Semgrep Code now has cross-file support for Python! This includes 100+ Pro rules focusing on common web vulnerabilities, with coverage for Flask and several extensions like Flask-SQLAlchemy, Flask-WTForms, and more. Django and FastAPI coverage is coming soon!
The rules are in p/default and you should start to see new results in your next scan. If you'd like to see results on a local scan first, run:
$ semgrep login && semgrep ci --pro
Please don't hesitate to share any feedback you have on the results with your account team or one of our product managers!
We’re extremely excited to launch GA support for C and C++ in Semgrep Code! Our Pro Engine scans C/C++ projects in minutes, and doesn't require a build or compile step. To see all of the new Pro rules for C/C++, check out the registry.
Note that no changes have been made to C/C++ support in Semgrep OSS - the languages will stay experimental due to constraints with OSS engine capabilities.
If you have any questions regarding coverage or performance in comparison to other SAST solutions that scan C/C++, please reach out to your account team!
Semgrep now lets you filter by project tags. You can use this filter to only see issues associated with a subset of projects.
Note: we only list tags if they are associated with at least 1 project. If a tag is not showing up as an option, it’s most likely because it’s not yet linked to any particular project.
PS: there are more filtering capabilities on the horizon, so stay tuned!
You can now use anonymous metavariables when writing or customizing rules; they have the form $_. These metavariables do not bind in the environment, meaning they also do not unify. As such, patterns like:
foo($_, $_)
can match code like:
foo(1, 2)
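To make the binding/unification distinction concrete, here is an added Python model (not Semgrep's matcher) of how a named metavariable such as $X and the anonymous $_ behave when matched against flat call expressions. It assumes both the pattern and the code are single calls with comma-separated arguments; the code side is parsed with the standard ast module so whitespace differences do not matter.

```python
import ast
import re
from typing import Optional

# Toy model of Semgrep metavariable semantics; it is NOT Semgrep's engine.
# Supported pattern shape: name(arg, arg, ...) where an arg is a literal,
# a named metavariable like $X, or the anonymous metavariable $_.
CALL_PATTERN = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$", re.S)


def _split_pattern(pattern: str):
    """Split a flat call pattern into (function name, argument texts)."""
    m = CALL_PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    name, args = m.group(1), m.group(2).strip()
    return name, ([a.strip() for a in args.split(",")] if args else [])


def _split_code(code: str):
    """Parse a flat call and return (function name, normalized argument sources)."""
    node = ast.parse(code, mode="eval").body
    if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Name):
        raise ValueError(f"unsupported code: {code!r}")
    return node.func.id, [ast.unparse(a) for a in node.args]


def match_call(pattern: str, code: str) -> Optional[dict]:
    """Return the metavariable environment if pattern matches code, else None.

    - $NAME binds on its first occurrence; every later occurrence must
      unify with (match exactly) the code already bound to it.
    - $_ is anonymous: it matches anything and never enters the
      environment, so repeated $_ in one pattern need not agree.
    """
    pname, pargs = _split_pattern(pattern)
    cname, cargs = _split_code(code)
    if pname != cname or len(pargs) != len(cargs):
        return None
    env: dict = {}
    for p, c in zip(pargs, cargs):
        if p == "$_":
            continue  # anonymous: no binding, no unification check
        if p.startswith("$"):
            if p in env and env[p] != c:
                return None  # named metavariable failed to unify
            env[p] = c
        elif p != c:
            return None  # literal argument must match exactly
    return env
```

Because $_ never appears in the returned environment, it also cannot be referenced later (for example in a rule's message), which is exactly what makes it suitable for "don't care" positions.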
Happy rule writing!
Users can now select findings and use the "Analyze" button to run all Semgrep Assistant functions (autofix, autotriage, and component tagging) on the selected findings. Once the analysis is completed, users will see results if they:
filter by Fix/Ignore
filter by AI Component Tags
If they select "No Grouping" instead of "Group by Rule" they will see false positive or true positive recommendations directly in their findings.
Semgrep Assistant (Semgrep’s AI integration) can now categorize and tag findings based on the component they are found in. Users can use these tags to prioritize findings (only show findings related to user authentication, PII, etc.).
Semgrep's VSCode extension (v1.6.2+) can run natively on Windows. Semgrep Platform uses LSP.js as a way of supporting Semgrep on Windows.
Go, Java, JavaScript, and TypeScript's interfile analysis support is now GA. All cross-functional analysis language support is now GA.
Users can now scan C# projects with Semgrep Code’s Pro Engine, leveraging advanced interfile analysis to uncover more complex vulnerabilities while reducing noise.