Skip to main content

October 2025

ยท 3 min read

The following updates were made to Semgrep in October 2025.

๐ŸŒ Semgrep AppSec Platformโ€‹

Addedโ€‹

  • Semgrep Managed Scanning is now generally available. With Managed Scans, you can add repositories to your Semgrep organization in bulk without changing your existing CI workflows, and integrate Semgrep into developer workflows through PR or MR comments.
  • Added a Remember my email checkbox to the SSO login page.
  • Added the ability to change the name of Teams.
  • The Semgrep CLI is now compatible with machines running Python 3.14.

Changedโ€‹

  • The Scan details page now updates the URL with a permalink for easier sharing when viewed.
  • Semgrep's Docker image base has been upgraded from Alpine Linux 3.21 to 3.22.
  • semgrep/semgrep images now ship with Go 1.24.
  • Improved performance by preventing unnecessary data fetches when scan details arenโ€™t needed.

Fixedโ€‹

  • Fixed an issue where filtering findings using project tags doesn't return results.
  • Invalid CLI tokens now produce a clear error instead of a malformed success message.

๐Ÿ’ป Semgrep Codeโ€‹

Addedโ€‹

  • Semgrep Code findings now show Assistant's true or false positive analyses more prominently, along with which memories Assisted used during analysis. The findings also present the threat model for specific security issues in the context of the code, along with a summary of each issue.
  • The /setup_semgrep_mcp command now supports Claude Code.

Changedโ€‹

  • Temporary files created for rule checks are cleaned up after scans.
  • The rule validation check now includes a language check to ensure that only valid languages are used, preventing invalid rules from being added to policies.

Fixedโ€‹

  • Fixed an issue where some scans terminated with exit code 7.
  • MCP:
    • Fixed tool calls failing for some models, such as GPT-5.
    • Fixed a bug where resource closure errors occurred when trying to use the MCP with the streamable-http transport method.

โ›“๏ธ Semgrep Supply Chainโ€‹

Addedโ€‹

  • Supply Chain's reachability analysis now covers all high-severity CVEs from supported sources starting from 2017 for Go packages.

Fixedโ€‹

  • Supply Chain subproject resolution table is now shown in the CLI output after a scan, even when no subprojects were successfully resolved.
  • UV lockfiles that include editable and local dependencies without versions are now parsed correctly. The unversioned dependencies are ignored.
  • Failures to parse UV lockfiles are now correctly reported as Failed rather than Unsupported.

๐Ÿค– Semgrep Assistantโ€‹

Addedโ€‹

  • Added a new filter for AI component tags with No decision, allowing users to find findings analyzed by the Assistant, but not classified as low or high risk.

Changedโ€‹

  • Assistant's rule generation functionality in Semgrep AppSec Platform has been deprecated.

๐Ÿ”ง OSS Engineโ€‹