Semgrep Product Updates

You can now roll out Semgrep at ludicrous speed without any manual, per-repo CI/CD configuration. Whether you have one repo or thousands of repos, It Just Works.

Semgrep managed scanning lets you add Semgrep to your projects without the need to change existing CI/CD configurations, whether you have one, hundreds, or even tens of thousands of repositories.

Code scans are run on Semgrep AppSec Platform’s infrastructure instead of in your CI/CD infrastructure. So there is no need for you to spend CI minutes or coordinate with other teams to set up scanning.

Once enabled, Semgrep managed scanning automatically runs full scans weekly and on every PR. Semgrep findings presented as PR comments are still available, and determined according to your policy settings for monitor, comment, or blocking modes.

For more, check out the Semgrep managed scanning announcement blog post.

Shipping RBAC that works at the repository level was a priority for us this year, and we’re excited to announce that project-level RBAC is now in public-beta!

For organizations with thousands of developers and repositories, the importance of role based access controls goes beyond compliance - security engineers only want to see findings for the repositories and microservices they are responsible for, and access controls that work at the project level make this possible.

For more information, read our documentation on the new teams view in our access controls menu (found under settings).

We're excited to announce the public beta of Semgrep Code Search! Code Search lets users can run a single rule across hundreds of code repositories in seconds, making vulnerability detection and rule iteration lightning-fast. Since Semgrep rules are already easy to understand and write, the instant feedback provided by Code Search gives users superpowers when it comes to rule evaluation, rule writing, and vulnerability hunting.

To learn more about how to use Code Search (or how it works on the back-end), read the announcement blog post!

Important Notes:

• Semgrep Code Search is only currently available for repos hosted on Github.com

• Semgrep Code Search is only available for current Code customers or users with an active trial license.

Structure Mode is a brand new way to write Semgrep rules that guides users via UI as opposed to requiring them to write YAML. Structure mode makes rule-writing easier for inexperienced rule-writers, but it also adds cool new features for seasoned rule-writers that should speed up their workflows as well.

Structure Mode replaces the now deprecated "Simple Mode", as it offers more robust functionality paired with an intuitive interface that's just as easy (if not easier) to understand than Simple Mode.

To learn more about Structure Mode, read our blog post which outlines all of the shiny new capabilities in detail.

The playground/editor has some shiny new examples/templates that should make it much easier for users to get started with rule-writing. Here are the key changes:

• Example/template rules are now categorized

• Each example has an explanation of what patterns are being matched with links to relevant documentation

• Example rules are more "real world" and better showcase the common use cases for rules

• Customers with secrets enabled will now will see an additional property for HTTP validation (learn more about custom secrets rules)

  

Happy rule-writing!

We're happy to announce that all Semgrep Code scans will now use Pro Engine (cross-function analysis + Pro-only languages).

This improved analysis and coverage comes with no performance/speed cost, which is why we're making it the default scan type! You may notice new findings after your next scan due to the increased scope of analysis.

Since all scans now run with cross-function analysis, the "Pro Engine" toggle in settings is now a toggle for cross-file analysis (which is still optional due to the potential impact on scan speeds):

We are excited to announce the General Availability of Swift support in Semgrep Code!

This means that Swift now meets the strict syntax and parse-rate requirements for GA status with our Pro Engine. This release includes 57 Pro rules covering a broad range of vulnerability classes - as usual, we'll continuously monitor and update them to ensure they meet our standards for accuracy and comprehensiveness.

Happy coding!

A new set of rules for Elixir and the Phoenix framework have just been released, covering a broad range of security and correctness issues.

These rules can be found in the registry, and a subset of them (medium/high confidence rules) are available via the p/elixir ruleset for easy access.
To use them, users must be logged in and use the Pro engine via the --pro option!

Many thanks to Holden Oullette (maintainer of Sobelow) for helping us ship this update!

Semgrep Code now has cross-file support for Python! This includes 100+ Pro rules focusing on common web vulnerabilities, with coverage for Flask and several extensions like Flask-SQLAlchemy, Flask-WTForms, and more. Django and FastAPI coverage is coming soon!

The rules are in p/default and you should start to see new results in your next scan. If you'd like to see results on a local scan first, run $ semgrep login && semgrep ci --pro

Please don't hesitate to share any feedback you have on the results with your account team or one of our product managers!

We’re extremely excited to launch GA support for C and C++ in Semgrep Code! Our Pro Engine scans C/C++ projects in minutes, and doesn't require a build or compile step. To see all of the new Pro rules for C/C++, check out the registry.

Note that no changes have been made to C/C++ support in Semgrep OSS - the languages will stay experimental due to constraints with OSS engine capabilities.

If you have any questions regarding coverage or performance in comparison to other SAST solutions that scan C/C++, please reach out to your account team!