
July 2025

The following updates were made to Semgrep in July 2025.

๐ŸŒ Semgrep AppSec Platformโ€‹

Addedโ€‹

  • Support for running Semgrep natively on Windows is now in public beta. This applies to running Semgrep through the CLI and in an IDE such as Cursor, VS Code, and IntelliJ.
  • Semgrep now includes a link to the GitHub pull request (PR) on the finding details page if you link the Semgrep finding in the PR you create.
  • Diff-aware managed scans now fail open by default: if a scan errors out or exceeds its timeout, it is marked as successful on the pull request (PR) or merge request (MR) even though it didn't complete. This lets you make the Semgrep status check required in your source code manager (SCM) without blocking a merge when the check hits an unexpected issue or runs too long. A check that passed because of fail open reported no results for that diff, so treat it as "scan did not finish" rather than as a clean scan.

Changed

  • General UI improvements, including style fixes.

Fixed

  • Fixed an issue where you couldn't add a connection to GitHub Enterprise without an access token.

💻 Semgrep Code

Added

  • Semgrep now prints a warning for each paths.include and paths.exclude pattern in a rule whose anchoring it considers ambiguous.
    • Example: a pattern with a slash in the middle, such as src/*.c, is considered floating, or unanchored, but to comply with the gitignore and semgrepignore specifications it must be treated as anchored. Semgrep prints a warning asking you to make the intent explicit: write /src/*.c for an anchored pattern or **/src/*.c for a floating one.
  • HTTP_PROXY and HTTPS_PROXY now accept URIs without a scheme, such as HTTP_PROXY=domain.com:port.

Fixed

  • Fixed an issue where some diff-aware scans on shallow clones used the wrong merge base, so commits that weren't part of the pull request were scanned. Semgrep now determines the specific merge base to use for a diff-aware scan.
  • Fixed an issue where an empty file would sometimes be created in place of a missing input file.
  • Fixed an issue where log entries weren't succinct and contained mid-entry newlines that broke log-parsing tools.
  • Fixed an issue where the sign-in command didn't work.
  • Fixed an issue where CiScanComplete.dependencies was populated with unparsed dependencies.
  • Fixed an issue where error details weren't printed when a SemgrepError exception caused Semgrep to fail.
  • Semgrep now prints an error message and exits instead of silently exiting with code 2 when you run semgrep scan in a Docker container without an argument and no target project is mounted under /src.
  • Fixed an issue where a Unix.Unix_error would occasionally crash the experimental language server on startup.
  • Fixed an issue where scans of large repositories in debug mode produced overly large logs.
  • Path filters in rules, such as paths.exclude and paths.include, now apply to normalized file paths relative to the project root. This makes target selection independent of the current working directory.
  • Patterns with a leading slash, such as /src, are now anchored instead of floating. For example, exclude: [ "/src" ] excludes the target file src/main.c but not misc/src/main.c.
  • Java: the class $A partial class pattern is deprecated in favor of class $A { ... }.
  • Python: Fixed an issue where the Python parser didn't correctly parse and handle valid structural dictionary patterns.
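The path-filter behavior described in this section (the ambiguity warning for middle-slash patterns under Added, and the normalized-path and leading-slash anchoring fixes under Fixed) as an added example, not Semgrep's own code: a small Python matcher that applies gitignore-style anchoring to rule-level paths.include and paths.exclude patterns, normalizes targets relative to the project root so the working directory doesn't matter, and flags patterns whose anchoring a rule author should make explicit. The function names, the project root /proj and the sample file list are constructed for this example.

```python
"""Gitignore-style path filters for rule-level paths.include / paths.exclude.

Added example (not Semgrep's code). Implements the anchoring rules from the
release notes: a leading "/" or a slash in the middle of a pattern anchors it
to the project root, a "**/" prefix makes it float, and a trailing "/" matches
a directory and everything below it. Paths are normalized relative to the
project root before matching so the result does not depend on the current
working directory. Function names and the sample file list are constructed.
"""
import os
import re


def _glob_to_regex(pattern: str) -> str:
    """Translate one gitignore-style glob into a regex body (no ^ or $)."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")      # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")            # anything, including slashes
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")         # wildcard within one path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def is_anchored(pattern: str) -> bool:
    """gitignore semantics: "**/" floats; a leading "/" or a slash anywhere
    before the last character anchors the pattern to the project root."""
    if pattern.startswith("**/"):
        return False
    if pattern.startswith("/"):
        return True
    return "/" in pattern.rstrip("/")


def is_ambiguous(pattern: str) -> bool:
    """A middle slash with neither a leading "/" nor a "**/" prefix
    (e.g. src/*.c) is anchored by the spec but easy to read as floating."""
    return is_anchored(pattern) and not pattern.startswith("/")


def ambiguity_warnings(patterns):
    """The warning a rule author should act on: make the anchoring explicit."""
    return [f"{p}: ambiguous anchoring; write /{p} (anchored) or **/{p} (floating)"
            for p in patterns if is_ambiguous(p)]


def compile_pattern(pattern: str):
    """Compile a filter pattern to a regex over root-relative paths. A match
    on a directory also covers every file below it, as in gitignore."""
    dir_only = pattern.endswith("/")
    core = pattern.strip("/")
    anchored = is_anchored(pattern)
    prefix = "" if anchored or core.startswith("**/") else "(?:.*/)?"
    tail = "/.*" if dir_only else "(?:/.*)?"
    return re.compile("^" + prefix + _glob_to_regex(core) + tail + "$")


def normalize(path: str, project_root: str) -> str:
    """Path relative to the project root, forward slashes only."""
    rel = os.path.relpath(os.path.abspath(path), os.path.abspath(project_root))
    return rel.replace(os.sep, "/")


def select_targets(targets, project_root, include=(), exclude=()):
    """Apply a rule's paths.include / paths.exclude to candidate files: with
    include patterns present a file must match one; any exclude match drops
    it. Returns the kept files as root-relative paths."""
    inc = [compile_pattern(p) for p in include]
    exc = [compile_pattern(p) for p in exclude]
    kept = []
    for target in targets:
        rel = normalize(target, project_root)
        if inc and not any(r.match(rel) for r in inc):
            continue
        if any(r.match(rel) for r in exc):
            continue
        kept.append(rel)
    return kept


if __name__ == "__main__":
    # Constructed sample tree; the filters are the ones from the release notes.
    files = ["/proj/src/main.c", "/proj/misc/src/main.c", "/proj/src/util.py"]
    print(select_targets(files, "/proj", exclude=["/src"]))        # ['misc/src/main.c']
    print(select_targets(files, "/proj", exclude=["**/src/*.c"]))  # ['src/util.py']
    print(select_targets(files, "/proj", include=["src/*.c"]))     # ['src/main.c']
    for line in ambiguity_warnings(["src/*.c", "/src/*.c", "**/src/*.c", "*.c"]):
        print("warning:", line)
```

Run it from any directory: because select_targets normalizes each target against the project root before matching, exclude: [ "/src" ] drops src/main.c and keeps misc/src/main.c regardless of where the process was started, and only src/*.c, the middle-slash pattern without an explicit anchor, produces a warning.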

โ›“๏ธ Semgrep Supply Chainโ€‹

Addedโ€‹

  • Supply Chain support for PHP reachability analysis is now generally available (GA).
  • You can now use the Upgrade guidance filter to find findings based on whether upgrading to the dependency version that remediates the vulnerability introduces breaking changes.
  • Beginning with Semgrep v1.127.0, uv is a supported package manager for Dependency Paths. This means that uv is a supported package manager across all Supply Chain features.

🤖 Semgrep Assistant

Added

  • You can now see which memories were used by Assistant when it generated remediation guidance for a specific finding. Semgrep displays this information on the finding details page.

๐Ÿ” Semgrep Secretsโ€‹

Addedโ€‹

  • Added the ability to send Slack notifications for Secrets findings.
  • Semgrep now makes up to three attempts when validating Amazon Web Services (AWS) credentials if a validation attempt fails for possibly transient reasons.

๐Ÿ“ Documentation and knowledge baseโ€‹

Addedโ€‹

Fixedโ€‹

  • Minor fixes, including fixes to broken link anchors.

🔧 OSS Engine