Semgrep Product Updates Feed https://semgrep.dev We're a startup passionate about improving software security and reliability. en-us 2024-12-12T21:06:36+00:00 <![CDATA[Run Semgrep Assistant on selected findings (auto-triage, auto-fix, component tagging)]]> https://semgrep.dev/products/product-updates/single/320fd8b0-2eae-412a-a51b-db580b453f1d Users can now select findings and use the "Analyze" button to run all Semgrep Assistant functions (autofix, autotriage, and component tagging) on the selected findings. Once the analysis is completed, users will see results if they:

filter by Fix/Ignore

filter by AI Component Tags

If they select "No Grouping" instead of "Group by Rule" they will see false positive or true positive recommendations directly in their findings.

Learn more

]]>
<![CDATA[Announcing framework-native analysis for Django, Flask, and FastAPI in Semgrep Code (Python)]]> https://semgrep.dev/products/product-updates/single/announcing-framework-native-analysis-for-django-flask-and-fastapi-in-semgrep-code-python We’ve supercharged Semgrep Code’s Python support with new, framework-specific analysis capabilities. The engine now tracks implicit data flows in popular frameworks like Django, FastAPI, and Flask, providing accurate detection of impactful security issues (OWASP Top Ten) for nearly 100 common Python libraries.

For most SAST products, framework coverage starts and ends with rule support. Semgrep Code now has framework-specific analysis capabilities built into the engine, meaning it can reason about Python source code in the context of specific frameworks. This ensures that implicit flows are captured and analyzed effectively.

As a result, benchmarks show an 84% true positive rate for our updated Python support. For benchmark details, or to learn more about our new framework coverage in Python, read the announcement blog!

]]>
<![CDATA[Support for anonymous metavariables (rule-writing and syntax)]]> https://semgrep.dev/products/product-updates/single/anonymous-metavariables You can now use anonymous metavariables when writing or customizing rules, which have the form $_. These metavariables do not bind in the environment, meaning they also do not unify. As such, patterns like:

foo($_, $_)

can match code like

foo(1, 2)

Happy rule writing!

]]>
<![CDATA[Bitbucket Data Center and Azure DevOps SCM Support]]> https://semgrep.dev/products/product-updates/single/bitbucket-and-azure-devops-scm-support We've launched SCM support for Azure Devops Cloud (ADOC) and Bitbucket Data Center (BBDC)!

Users can now self-serve these SCMs by navigating to Settings > SCM and clicking the corresponding button. Users can also test the connection to ensure it has been set up correctly.

What features are supported?

  • PR Comments (Semgrep Code)

    • We’ve introduced Semgrep Code PR comments for both Azure DevOps Cloud and Bitbucket Data Center

    • This includes both inline comments and unanchored comments for individual and grouped findings, respectively.

  • PR Comments (Semgrep Supply Chain - license violations)

    • These are now available for both Azure DevOps and Bitbucket Data Center, ensuring developers will always use compliant dependencies.

  • Hyperlinks in the findings UI

    • Finding hyperlinks for both Azure DevOps and Bitbucket Data Center work across all parts of the findings UI (commit URL, branch URL, line of code URL, etc.).

    • The findings experience for both ADOC and BBDC are now at parity with other supported SCMs.

]]>
<![CDATA[C# and PHP support]]> https://semgrep.dev/products/product-updates/single/c-and-php-support Semgrep Supply Chain can now find reachable vulnerabilities in C# dependencies. Along with C#, we also added lockfile-only support for PHP. Semgrep Supply Chain now supports C#, Go, Java, JavaScript, PHP, Python, Rust, and Ruby.

]]>
<![CDATA[C/C++ support in Semgrep Code is now GA]]> https://semgrep.dev/products/product-updates/single/c-support We’re extremely excited to launch GA support for C and C++ in Semgrep Code! Our Pro Engine scans C/C++ projects in minutes, and doesn't require a build or compile step. To see all of the new Pro rules for C/C++, check out the registry.

Note that no changes have been made to C/C++ support in Semgrep OSS - the languages will stay experimental due to constraints with OSS engine capabilities.

If you have any questions regarding coverage or performance in comparison to other SAST solutions that scan C/C++, please reach out to your account team!

