What's New

Semgrep Autumn ‘25 Release

Each quarter, we spotlight the most impactful Semgrep releases across Code, Supply Chain, and Secrets Detection to help you cut noise, find real risks, and keep your code secure.

What’s new this autumn?

Do not miss the biggest Autumn releases. AI powered detection for business logic flaws and IDOR is now in closed beta, combining static analysis with AI to find hard-to-catch issues. Semgrep Managed Scanning is GA with automated repo discovery and scanning. Native Windows support is GA for CLI and IDEs. Supply Chain adds malicious dependency detection and expanded historical reachability. The Semgrep MCP Server brings Supply Chain signals into AI coding tools. Get a look at what is coming next and learn how to apply these updates today.

Plus, get a first look at what's coming. Whether you’re a longtime user or brand new to Semgrep, you’ll learn how to cut false positives, put AppSec on autopilot, scale security across every repo and team, and maximize coverage – right out of the box.

Watch the webinar here

Imagine Zero False Positive AppSec

Surface priority findings and quiet the false positives.

SEMGREP CODE

BNGD (Private Beta)

"Big Number Go Down" surfaces priority findings by default and moves likely false positives and unreachable issues to a provisional ignored state. The backlog shrinks to a smaller, reviewable set without hiding new matches or changing rule logic. A funnel visualization shows total detected, non-spam, and priority findings so reviewers can track the impact of tuning over time.

Items in the provisional ignored state are searchable and reversible, so teams can restore them at any time during audits.

Interfile analysis for Scala (Public Beta)

Interfile analysis tracks data and control flow across files in Scala, including static and dynamic dispatch through traits and common web frameworks like Play. The engine builds cross-file traces without compiling the project, which shortens feedback cycles in CI and during local testing. Findings include clear source-to-sink traces with intermediate calls so reviewers can validate the full path and reproduce issues quickly.

Put AppSec on Autopilot

Detect business logic flaws with AI and surface supply chain risk where developers code.

SECURE VIBE CODING

AI powered detection for business logic flaws and IDOR (Private Beta)

Combines static analysis with AI to detect business logic issues and IDOR, alongside vulnerability classes such as SQL injection, XSS, and SSRF.

Supply Chain in Semgrep MCP (Public Beta)

Shows dependency vulnerability risk inside AI coding tools such as Cursor, helping developers avoid known vulnerable packages during development.

Displays package and version risk with CVE severity and reachability context in-line and links back to Semgrep for details and upgrade guidance.

Operationalize and Scale

Automate org-wide scanning and make Windows a first-class option.

SEMGREP APPSEC PLATFORM

Semgrep Managed Scanning (GA)

Semgrep Managed Scanning automatically discovers, syncs, and scans repositories without CI configuration. It runs on a managed scheduler that handles retries and audit logs, keeping coverage stable as repos and teams change. Designed for large monoliths and complex estates, it sustains more than 1 million weekly scans while preserving per-repo controls and ownership.

Native Windows support for CLI and IDEs (GA)

Run Semgrep on Windows without WSL or Docker. Install with pip and use it from the CLI and from IDEs such as VS Code, IntelliJ, and Cursor. Example: pip install semgrep && semgrep login && semgrep ci.

Maximize Coverage

Block malicious packages and focus on exploitable dependency paths.

SEMGREP SUPPLY CHAIN

Malicious dependency detection (GA)

Detects known malicious packages across npm, PyPI, RubyGems, Maven, Go, and NuGet using more than 30,000 advisories and rules as of GA. Flags typosquatting, dependency confusion, hijacked packages, and compromised maintainers. Findings are rated critical severity and are always marked reachable.

Expanded historical reachability rules

Expands reachability coverage for high and critical CVEs back to 2017 across JavaScript, Go, C#, Swift, and Ruby, so reviews focus on exploitable dependency paths. Rules analyze imports and call graphs to confirm function-level usage and prioritize what your code actually uses.

Explore Previous Releases

Spring '25

Our biggest update this spring is the public beta of Assistant Memories, which identifies 85% of false positives with no manual customization or tuning. With Assistant Memories, security engineers never have to triage the same issue twice, as Semgrep Assistant learns from prior triage decisions to eliminate contextual false positives.

Explore Now

Summer '25

Our product experts will walk you through key highlights you won't want to miss, including the Assistant Memories GA, the industry's first reachability analysis for PHP, and other powerful features across the Semgrep platform.

Explore Now

Autumn '25

AI powered detection for business logic flaws and IDOR is now in closed beta, combining static analysis with AI to find hard-to-catch issues. Semgrep Managed Scanning is GA with automated repo discovery and scanning. Native Windows support is GA for CLI and IDEs. Supply Chain adds malicious dependency detection and expanded historical reachability. The Semgrep MCP Server brings Supply Chain signals into AI coding tools.

Watch the Webinar Now

Explore Additional Resources

Register for webinar

Get a detailed look at this quarter’s latest innovations.

Watch the Recording

Discover latest product updates

Stay informed about new features and enhancements.

Explore Now

Check out the release notes

Understand the full scope of changes in each release.

Explore Now

Learn AppSec with Academy

Learn to create secure software with us.

Enroll for Free