Hello from Semgrep! It’s launch week, and we’re excited to share new features these next few days across the entire Semgrep suite, with two announcements to start:
Semgrep Supply Chain is now free for all to use, up to a 10-contributor limit.
Semgrep is even faster; set up GitHub.com scanning in a minute, scan on every keystroke in the Semgrep Playground and VS Code.
Read on for the details and try the features yourself. We’re thrilled to work with you to profoundly improve software security and reliability!
Semgrep Supply Chain for all
Starting today, Semgrep Supply Chain is available to everyone for free, up to 10 monthly contributors (see FAQ). Semgrep Supply Chain scans your dependencies and helps you get rid of the 98% false positives that aren’t reachable within your code (i.e., places that don’t use both a vulnerable dependency and its vulnerable functions). This saves substantial time and was previously exclusively available to paying Team tier customers. All new users now run Supply Chain by default. Existing users need to toggle on Supply Chain in Settings.
Sign up now and give it a try!
Semgrep Code’s Pro features for all
We’re also making Semgrep Code’s Team tier features available for free for teams of up to 10 monthly contributors (see FAQ). This includes advanced code scanning that looks across file and function boundaries to find vulnerabilities via the Pro Engine and high-confidence Pro rules written by our Security Research team. We believe these features are critical to running a modern security program. Toggle on the Pro Engine now in Settings →
To make Supply Chain and Code’s Pro features available to everyone, we are upgrading all accounts to the Team tier and sunsetting the Community tier in favor of simplicity. We felt it was counterproductive to divide features across tiers or withhold functionality, and we wanted every user to experience Semgrep’s full value from the outset. Then, to align pricing with our Startup Program for small teams, and because we are providing more products and functionality for free, we're also reducing our contributor limit to 10 (from 20).
To our existing Team tier users who are under the revised usage limit but have already paid, we will reach out to adjust billing. If you're over the new limit, you'll have until July 31st, 2023, to adjust usage and/or purchase additional seats. We want to ensure a smooth transition for everyone; you can email us with questions or needs at [email protected], or read the docs on pricing and billing or usage limits.
Zero-config Scanning on GitHub.com
We’re launching a private beta of config-less scanning for GitHub.com users to make setting up Semgrep scans faster. Bid goodbye, should you choose, to adding CI/CD configuration files to repositories in order to onboard Semgrep. Zero-config Scanning allows for a direct, hassle-free connection between Semgrep and your GitHub.com organization, with scans being run on Semgrep’s infrastructure. Sign-up for the Zero-config Scanning private beta→
Turbo-charged Semgrep Playground
Semgrep now runs on every keystroke in the Semgrep Playground, returning instant results (i.e., it’s fast). We compiled the OSS Engine to JavaScript and WebAssembly to run in-browser. This means we no longer need a 'Run' button - we simply scan after every keystroke. We believe that speed is a feature, and the previous write-click-run feedback loop interrupted concentration while developing. It’s also just cool! Try Turbo Mode in the Playground now.
Expanded language support: Go Pro, Kotlin OSS
We’ve expanded our language support for Semgrep Code: Semgrep Pro Engine now supports Go, and Semgrep OSS Engine’s Kotlin support is now generally available! We have also added over 100+ new Pro rules across both languages. Over the past few months, we’ve seen Go and Kotlin grow rapidly in popularity within our security and developer community. Adding support for these languages means developers and security teams can find and fix more complex vulnerabilities. Add a project to see new findings for Go and Kotlin →
Enhanced policy management
Opt-in to the Policies beta for Semgrep Code for faster configuration. The new Policies UI makes it simple to configure which Semgrep rules run and their mode (Monitor, Comment, Block), improving upon the old Rule Board by introducing filtering, search, and bulk-actions. You can now use Severity and Confidence data to make decisions, then make bulk changes, and soon will be able to configure different policies for groups of projects. Try the new Policies workflow →
Upcoming features
Coming tomorrow to Semgrep Supply Chain are two highly requested features: Dependency Search and License Compliance. Dependency Search enables you to search your dependencies, their associated versions, and what projects import them all from the Semgrep Cloud Platform UI. License Compliance shows your dependency licenses within the Cloud Platform UI and enables you to define an allow/deny list of the software licenses permitted for use within your projects. Both combine to make due diligence and incident response faster for busy security teams.
On Thursday, we’re launching the official Semgrep VS Code Extension! You’ll be able to run Semgrep Code and Supply Chain on every save for instant developer feedback, saving you time waiting for CI/CD results.
Conclusion
Join us for our launch webinar and recap on June 14th! We’re ecstatic to share what we’ve been working on these past few months and want your feedback. We hope these enhancements, features, and experiments make a meaningful difference in your security journey. Onward and upwards!
Luke O’Malley
Co-Founder, Chief Product Officer
About
Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.