]]>
<![CDATA[Interfile analysis in PR/MR comments]]> https://semgrep.dev/products/product-updates/single/cross-file-analysis-in-pr-comments diff scans, which keeps the scan times fast (<5 minutes) and improves result quality for customers. Cross-file analysis can reduce false positives and find new vulnerabilities.

Learn more

]]>
<![CDATA[All scans in Semgrep Code now use Pro Engine (cross-function analysis + Pro-only languages)]]> https://semgrep.dev/products/product-updates/single/cross-function-on-all-scans We're happy to announce that all Semgrep Code scans will now use Pro Engine (cross-function analysis + Pro-only languages).

This improved analysis and coverage comes with no performance/speed cost, which is why we're making it the default scan type! You may notice new findings after your next scan due to the increased scope of analysis.

Since all scans now run with cross-function analysis, the "Pro Engine" toggle in settings is now a toggle for cross-file analysis (which is still optional due to the potential impact on scan speeds):

Cross-file toggle

]]>
<![CDATA[Users can now write custom secrets rules with validation]]> https://semgrep.dev/products/product-updates/single/custom-validators Customers can now write their own rules for Semgrep Secrets! These rules can detect and validate secrets associated with internal services, services with custom subdomains, or services not yet supported by Semgrep.

To learn more, read the announcement post where we go through an example of how easy it is to write a custom secrets rule and add it to a Semgrep policy.

Note that Semgrep Secrets supports validation out-of-the-box and comes with validator rules for many common services - this update allows users to write their own custom validator rules for internal services, services with custom subdomains, etc.

]]>
<![CDATA[Filter findings by components (user authentication, PII, etc.) using Semgrep Assistant]]> https://semgrep.dev/products/product-updates/single/filter-by-high-risk-components Semgrep Assistant (Semgrep’s AI integration) can now categorize and tag findings based on the component they are found in. Users can use these tags to prioritize findings (only show findings related to user authentication, PII, etc.).

Learn more

]]>
<![CDATA[Filter projects by name and last scan time ]]> https://semgrep.dev/products/product-updates/single/filter-by-project-name-and-last-scan-time You can now sort projects by name and last scan time on the projects page. This gives teams more visibility into scans and coverage across repositories (particularly for organizations using Semgrep managed scanning) so they can better troubleshoot failing scans or just get an overview of scan cadence.

Note that scans that were never completed currently appear before the latest scans - in a future update these projects will at the bottom of the list.

Project filters

]]>
<![CDATA[Filter reporting metrics by team]]> https://semgrep.dev/products/product-updates/single/filter-reporting-metrics-by-team Customers will now be able to see a "Teams" filter on the reporting page under "Filters". There is a new RBAC setting (on by default) that only shows users reporting data from the teams that they are part of, and a new multi-select filter allows users to select which of their teams to include.

Admins will of course have access to all teams.

Happy scanning!

]]>
<![CDATA[Interfile analysis GA support for multiple languages]]> https://semgrep.dev/products/product-updates/single/ga-support-for-multiple-languages Go, Java, Javascript, and Typescript’s interfile analysis support is now GA. All cross-functional analysis language support is now GA.

Learn more

]]>
<![CDATA[Historical scanning is now in Beta for Secrets users!]]> https://semgrep.dev/products/product-updates/single/historical-secrets-scanning Users can now scan for valid secrets in their repo's git history! This functionality is off by default, so users will have to toggle it on in the settings menu or run semgrep ci with --historical-secrets.

A few things to note:

  • Historical scanning can be slow with large repos.

  • Findings from historical scans will not be automatically be marked as fixed. Currently these findings can only exist in two states: Open or Ignored.

Please don't hesitate to share any feedback with your account team!

]]>
<![CDATA[Improved Elixir support in Semgrep Code]]> https://semgrep.dev/products/product-updates/single/improved-elixir-support-in-semgrep-code A new set of rules for Elixir and the Phoenix framework have just been released, covering a broad range of security and correctness issues.

These rules can be found in the registry, and a subset of them (medium/high confidence rules) are available via the p/elixir ruleset for easy access.
To use them, users must be logged in and use the Pro engine via the --pro option!

