Teams need to know not just which dependencies are vulnerable, but how a vulnerable transitive package connects back to a direct dependency. Dependency path data is now available in two places: SBOM exports include the full dependency graph in the CycloneDX dependencies section, and the Issue API now shows which direct dependency introduced each vulnerable transitive package.
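As an added illustration (not Semgrep's code and not from this announcement) of how a consumer can recover that direct-to-transitive path from a CycloneDX export, the script below walks the SBOM's `dependencies` section, where each entry lists a `ref` and the `dependsOn` refs it pulls in, starting from the root component named in `metadata.component.bom-ref`. The SBOM embedded here is constructed sample data with made-up package names; it deliberately includes a dependency cycle so the walk shows how to tolerate one.

```python
"""Recover which direct dependency introduces a vulnerable transitive
package by walking a CycloneDX SBOM's `dependencies` graph.

SAMPLE_SBOM is CONSTRUCTED sample data with hypothetical package names;
it is not an export from any real project or scanner.
"""
from collections import defaultdict

# Constructed CycloneDX 1.5 SBOM trimmed to the fields needed for path recovery.
# Refs use purl syntax; the root component lives in metadata.component.bom-ref.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:npm/example-app@1.0.0", "name": "example-app"}},
    "components": [
        {"bom-ref": "pkg:npm/web-framework@4.2.0", "name": "web-framework", "version": "4.2.0"},
        {"bom-ref": "pkg:npm/cli-tool@2.0.0", "name": "cli-tool", "version": "2.0.0"},
        {"bom-ref": "pkg:npm/http-client@1.1.0", "name": "http-client", "version": "1.1.0"},
        {"bom-ref": "pkg:npm/url-parse-lib@0.9.0", "name": "url-parse-lib", "version": "0.9.0"},
        {"bom-ref": "pkg:npm/logger@3.0.0", "name": "logger", "version": "3.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/example-app@1.0.0",
         "dependsOn": ["pkg:npm/web-framework@4.2.0", "pkg:npm/cli-tool@2.0.0"]},
        {"ref": "pkg:npm/web-framework@4.2.0", "dependsOn": ["pkg:npm/http-client@1.1.0"]},
        {"ref": "pkg:npm/cli-tool@2.0.0",
         "dependsOn": ["pkg:npm/url-parse-lib@0.9.0", "pkg:npm/logger@3.0.0"]},
        # http-client and logger depend on each other: a cycle the walk must tolerate
        {"ref": "pkg:npm/http-client@1.1.0",
         "dependsOn": ["pkg:npm/url-parse-lib@0.9.0", "pkg:npm/logger@3.0.0"]},
        {"ref": "pkg:npm/logger@3.0.0", "dependsOn": ["pkg:npm/http-client@1.1.0"]},
        {"ref": "pkg:npm/url-parse-lib@0.9.0", "dependsOn": []},
    ],
}


def build_graph(sbom):
    """Return (root_ref, adjacency dict) built from the SBOM's dependencies section."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = defaultdict(list)
    for entry in sbom.get("dependencies", []):
        graph[entry["ref"]].extend(entry.get("dependsOn", []))
    return root, graph


def dependency_paths(sbom, target_ref):
    """All acyclic paths from the root component to target_ref, each a list of refs.

    In every path, the element right after the root is the direct dependency
    that introduces the target; an unreachable target yields an empty list.
    """
    root, graph = build_graph(sbom)
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child in path:  # already on the current path: skip to break cycles
                continue
            walk(child, path + [child])

    walk(root, [root])
    return paths


def introducing_direct_deps(sbom, target_ref):
    """Sorted list of the direct dependencies through which target_ref is reachable."""
    return sorted({p[1] for p in dependency_paths(sbom, target_ref) if len(p) > 1})


if __name__ == "__main__":
    vulnerable = "pkg:npm/url-parse-lib@0.9.0"
    for path in dependency_paths(SAMPLE_SBOM, vulnerable):
        print(" -> ".join(path))
    print("introduced by:", introducing_direct_deps(SAMPLE_SBOM, vulnerable))
```

Enumerating every path rather than the first one matters for remediation: in the sample, `url-parse-lib` is reached through both `web-framework` and `cli-tool`, so upgrading only one direct dependency leaves the vulnerable version in the lockfile.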
Teams building automations around Semgrep findings can now pass status=provisionally_ignored as a filter in the V1 API and get the corresponding findings back. Previously, the API returned all findings regardless of triage state.
A new self-service contributors report is available on the Usage & Billing page. It lists every contributor who made commits in the last 90 days, along with contributor identity, last contribution timestamp, and the associated repository. Previously, getting this data required opening a support ticket.
Semgrep Autofix, now in public beta, provides contextual remediation guidance, breaking change analysis, and AI-generated fix suggestions directly in pull requests.
For Semgrep Supply Chain findings, Upgrade Guidance identifies which dependency upgrades are safe and flags line-level breaking changes for complex ones. It combines first-party code analysis (how your code uses a package) with third-party code analysis (what changed between versions) via the Semgrep Pro engine, then sends results to an LLM to produce the final breaking change report. Where a safe upgrade exists, developers can generate a PR immediately.
For Semgrep Code findings, Autofix provides tailored fix suggestions using security context from Semgrep and your application's codebase. Fixes can also be triggered via API for fully automated remediation.
Read the announcement blog
Read the docs for Code and for Supply Chain
We're officially in the Cursor Plugin Marketplace. The Semgrep plugin bundles our MCP server, Hooks, and Skills to deliver SAST, supply chain, and secrets scanning on every file an agent touches.
📖 Read the announcement blog
⚡ Install the plugin today: quickstart docs
We’re excited to roll out improved workflows for the Semgrep Dashboard, designed with one specific goal in mind: helping AppSec teams make "Big Number Go Down." We know that efficient triage is the bottleneck that stands between a crowded backlog and a secure codebase, so we’ve optimized the interface to help you cut through the noise and fix what matters faster.
To walk you through these changes, Staff Product Manager Jack Moxon has recorded a deep dive into the new triage workflow. He covers the visual refresh, the new streamlined actions, and how these updates reduce friction between AppSec and Engineering.
Watch the walkthrough below:
In light of the latest supply chain attacks, we're excited to announce that malicious dependency detection is now a generally available feature included in Semgrep Supply Chain.
For the GA release, scanning is much faster even though we added tens of thousands more advisories, for a total of 80,000 SCA rules. Malicious dependency detection is also now available in the API, integrates with Policies to block malicious dependencies before they are introduced, and integrates with Jira.
Read more about how malicious dependency detection helps protect against open source malware attacks
We're excited to announce that Semgrep Managed Scans is officially moving from Open Beta to GA!
SMS delivers comprehensive SAST, SCA, and Secrets scanning without any infrastructure costs or CI/CD complexity. Simply connect your repositories and we handle everything: weekly full scans plus real-time PR checks, all running on our infrastructure. With 1M+ weekly scans already running and proven ROI through reduced DevSecOps lift and faster remediation cycles, SMS is the easiest path to enterprise-grade security.
Read more about how SMS delivers impact without operational overhead on the Semgrep blog.
We’re excited to introduce the industry’s first reachability analysis for PHP, marking the 11th language with this capability. This is now in public beta for all Semgrep Supply Chain customers and includes support for critical severity CVEs published since 2017.
Semgrep Supply Chain now includes malicious dependency detection! This protects you from malware and credential theft spread through attacks such as dependency confusion and typosquatting. Over 31,000 new rules in the platform now generate critical findings whenever malicious dependencies are detected in your code. More information is available on the Semgrep blog.