November 2023 release notes

tip
  • Semgrep Pro Engine is now generally available (GA). Team tier users and above can use the Pro Engine to perform cross-file (interfile) and cross-function (intrafile) analyses. To enable Semgrep Pro Engine:
    1. Sign in to Semgrep Cloud Platform
    2. Click Settings.
    3. Click the Semgrep Pro Engine toggle.
  • See Semgrep Pro Engine documentation for more information.
  • The Semgrep command-line tool now requires Python 3.8 or later.

🔧 Semgrep OSS Engine

note

Beginning with version 1.46.0, Semgrep is first released to:

  • PyPI
  • brew
  • semgrep/semgrep:canary (Docker)

If no issues are detected after a few days, the Semgrep team then promotes the :canary Docker tag to :latest.

๐ŸŒ Semgrep Cloud Platformโ€‹

Added

  • Semgrep now records the languages using interfile analysis during a scan. This enables the Semgrep team to measure new Pro Engine languages' performance impact and error rates. For scans that don't send metrics, there is no change. See Semgrep Privacy Policy for more information.
  • Added a link to the SSO documentation to help users set up SSO.
  • CLI tool: Added --config code and --config secrets flags to the semgrep scan command. When using these flags, the environment variable SEMGREP_REPO_NAME must be set. For example,
    $ SEMGREP_REPO_NAME=test_repo semgrep --config secrets

Changed

  • Elixir language support now requires the Pro Engine. To scan Elixir codebases, enable the Pro Engine.
  • The Semgrep CLI tool now correctly counts the rules run on a codebase. Previously, Semgrep counted the total rules in the user's Policies or rulesets, including rules that had no valid targets and therefore did not actually run.
  • Updated instances of returntocorp to Semgrep.
  • Semgrep Editor: Rules created in the editor are private by default. This means only members of your organization can view rules you have created. To create a private rule visible only to you (an individual), ensure that you create the rule in your individual account.
  • Improved error pages.
  • semgrep scan --config PRODUCT_NAME now uses the same endpoint as semgrep ci to fetch the scan configuration. You must be logged in when using these commands. You can continue running semgrep scan without logging in by providing configuration such as --config auto.

Fixed

  • API: Fixed an issue where the severities filter did not return the correct value.
  • CLI tool:
    • The --severity=[VALUE] option, which can be added to a semgrep scan command, has been fixed.
    • The --sarif flag no longer crashes when Semgrep itself encounters errors.
  • Semgrep now refuses to run incompatible versions of the Pro Engine, rather than crashing and returning a confusing error message.
  • Fixed an issue where the CI provider icons disappeared from the Scan new project in CI window. The icons now appear.
  • Implemented minor fixes for the new onboarding flow.

💻 Semgrep Code

Changed

  • Scanning timeout: The timeout per rule and per file has increased from 2 seconds to 5 seconds.

Fixed

  • Findings page: Fixed an issue where filtering by repositories wasn't working.

โ›“๏ธ Semgrep Supply Chainโ€‹

Fixed

  • Slack messages:
    • Improved readability of Semgrep Supply Chain messages by adding new lines between sections.
    • Fixed links that were not working.
  • Fixed out-of-bounds list access error in Cargo.lock parser.
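The Cargo.lock fix above is a reminder that lockfile parsers in an SCA pipeline must tolerate truncated or partial entries instead of indexing into fields that may be absent. The following is an added illustration written for this page, not Semgrep's own parser: a small line-based reader for the `[[package]]` blocks of a Cargo.lock file that keeps incomplete entries and flags them rather than failing. The sample lockfile is constructed; its second entry is deliberately missing its version and has an unterminated dependencies list.

```python
import re
from typing import Dict, List

# Constructed sample Cargo.lock. The second [[package]] block is
# intentionally malformed (no "version", dependencies list never closed)
# to exercise the path a naive parser would crash on.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.193"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "serde_derive",
]

[[package]]
name = "broken"
dependencies = [
 "serde",
"""

KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')   # key = "value"
DEP_RE = re.compile(r'^\s*"([^"]+)"\s*,?\s*$')      # one dependency line


def parse_cargo_lock(text: str) -> List[Dict]:
    """Return one dict per [[package]] block. Fields are looked up by
    key, never by position, so a short entry cannot raise IndexError."""
    packages: List[Dict] = []
    current = None
    in_deps = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "[[package]]":
            current = {"dependencies": []}
            packages.append(current)
            in_deps = False
            continue
        if current is None:
            continue  # header lines before the first package block
        if in_deps:
            if stripped == "]":
                in_deps = False
            elif (m := DEP_RE.match(line)):
                current["dependencies"].append(m.group(1))
            continue
        if stripped.startswith("dependencies"):
            in_deps = not stripped.endswith("]")  # "[]" inline is already closed
            continue
        if (m := KV_RE.match(stripped)):
            current[m.group(1)] = m.group(2)
    for pkg in packages:  # flag entries that cannot be matched against an advisory DB
        pkg["complete"] = all(k in pkg for k in ("name", "version"))
    return packages
```

Entries with `complete == False` should be reported as unresolvable rather than silently dropped, so a damaged lockfile does not hide a dependency from the scan.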

๐Ÿ” Semgrep Secrets (beta)โ€‹

Added

  • Added an optional --no-secrets-validation flag to skip secrets validation. To run a Secrets scan without validation, use the command semgrep ci --secrets --no-secrets-validation.
  • Secrets and Secrets details page: Added a ticket icon to quickly inform users if a ticket has been created for the finding.

Changed

  • Semgrep Secrets now bypasses targets defined in .semgrepignore. This means that files not typically part of a SAST or SCA scan scope, such as configuration files, are now scanned by Semgrep Secrets. Broadening the scope of Semgrep Secrets scans means it is more likely to find leaked secrets.
    • Previously, Semgrep Secrets excluded targets from .semgrepignore. Your findings count may increase with this change.
    • You can still define exclusions from Secrets scanning. To exclude targets from Secrets scanning, define files or paths for exclusion in Semgrep Cloud Platform:
      1. Click Projects.
      2. Click the Project's icon.
      3. Add exclusions through the Path ignores text box.
    • In the future, Semgrep will enable users to define ignores based on the type of scan, whether SAST, SCA, or Secrets.

Fixed

  • Fixed an issue where the Secrets page could freeze due to too many findings.
  • Fixed a bug where enabling the Secrets beta caused the default scan mode to be set to OSS Engine, even when the Pro flag was turned on in the web UI.
  • Metadata overrides specified in validators were incorrectly applied on top of one another (on a per-rule basis), so that only the last was applied. Each update is now correctly applied independently to each finding based on the rule's validators.

๐Ÿ“ Documentation and knowledge baseโ€‹

Added

Changed

Fixed

  • Minor corrections and updates to various articles.