Many thanks to Holden Oullette (maintainer of Sobelow) for helping us ship this update!

]]>
<![CDATA[Integration with Jira, Asana, and Linear]]> https://semgrep.dev/products/product-updates/single/integration-with-jira-asana-and-linear Use the Jira, Asana, or Linear integration to create tickets for Semgrep Code and Supply Chain findings easily.

]]>
<![CDATA[Interfile analysis support for C#]]> https://semgrep.dev/products/product-updates/single/interfile-analysis-support-for-c Users can now scan C# projects with Semgrep Code’s Pro Engine, leveraging advanced interfile analysis to uncover more complex vulnerabilities while reducing noise. 

]]>
<![CDATA[New insight into backlogs, developer engagement, and security posture]]> https://semgrep.dev/products/product-updates/single/new-insight-into-backlogs-developer-engagement-and-security-posture We’re excited to announce revamped reporting capabilities in Semgrep, which bring  increased levels of clarity to your production backlog, developer engagement levels, and overall security posture. Along with recently released views of secure guardrails adoption, these new capabilities give AppSec teams more visibility than ever before into the security metrics that matter for their teams.

Check out the docs or read the announcement blog post.

]]>
<![CDATA[New UI for Semgrep Supply Chain]]> https://semgrep.dev/products/product-updates/single/new-ssc-ui We've done a lot this quarter to streamline the Supply Chain UI! These changes greatly improve the ease of orchestration of our SCA solution and platform overall.

All three of our products are powered by the same core analysis engine, and as we continue to unify and consolidate things on the front-end it should be much easier for anyone familiar with other parts of the Semgrep AppSec Platform to quickly get their bearings with our best-in-breed supply chain tool.

The new interface brings many of the core SAST capabilities and workflows that our users love to Semgrep Supply Chain:

  • Group vulnerabilities by rule

  • Bulk triage of findings

  • More comprehensive filtering

  • One unified API for findings across Semgrep Code and Semgrep Supply Chain

]]>
<![CDATA[New triage reason workflows + filter by triage reason in platform]]> https://semgrep.dev/products/product-updates/single/new-triage-reason-workflows-filter-by-triage-reason-in-platform Developers are now able to specify triage reasons (false positive, acceptable risk, and other) in the PR comment flow, and AppSec teams can now filter findings based on these reasons in the Semgrep UI.

Developers will be able to access the following PR commands in Github, and all instructions will be clearly provided to developers as part of the PR comment:

  • /fp <comment> For triaging a finding to ignored with the triage reason "false positive"

  • /ar <comment> For triaging a finding to ignored with the reason "acceptable risk"

  • /other <comment> For triaging a finding to ignored without any specific reason "No triage reason"

    • Note: These are the same as the previous /semgrep ignore functionality

  • /open To re-open a finding

    • Note: This is the same as the previous /semgrep open functionality

  • /remember <comment> For adding Assistant memories.

    • Note: This is the same as the previous /semgrep remember functionality

Please note that all previous commands are still supported for backwards compatibility. For example: previous commands /semgrep ignore , /semgrep open , /semgrep remember will continue to be available, and developers may continue to use these commands.

Support is currently limited to Github, but is coming soon for Gitlab customers!

Triage reason

]]>
<![CDATA[ Improved rule templates and categories in the Playground/editor (rule-writing)]]> https://semgrep.dev/products/product-updates/single/playground-updates The playground/editor has some shiny new examples/templates that should make it much easier for users to get started with rule-writing. Here are the key changes:

  • Example/template rules are now categorized

  • Each example has an explanation of what patterns are being matched with links to relevant documentation

  • Example rules are more "real world" and better showcase the common use cases for rules

  • Customers with secrets enabled will now will see an additional property for HTTP validation (learn more about custom secrets rules)

    Playground updates

Happy rule-writing!

]]>
<![CDATA[Project-level RBAC is now in public-beta]]> https://semgrep.dev/products/product-updates/single/project-level-rbac Shipping RBAC that works at the repository level was a priority for us this year, and we’re excited to announce that project-level RBAC is now in public-beta!

