What's New

Semgrep Spring ’25 Release

Each quarter, we spotlight the latest Semgrep releases – from Code to Supply Chain and Secrets Detection – so you can ship secure code, faster and smarter.

What’s new this spring?

Our biggest update this spring is the public beta of Assistant Memories, which identifies 85% of false positives with no manual customization or tuning. With Assistant Memories, security engineers never have to triage the same issue twice, as Semgrep Assistant learns from prior triage decisions to eliminate contextual false positives.

We’ve also doubled down on enterprise-ready scanning to make it easier to secure large codebases. Semgrep Managed Scanning is now generally available across GitHub, GitLab, Bitbucket, and Azure DevOps – so teams can roll out scanning across every repo, team, and workflow. Plus, new support for scanning without lockfiles expands coverage even when lockfiles are missing.

Join our release webinar to check out what’s new →

Eliminate Noise

Cut false positives so your team can focus on fixing what’s real.

SEMGREP SUPPLY CHAIN

Transitive Reachability (Private Beta)
Semgrep now supports transitive reachability analysis for JavaScript projects (private beta). This extends reachability analysis beyond direct dependencies to transitive dependencies. Semgrep flags which of these vulnerabilities are unreachable from your code, helping teams reduce noise.

SEMGREP ASSISTANT

Assistant Memories (Public Beta)
With Assistant Memories, Semgrep Assistant now has the ability to learn from triage notes, developer feedback, and explicit instructions in human language to filter out even more false positives.

SEMGREP CODE

Cross-File Dataflow Traces (GA)
Visualize how data moves across multiple files with in-app trace snippets.

Put AppSec on Autopilot

Use AI to automatically enhance detection, triage, and remediation, at scale.

SEMGREP SUPPLY CHAIN

Supply Chain Policies
Enforce precise configuration of supply chain policies based on criteria such as reachability, severity, upgrade availability, transitivity, Exploit Prediction Scoring System (EPSS) scores, and more.

SEMGREP ASSISTANT

Suggested Memories (Public Beta)
Semgrep Assistant can now suggest Memories based on triage notes and developer feedback. Users can easily see how many findings are in scope for each suggested memory, and view the impact of turning them on.

Assistant for Bitbucket and Azure DevOps
Semgrep Assistant now supports Bitbucket and Azure DevOps (ADO), in addition to GitHub and GitLab. Developers using Bitbucket and ADO now receive remediation guidance, autofixes, and explanations natively in PR comments.

LLM Selection / BYO API Key
Semgrep Assistant now supports multiple LLM providers including OpenAI, AWS Bedrock, Google Gemini, and xAI. Users can also bring their own API key to leverage their own relationships with major model providers.

VIBE CODING

Semgrep MCP Server
The Semgrep MCP Server turns Semgrep into a built-in security reflex for LLMs — letting them scan and fix their own code as they generate it.

Operationalize and Scale

Roll out AppSec across every repo, team, and workflow. Grow your security program without friction.

SEMGREP APPSEC PLATFORM

Semgrep Managed Scanning (GA)
Semgrep Managed Scanning syncs, onboards, and scans all your repositories automatically, saving you the time of managing CI/CD pipelines. Whether you have a large codebase or complex monoliths, Managed Scanning automatically scales to ensure complete scanning coverage across any repository in a timely manner.

Scan Without Lockfiles (Private Beta)
Now users can scan projects even when lockfiles are missing or difficult to generate — common in compiled languages such as Java, C#, and Kotlin.

Clickable Charts (Public Beta)
Revamped security dashboards that turn Semgrep scan data into interactive charts, trends, and reports tailored for developers, AppSec teams, and CISOs. Provides an overview of your organization's security posture.

SEMGREP SUPPLY CHAIN

SBOM Export API (GA)
Allows users to programmatically retrieve a Software Bill of Materials (SBOM) for their scanned projects using public, documented endpoints.

Maximize Coverage

Cover more languages, frameworks, threat types, and more – right out of the box.

SEMGREP CODE

Expanded JavaScript & TypeScript Analysis (GA)
Improved detection capabilities for JavaScript and TypeScript, including engine-level dataflow analysis for 50+ frameworks and libraries, such as Express, NestJS, React, and Angular.

Shadow AI Ruleset
A new ruleset that detects unauthorized use of AI or LLM libraries. This includes API calls, such as api.openapi.com, and libraries in code such as langchain and transformers.
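As an added illustration of how a rule in such a ruleset can be expressed, the following is an example Semgrep rule written for this page; it is not Semgrep's own Shadow AI ruleset, and the rule id, message and the exact set of matched imports are assumptions. It covers the library-import half of the description (langchain and transformers in Python code) and reports each match as an inventory finding for the AppSec team to review against its list of approved AI usage.

```yaml
rules:
  - id: example-shadow-ai-python-imports   # assumed id, not a Semgrep ruleset id
    languages: [python]
    severity: INFO
    message: >-
      Import of an AI/LLM library ($LIB) detected. Confirm this usage is
      approved under your organization's AI policy.
    metadata:
      category: security
      subcategory: [audit]
      # Constructed metadata for this example; adjust to your own taxonomy.
      technology: [langchain, transformers]
    # Match both plain imports and from-imports of the listed libraries,
    # including submodules (the trailing "..." in the module path).
    pattern-either:
      - pattern: import langchain
      - pattern: import langchain....
      - pattern: from langchain import ...
      - pattern: from langchain.... import ...
      - pattern: import transformers
      - pattern: import transformers....
      - pattern: from transformers import ...
      - pattern: from transformers.... import ...
    # $LIB is only used in the message; bind it via a second, broader pattern
    # so the message names the library that matched.
    metavariable-regex:
      metavariable: $LIB
      regex: ^(langchain|transformers)$
    # Constructed sample that this rule should flag:
    #   from langchain.chains import LLMChain
    #   import transformers
```

Run it with `semgrep --config shadow-ai-example.yml .` against a checkout; because the severity is INFO the findings behave as an inventory of AI library usage rather than blocking a pull request, which is the right default until the approved-usage list is agreed with the teams that own the code.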

SEMGREP SUPPLY CHAIN

Malicious Dependency Detection (Public Beta)
Malicious dependencies are dangerous packages, or dangerous versions of packages, that are designed to compromise systems. Now teams can identify and block known malicious packages – such as those involved in typosquatting or supply chain attacks.

PR Warnings for Malicious Packages
Semgrep will now comment directly on pull requests or merge requests warning users that they may be adding malicious dependencies.

SEMGREP SECRETS

Generic Secrets Detection (GA)
Combines rules and LLM-powered filtering to help detect generic secrets accurately.

SEMGREP CODE & SECRETS

Critical Severity Classification (GA)
The Critical severity level is now available in Semgrep Code and Semgrep Secrets to denote the highest severity for findings in both products.

INTEGRATIONS

Wiz Integration (GA)
Semgrep integrates with Wiz by establishing a secure connection with Wiz’s API endpoints, enabling you to prioritize vulnerabilities by correlating SAST findings with real-time cloud infrastructure and runtime data.

Explore Additional Resources

Download the release kit

Get a detailed look at this quarter’s latest innovations.

Download Release Kit

Discover latest product updates

Stay informed about new features and enhancements.

Explore Now

Check out the release notes

Understand the full scope of changes in each release.

Explore Now

Learn AppSec with Academy

Learn to create secure software with us.

Enroll for free