโ€‹

  • Added support for custom validator rules, which can be written in Semgrep's Rules Editor and run with semgrep ci --allow-untrusted-validators. The flag is required because a custom validator sends each candidate secret to an endpoint you specify, so only point it at the service that issued the credential. Custom validator rules are private and can't be shared to the Semgrep Registry.
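
As an added illustration of the custom validator rules mentioned above (this is example content written for this page, not a rule shipped by Semgrep), the rule below detects a hypothetical "acme_live_" API token and asks a hypothetical Acme endpoint whether the token is still live. The rule ID, token format, host and URL are made up; the validators/http schema, the metadata product key and the regex language follow Semgrep's validator rule syntax as documented separately, so check the current schema before relying on the exact key names.

```yaml
rules:
  - id: acme-api-token-validated            # hypothetical rule ID
    message: Acme API token found and confirmed live against the Acme API
    severity: ERROR
    languages: [regex]                       # regex-only rule; no source language parsing
    metadata:
      product: secrets                       # assumed key that routes findings to Semgrep Secrets
    patterns:
      # Hypothetical token format. The named group binds $TOKEN so the
      # validator below can substitute the matched string into the request.
      - pattern-regex: (?P<TOKEN>acme_live_[A-Za-z0-9]{32})
    validators:
      - http:
          request:
            method: GET
            url: https://api.acme.example/v1/whoami   # hypothetical endpoint
            headers:
              Authorization: Bearer $TOKEN
              Host: api.acme.example
              User-Agent: Semgrep
          response:
            # Only the issuing service's answer decides validity; any other
            # status code leaves the finding unvalidated rather than guessing.
            - match:
                - status-code: 200
              result:
                validity: valid
            - match:
                - status-code: 401
              result:
                validity: invalid
```

Run it with semgrep ci --allow-untrusted-validators. Keep the request over HTTPS and restrict the URL to the credential's own issuer: a validator is, by design, code that transmits matched secrets off the box, which is why Semgrep gates untrusted validators behind an explicit flag and keeps these rules out of the public registry.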

Fixed

  • Fixed an issue where the Ignore button doesn't work when triaging Secrets.

๐Ÿ“ Documentation and knowledge baseโ€‹

Addedโ€‹

Changedโ€‹

  • Updated overview articles for Semgrep Code and Semgrep Supply Chain.
  • Updated documentation on setting up pull request or merge request comments for GitHub, GitLab, and Bitbucket users.
  • General improvements to API docs, including clarification of usage instructions for Supply Chain and Secrets endpoints.

Fixed

  • Minor corrections and updates to various articles.