For organizations with thousands of developers and repositories, the importance of role based access controls goes beyond compliance - security engineers only want to see findings for the repositories and microservices they are responsible for, and access controls that work at the project level make this possible.

For more information, read our documentation on the new teams view in our access controls menu (found under settings).

Project-level RBAC

]]>
<![CDATA[Filter by "project tag"]]> https://semgrep.dev/products/product-updates/single/project-tags-filter Semgrep now lets you filter by project tags. You can use this filter to only see issues associated with a subset of projects.

Note: we only list tags if they are associated with at least 1 project. If a tag is not showing up as an option, it’s most likely because it’s not yet linked to any particular project.

PS: there are more filtering capabilities on the horizon, so stay tuned!

]]>
<![CDATA[Python support for Semgrep Code]]> https://semgrep.dev/products/product-updates/single/python-support Semgrep Code now has cross-file support for Python! This includes 100+ Pro rules focusing on common web vulnerabilities, with coverage for Flask and several extensions like Flask-SQLAlchemy, Flask-WTForms, and more. Django and FastAPI coverage is coming soon!

The rules are in p/default and you should start to see new results in your next scan. If you'd like to see results on a local scan first, run $ semgrep login && semgrep ci --pro

Please don't hesitate to share any feedback you have on the results with your account team or one of our product managers!


]]>
<![CDATA[Rust GA support and Swift beta support]]> https://semgrep.dev/products/product-updates/single/rust-ga-support-and-swift-beta-support Semgrep Code’s support for Rust is now GA (Checkout our 70+ new Pro rules for Rust).
Semgrep Code’s support for Swift is now beta (Checkout our 50+ new Pro rules for Swift).

]]>
<![CDATA[SBOM export with CycloneDX]]> https://semgrep.dev/products/product-updates/single/sbom-export-with-cyclonedx SBOM export (in public beta) is now supported on any repository that Semgrep Supply Chain scans. Users can export SBOM in CycloneDX v1.4 standard in JSON or XML format.
Learn more

]]>
<![CDATA[SCA API updates]]> https://semgrep.dev/products/product-updates/single/sca-api-updates Semgrep Supply Chain public API release; users can list all their Supply Chain Vulnerabilities and list all their Dependencies in a raw list or with respect to their repositories and lockfiles.

]]>
<![CDATA[Scanning code for security issues using Semgrep's IntelliJ plugin]]> https://semgrep.dev/products/product-updates/single/scanning-code-for-security-issues-using-semgreps-intellij-plugin Use Semgrep’s plugin for IntelliJ products (AppCode, Aqua, CLion, DataSpell, DataGrip, GoLand, IntelliJ IDEA Ultimate, PhpStorm, PyCharm Professional, Rider, RubyMine, RustRover, WebStorm) to scan for Semgrep Code and Supply Chain vulnerabilities.

]]>
<![CDATA[Announcing Semgrep Assistant's GA launch]]> https://semgrep.dev/products/product-updates/single/semgrep-assistant-ga After a little over a year in open beta, Semgrep Assistant is now GA!

Semgrep Assistant is free for all customers, and uses AI to greatly speed up existing workflows across prioritization, triage, and remediation. New features include Assistant generated custom rules and Priority Inbox - to learn more about these capabilities read the blog post.

Semgrep Assistant is super easy to set up - just go into settings and turn it on (your developers will appreciate the additional context):

Assistant toggle in settings

]]>
<![CDATA[Semgrep Assistant support for GitLab and GitLab self-managed]]> https://semgrep.dev/products/product-updates/single/semgrep-assistant-support-for-gitlab-and-gitlab-self-managed Semgrep Assistant (Semgrep’s AI integration) now supports GitLab and GitLab self-managed. Check out the documentation.

]]>
<![CDATA[Semgrep Code Search is now available in public beta (for users with an active license) ]]> https://semgrep.dev/products/product-updates/single/semgrep-code-search-is-now-in-public-beta We're excited to announce the public beta of Semgrep Code Search! Code Search lets users can run a single rule across hundreds of code repositories in seconds, making vulnerability detection and rule iteration lightning-fast. Since Semgrep rules are already easy to understand and write, the instant feedback provided by Code Search gives users superpowers when it comes to rule evaluation, rule writing, and vulnerability hunting.

