September 2025

The following updates were made to Semgrep in September 2025.

๐ŸŒ Semgrep AppSec Platformโ€‹

Addedโ€‹

  • Added the ability to filter Secrets findings by branch.
  • Added a confirmation pop-up when switching between the Production and Pre-production views.

Changed

  • Jira: the Semgrep Jira integration now automatically creates Jira tickets for Semgrep Code and Semgrep Secrets findings with a critical severity level.

Fixed

  • Jira: Team information now loads when the user attempts to map to the Team custom field.
  • Supply Chain's Advisories filter now filters based on the correct field.
  • Fixed the handling of invalid GitHub refresh tokens. If a user's GitHub refresh token is invalid, Semgrep prompts the user to log in again.
  • Minor UI fixes.

💻 Semgrep Code

Added

  • Added the semgrep mcp subcommand to the Semgrep CLI tool, which runs the Semgrep MCP server.
  • Improved pre-filtering for taint rules, primarily when taint labels are used.
  • Scala: Added support for method dispatching through traits.
  • TypeScript: improved name resolution for destructuring parameters.

Changed

  • The Semgrep MCP server repository has been moved from semgrep/mcp to semgrep/semgrep.
  • Updated semgrep-interfaces to accept only valid language keys for rules in Semgrep Editor.
  • Semgrep now filters SEMGREP_APP_TOKEN from any request made to non-Semgrep URLs passed to -f/-c/--config when fetching configurations and rules.
  • Python: Fixed an issue involving the resolution of implicit namespace modules.
  • TypeScript:
    • Fixed an issue where the pattern var $X = $FUNC($REQ, $RES, ...) {...} didn't parse correctly.
    • Improved the performance of tsconfig.json matching for TypeScript projects that contain multiple tsconfig.json files.
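The SEMGREP_APP_TOKEN entry above describes a credential-scoping control: an API token should only travel to the vendor's own hosts, never to an arbitrary URL a user supplies on the command line. The Python below is an added illustration of that control, not Semgrep's own code; the allow-listed host names, the header layout and the sample URLs are assumptions made for this example.

```python
"""Scope an API token to first-party hosts when fetching rule configurations.

Added illustration of the control described in the changelog entry; this is
not Semgrep's own code. The allow-listed hosts below are an assumption.
"""
import os
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed allow-list: only these exact host names may receive the token.
FIRST_PARTY_HOSTS = frozenset({"semgrep.dev", "app.semgrep.dev"})


def is_first_party(url: str) -> bool:
    """Return True only for https URLs whose exact host is allow-listed.

    Exact matching rejects look-alike hosts such as semgrep.dev.evil.example,
    and urlsplit().hostname drops any userinfo, so a URL written as
    https://semgrep.dev@evil.example/ resolves to evil.example and is rejected.
    Plain http is rejected so the token is never sent in cleartext. Sources
    that are not URLs at all (local files, registry names such as p/default)
    have no scheme and also get no token.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in FIRST_PARTY_HOSTS


def build_request_headers(url: str, app_token: Optional[str]) -> Dict[str, str]:
    """Build headers for a config fetch; the token is attached only to first-party hosts."""
    headers = {"User-Agent": "example-config-fetcher/0.1"}  # hypothetical UA string
    if app_token and is_first_party(url):
        headers["Authorization"] = f"Bearer {app_token}"
    return headers


if __name__ == "__main__":
    # Constructed demo token; a real run would read the environment variable.
    token = os.environ.get("SEMGREP_APP_TOKEN", "constructed-token-for-demo")
    for src in [
        "https://semgrep.dev/p/default",
        "https://raw.githubusercontent.com/org/repo/rules.yaml",
        "https://semgrep.dev@evil.example/rules.yaml",
    ]:
        sent = "Authorization" in build_request_headers(src, token)
        print(src, "->", "token attached" if sent else "no token")
```

The check is deliberately an exact host match over https rather than a substring or prefix test, so subdomain look-alikes, userinfo tricks and downgrade to plain http all fail closed.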

Fixed

  • Glob patterns containing \# or \ in .semgrepignore and included .gitignore files are now interpreted correctly.
  • Updated opentelemetry-* packages to remove "pkg_resources is deprecated" warnings.
  • Dart: Fixed an issue in language processing to return better results.
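The .semgrepignore entry above concerns gitignore-style escaping: a line that starts with # is a comment, so a file name that really begins with # must be written as \#, and a backslash likewise protects a leading ! or a trailing space. A misread escape silently changes which files are scanned, so the rules are worth seeing in code. The parser below is an added example that implements those escape rules, not Semgrep's own implementation; the sample ignore file is constructed, and matching is simplified to fnmatch against the full path and the basename rather than full gitignore semantics.

```python
"""Parse gitignore-style ignore lines, honouring backslash escapes.

Added example, not Semgrep's own implementation. "\\#" and "\\!" keep a
literal "#" or "!" at the start of a line, and "\\ " keeps a trailing space
that would otherwise be stripped. The sample ignore file is constructed, and
matching is simplified to fnmatch against the full path and the basename.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IgnoreRule:
    pattern: str   # glob with escapes resolved; escaped metacharacters become [c]
    negated: bool  # True for lines starting with an unescaped "!"


def _resolve_escapes(text: str) -> str:
    """Replace "\\c" with a literal c; escaped glob metacharacters become "[c]"."""
    out: List[str] = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            out.append(f"[{nxt}]" if nxt in "*?[" else nxt)
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_ignore_line(raw: str) -> Optional[IgnoreRule]:
    """Return the rule for one line, or None for blank and comment lines."""
    line = raw.rstrip("\r\n")
    # An unescaped leading "#" is a comment; "\#" starts with "\", so it is kept.
    if not line.strip() or line.startswith("#"):
        return None
    # Trailing spaces are ignored unless the last one is escaped.
    while line.endswith(" ") and not line.endswith("\\ "):
        line = line[:-1]
    negated = line.startswith("!")  # "\!" starts with "\", so it is not negation
    if negated:
        line = line[1:]
    pattern = _resolve_escapes(line)
    if not pattern:
        return None
    return IgnoreRule(pattern=pattern, negated=negated)


def load_ignore_rules(text: str) -> List[IgnoreRule]:
    """Parse a whole ignore file, dropping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        rule = parse_ignore_line(raw)
        if rule is not None:
            rules.append(rule)
    return rules


def is_ignored(path: str, rules: List[IgnoreRule]) -> bool:
    """Last matching rule wins, as in gitignore; a negated match un-ignores."""
    basename = path.rsplit("/", 1)[-1]
    ignored = False
    for rule in rules:
        if fnmatch.fnmatchcase(path, rule.pattern) or fnmatch.fnmatchcase(basename, rule.pattern):
            ignored = not rule.negated
    return ignored


# Constructed sample .semgrepignore content (not from any real project).
SAMPLE_SEMGREPIGNORE = (
    "# constructed example; comment line\n"
    "*.min.js\n"
    "!keep.min.js\n"
    "\\#not-a-comment.js\n"
    "\\!literal-bang.js\n"
    "notes\\ \n"
)

if __name__ == "__main__":
    rules = load_ignore_rules(SAMPLE_SEMGREPIGNORE)
    for p in ["dist/app.min.js", "dist/keep.min.js", "#not-a-comment.js",
              "!literal-bang.js", "notes ", "notes"]:
        print(repr(p), "ignored" if is_ignored(p, rules) else "scanned")
```

Run it to see that "#not-a-comment.js" is treated as a pattern rather than a comment, that "!literal-bang.js" is a literal name rather than a negation, and that "notes " (with the escaped trailing space) is distinct from "notes".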

โ›“๏ธ Semgrep Supply Chainโ€‹

Addedโ€‹

  • Supply Chain's reachability analysis now covers all high severity CVEs from supported sources starting from 2017 for JavaScript packages.

๐Ÿ” Semgrep Secretsโ€‹

Addedโ€‹

๐Ÿ“ Documentation and knowledge baseโ€‹

Addedโ€‹

๐Ÿ”ง OSS Engineโ€‹