Skip to main content

    November 2022

    Semgrep Supply Chain

    Additions

    • Added Supply Chain support for requirements.txt lockfiles (requires requirement.in manifest files).
    • Added support for Yarn 2 and Yarn 3 lockfiles.

    Changes

    • Reachable Supply Chain findings no longer block pull requests when using semgrep ci. Note: Unreachable findings are non-blocking already.
    • Previously, Semgrep Supply Chain re-scanned projects automatically every week. Now, newly added projects to Semgrep Supply Chain that use GitHub Actions are by default re-scanned every day. This update only affects newly added projects.

    Semgrep App

    Additions

    • When you triage a finding, Semgrep App now displays a form that asks whether the finding was a False positive, Acceptable risk, or you had No time to fix. For more information, see Managing finding status. Screenshot of Semgrep App triage menu
    • When ignoring an individual finding, you can now ignore similar future findings by selecting one of the following options: Just this file, This directory, or Parent directory. These options specify which files and directories Semgrep App ignores. In addition, you can now remove a rule when you triage a single finding without having to go to the Rule board. To ignore a rule while triaging a finding, enable the Remove this rule from Rule board when triaging an individual finding. See Ignoring individual findings.

    Changes

    • The toggle to enable Autofix functionality has been moved from the project settings page to the global organization Settings page.
    • Previously, Semgrep App re-scanned projects automatically every week. Now, newly added projects to Semgrep App that use GitHub Actions are by default re-scanned every day. This update only affects newly added projects.
    • Many bug fixes and performance improvements were introduced to make your experience with Semgrep App much more pleasant.

    Semgrep CLI

    These release notes include upgrades for versions ranging between 0.120.0 and 0.123.0. Version 0.119.0 of Semgrep was intentionally skipped. Version 0.120.0 immediately follows version 0.118.0.

    Additions

    • DeepSemgrep: Added installation path for DeepSemgrep on M1 machines.
    • Fail gracefully and print an error message when running in unsupported Linux aarch64 or arm64 environment.

    Changes

    • taint-mode: Semgrep’s taint analysis now provides basic field sensitivity support. See Field sensitivity section for more details.

    Semgrep in CI

    Changes

    • Previously, Semgrep overrode user-defined environment variables with values it detected from the CI provider. Now, user-defined environment variables take precedence (override) Semgrep's detected values. By enabling you to override CI variables, you are able to troubleshoot issues such as hyperlinks to code in the Findings page and receiving comments in pull or merge requests.

      • This change affects the following CI providers:
        • Buildkite
        • CircleCI
      • This change affects the following variables:
        • SEMGREP_REPO_NAME
        • SEMGREP_REPO_URL
        • SEMGREP_BRANCH
        • SEMGREP_JOB_URL
        • SEMGREP_COMMIT

      Note: Previous month, this update already affected Azure Pipelines, Bitbucket Pipelines, Jenkins, and Travis CI.

    Documentation updates

    Additions

    General documentation additions

    Semgrep App

    • The Tagging projects document explains how to use tags in projects added to Semgrep App.

    Semgrep CLI

    Changes


    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.