March 2025
ยท 5 min read
The following updates were made to Semgrep in March 2025.
๐ Semgrep AppSec Platformโ
Addedโ
- Added the capability to delete projects through the Semgrep API. Deleting a project also deletes all of its findings. Refer to the API documentation.
- You can now view the
cwe_namesandowasp_namesfor findings fetched through the Semgrep API. See the API documentation. - Added
external_discussion_idandexternal_note_idto findings returned by the Semgrep API. Use these fields to build links, put together dashboards, or other functionalities. - Various performance enhancements around full scans performed by Semgrep Managed Scans.
- Teams: Members are able to view the Project details page. This enables them to view the scan logs for diff-aware scans.
- Added a warning notification when you disable all rules. Disabling all rules means no findings will be detected in subsequent scans.
- Added a tooltip explaining the reason for why checkboxes for certain findings cannot be selected. Typically this is because the finding has been fixed.
- Added a Use Network Broker toggle within the webhook integration dialog. This enables you to control access to the network broker on a per-webhook basis.
- Dataflow traces now provide cross-file code snippets, centralizing context from several files into the dataflow graph.
- The Finding details page now has a new triage button with options to ignore, fix, and reopen findings.
- Added
llms.txt. - Added an integration with Wiz that enables you to view Semgrep Code findings in Wiz's Security Graph.
- Added the ability to define the files and folders Semgrep ignores during scans at the organization level.
Changedโ
- When findings are specifically ignored through a
nosemgrepcomment, Semgrep now informs the user why. Previously, there was no context provided when ignoring through a comment. - Improved pagination performance.
- Improved performance when fetching data for large teams.
๐ป Semgrep Codeโ
- Updates in Semgrep AppSec Platform regarding findings and rules also apply to Semgrep Code.
โ๏ธ Semgrep Supply Chainโ
Addedโ
- Added the ability to use transitivity and EPSS score as conditions when creating block and comment policies for Supply Chain.
- Added dependency path support for the following Python package managers:
pip,pip-tools, andpipenv. - Added the ability to download SBOM exports using the Semgrep API.
Fixedโ
- Improved how Semgrep handles policies when projects or tags associated with the policy have been deleted. Semgrep now displays a warning when all projects or tags associated with a policy have been deleted:
๐ค Semgrep Assistantโ
Addedโ
- Auto-memories: If you triage a finding as Ignored and provide an explanation of why you change the finding's status to Ignored, Assistant automatically determines if it should create a memory for you. Assistant uses memories to tailor its remediation guidance for your projects.
- Added the ability to select multiple AI providers.
๐ Semgrep Secretsโ
Fixedโ
- Fixed the JSON produced by the
--gitlab-secretsflag so that it is parsed correctly by GitLab.
๐ Documentation and knowledge baseโ
Addedโ
- Added new documents, articles and sections on the following topics:
- Global path ignores: Applying path ignores to all projects in an organization
- Minor additions include:
- Semgrep Assistant features permitted based on roles
- Semgrep Managed Scans: Bitbucket support
- Added CVE-2025-29783 to trophy case.
Changedโ
- The Supported languages > Semgrep Supply Chain section has been reorganized for clarity. Product features and supported package managers have been separated into discrete tables.
- Expanded on PR comments in Semgrep Secrets, particularly validation state policies.
- Documentation about Semgrep Supply Chain's ignore behavior has been updated.
- Clarified various procedures regarding:
- How to remove a Slack integration
- How triage behaves across different refs or branches
- Various redirects have been updated.
Fixedโ
- Various section links have been fixed.
- Minor acronym and product terminology fixes.