Semgrep release notes for January 2025
Semgrep AppSec Platform
- The Policy Management API is now generally available. The Policy Management API allows you to automate tasks such as:
  - Add, update, and disable rules across multiple policies.
  - Apply rules in different modes, such as monitor, comment, block, or disable, to align with security workflows.
  - Integrate policy management into CI/CD pipelines to ensure consistent enforcement during software development.
- Semgrep Managed Scans:
  - Managed scans for repositories hosted by Azure DevOps are now in public beta.
  - GitHub users can turn on or off full scans and diff-aware scans for individual projects scanned by Semgrep Managed Scans.
- Jira: added the ability to map the Team information back to Semgrep.
- Org admins can now invite new users to Semgrep by email. Invited users receive an email with instructions on how to join the organization's Semgrep account.
- Added pagination to the Settings > Access > Members page, as well as the ability to search for members.
Changed
- The search bar in the Projects page now loads faster.
- Links to the Project Settings and Scans pages now use project IDs instead of project names. Existing links using project names continue to function normally.
Fixed
- Fixed an issue where commands not prefixed with `/semgrep` or `/` weren't correctly handled.
- Fixed an issue where reports generated by Semgrep AppSec Platform weren't correctly displaying the age of findings.
- Fixed an issue where the first page of Bitbucket Data Center repositories wasn't displayed.
- Fixed the formatting of Bitbucket Cloud PR comments.
Semgrep Code
Added
- Added support for lambdas (anonymous functions) as callbacks in taint analysis. This is supported for all languages that have lambdas. In the following example, taint now flows from the `tainted` argument through the `callback` parameter into the anonymous function's `val` parameter:

```javascript
var tainted = source(); // taint source

function withCallback1(val, callback) {
  if (val) {
    callback(val); // taint flows into the lambda's parameter
  }
}

withCallback1(tainted, function (val) {
  sink(val); // finding !
});
```
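A taint rule that exercises this behaviour, added here as an example and not taken from the release notes or the Semgrep rule registry. The `source()` and `sink()` names follow the snippet above; the rule id and message are made up:

```yaml
# Added example rule (not from the release notes). Tracks taint from the
# assumed source() call to the assumed sink() call, including flows that pass
# through a lambda passed as a callback.
rules:
  - id: taint-through-lambda-callback
    mode: taint
    languages: [javascript]
    severity: ERROR
    message: Tainted data from source() reaches sink() through a callback
    pattern-sources:
      - pattern: source()
    pattern-sinks:
      - pattern: sink(...)
```

Save the rule as `taint-callback.yaml` and the snippet as `callback.js`, then run `semgrep scan --config taint-callback.yaml callback.js`. With lambda-callback support the `sink(val)` line inside the anonymous function is reported; the taint does not stop at the `callback(val)` call in `withCallback1`. To keep this as a regression check, add a `// ruleid: taint-through-lambda-callback` comment on the line above `sink(val)` and run `semgrep scan --test`.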
Changed
- Removed pip from the Semgrep Docker image. If necessary, you can install it by running `apk add py3-pip`.
Fixed
- The `semgrep test` and `semgrep validate` commands have been correctly documented as EXPERIMENTAL in `semgrep --help`. Those commands are not GA. It is recommended to use `semgrep scan --test` and `semgrep scan --validate` instead.
- Improved error handling for capabilities ancillary to a scan, such as looking for `nosemgrep` comments and rendering autofixes, to reduce the likelihood of an unexpected error in such a component causing the scan to error.
- Fixed the behavior of Semgrep when running into broken symlinks. If such a path is passed explicitly as a scanning root on the command line, it results in an error. Otherwise, if it's a file discovered while scanning the file system, it's a warning.
- Fixed an issue with crashes due to an exception in `lines_of_file`. The code should now be more robust and not stop the whole scan when an out-of-bound line access happens during `nosemgrep` analysis or when displaying the lines of a match.
Semgrep Supply Chain
Added
- Dependency Paths are now available in public beta for the following languages and package managers:
  - JavaScript: npm, pnpm, and yarn are supported.
  - Python: Only Poetry is supported. Reach out to Semgrep Support to join the beta program.
- C#: Semgrep can now scan NuGet codebases without the need for a lockfile. This feature is in private beta. See also Scan a project without lockfiles. Reach out to support@semgrep.com to join the beta program.
- Semgrep now ingests CVE information from Electron release notes. This information is used to generate rules that can detect if you're affected by CVEs from this source.
Changed
- Semgrep Supply Chain Policies are now in public beta. Creating a policy enables you to:
  - Customize when Semgrep sends a finding as a PR or MR comment or fails the CI job.
  - Customize the projects and conditions that send a comment or fail a CI job.
Fixed
- Fixed a bug where Supply Chain diff-aware scans of `package-lock.json` v2 projects incorrectly produced non-new findings.
Semgrep Assistant
Added
- Noise filtering is now in public beta. With Noise Filtering, Assistant evaluates each Semgrep Code finding to determine if it's a true positive using additional context and prevents a PR comment from being posted in the developer workflow if it's not.
- Auto-triage Memories is now in public beta. With this feature, you can identify findings that are safe to ignore and write triage notes indicating why this is so. Assistant then stores this information as a memory and uses it to assess whether similar findings are shown to developers in the future. Assistant also takes that memory, reanalyzes similar findings in your backlog, and suggests issues that may be safe to close.
Documentation and knowledge base
Added
- Added the following new documents, articles, and sections:
  - Set up Semgrep Managed Scans with Azure DevOps.
  - Semgrep for developers, a new series of documents that aims to:
    - Help AppSec engineers educate developers about Semgrep and secure coding.
    - Inform developers of how to resolve Semgrep findings in various environments, such as their pull requests or merge requests.
  - Semgrep Assistant metrics, which explains how Assistant's metrics and benchmarks are analyzed.
  - SAML single sign-on with Google Workspace.
  - Reference for Semgrepignore v2.
  - Customize Semgrep in `pre-commit`.
- Minor additions and updates:
  - Added instructions to remove projects scanned with Semgrep Managed Scans.
- Major updates have been made to the following documentation:
  - Supported languages now provides a summary table for both Code and Supply Chain features for each language.
- Thanks to savq for their improvements to Semgrep's contributing documentation.
Changed
- Clarified language around manifest files and lockfiles.
- Updated Semgrep rules licensing documentation.
Removed
- Removed references to the asdf-semgrep plugin.
Semgrep Community Edition (CE)