To learn more about how to use Code Search (or how it works on the back-end), read the announcement blog post!

Important Notes:

  • Semgrep Code Search is only currently available for repos hosted on Github.com

  • Semgrep Code Search is only available for current Code customers or users with an active trial license.

]]>
<![CDATA[Semgrep managed scanning now available in public beta]]> https://semgrep.dev/products/product-updates/single/semgrep-managed-scanning-now-available-in-public-beta You can now roll out Semgrep at ludicrous speed without any manual, per-repo CI/CD configuration. Whether you have one repo or thousands of repos, It Just Works.

Semgrep managed scanning lets you add Semgrep to your projects without the need to change existing CI/CD configurations, whether you have one, hundreds, or even tens of thousands of repositories.

Code scans are run on Semgrep AppSec Platform’s infrastructure instead of in your CI/CD infrastructure. So there is no need for you to spend CI minutes or coordinate with other teams to set up scanning.

Once enabled, Semgrep managed scanning automatically runs full scans weekly and on every PR. Semgrep findings presented as PR comments are still available, and determined according to your policy settings for monitor, comment, or blocking modes.

For more, check out the Semgrep managed scanning announcement blog post.

]]>
<![CDATA[Structure Mode is now available in the Playground]]> https://semgrep.dev/products/product-updates/single/structure-mode-is-now-available-in-the-playground-editor-rule-writing Structure Mode is a brand new way to write Semgrep rules that guides users via UI as opposed to requiring them to write YAML. Structure mode makes rule-writing easier for inexperienced rule-writers, but it also adds cool new features for seasoned rule-writers that should speed up their workflows as well.

Structure Mode replaces the now deprecated "Simple Mode", as it offers more robust functionality paired with an intuitive interface that's just as easy (if not easier) to understand than Simple Mode.

Structure mode gif 6

To learn more about Structure Mode, read our blog post which outlines all of the shiny new capabilities in detail.

]]>
<![CDATA[Swift support in Semgrep Code is now GA]]> https://semgrep.dev/products/product-updates/single/swift-ga We are excited to announce the General Availability of Swift support in Semgrep Code!

This means that Swift now meets the strict syntax and parse-rate requirements for GA status with our Pro Engine. This release includes 57 Pro rules covering a broad range of vulnerability classes - as usual, we'll continuously monitor and update them to ensure they meet our standards for accuracy and comprehensiveness.

Happy coding!

]]>
<![CDATA[Swift Support in Semgrep Supply Chain (lockfile-only)]]> https://semgrep.dev/products/product-updates/single/swift-support We're excited to announce that Semgrep Supply Chain now has lockfile-only support for Swift and the official Swift Package Manager!

Our future roadmap for the ecosystem includes reachability and the addition of CocoaPods as a supported package manager.

Users will need a Package.resolved in their repository for us to successfully parse all their dependencies. Official documentation on how users can generate one can be found here.

Swift Rules SSC

]]>
<![CDATA[Updated Jira integration with embedded remediation guidance ]]> https://semgrep.dev/products/product-updates/single/updated-jira-integration-just-made-workflows-a-whole-lot-easier Semgrep’s updated Jira integration brings AI-generated remediation guidance directly to developers in Jira tickets. Additionally, Semgrep scans can now automatically trigger ticket creation for high-priority issues, reducing manual workload for vulnerability tracking and triage.

Check out the docs or read the announcement blog post.

]]>
<![CDATA[View recommendations from Semgrep Assistant]]> https://semgrep.dev/products/product-updates/single/view-recommendations-from-semgrep-assistant The findings page, in group by rule view, now has an assistant recommendation filter. When you filter to recommended ignores, we now show Assistant's explanation inline. Pressing 'Agree' there will automatically ignore the finding.

Learn more

]]>
<![CDATA[Semgrep's VSCode extension (v1.6.2) can run natively on Windows]]> https://semgrep.dev/products/product-updates/single/vs-code-on-windows Semgrep's VSCode extension (v1.6.2+) can run natively on Windows. Semgrep Platform uses LSP.js as a way of supporting Semgrep on Windows.

Learn more

]]>