Semgrep Product Updates

You can now roll out Semgrep at ludicrous speed without any manual, per-repo CI/CD configuration. Whether you have one repo or thousands of repos, It Just Works.

Semgrep managed scanning lets you add Semgrep to your projects without the need to change existing CI/CD configurations, whether you have one, hundreds, or even tens of thousands of repositories.

Code scans are run on Semgrep AppSec Platform’s infrastructure instead of in your CI/CD infrastructure. So there is no need for you to spend CI minutes or coordinate with other teams to set up scanning.

Once enabled, Semgrep managed scanning automatically runs full scans weekly and on every PR. Semgrep findings presented as PR comments are still available, and determined according to your policy settings for monitor, comment, or blocking modes.

For more, check out the Semgrep managed scanning announcement blog post.

Shipping RBAC that works at the repository level was a priority for us this year, and we’re excited to announce that project-level RBAC is now in public-beta!

For organizations with thousands of developers and repositories, the importance of role based access controls goes beyond compliance - security engineers only want to see findings for the repositories and microservices they are responsible for, and access controls that work at the project level make this possible.

For more information, read our documentation on the new teams view in our access controls menu (found under settings).

Structure Mode is a brand new way to write Semgrep rules that guides users via UI as opposed to requiring them to write YAML. Structure mode makes rule-writing easier for inexperienced rule-writers, but it also adds cool new features for seasoned rule-writers that should speed up their workflows as well.

Structure Mode replaces the now deprecated "Simple Mode", as it offers more robust functionality paired with an intuitive interface that's just as easy (if not easier) to understand than Simple Mode.

To learn more about Structure Mode, read our blog post which outlines all of the shiny new capabilities in detail.

The playground/editor has some shiny new examples/templates that should make it much easier for users to get started with rule-writing. Here are the key changes:

• Example/template rules are now categorized

• Each example has an explanation of what patterns are being matched with links to relevant documentation

• Example rules are more "real world" and better showcase the common use cases for rules

• Customers with secrets enabled will now will see an additional property for HTTP validation (learn more about custom secrets rules)

  

Happy rule-writing!

Customers can now write their own rules for Semgrep Secrets! These rules can detect and validate secrets associated with internal services, services with custom subdomains, or services not yet supported by Semgrep.

To learn more, read the announcement post where we go through an example of how easy it is to write a custom secrets rule and add it to a Semgrep policy.

Note that Semgrep Secrets supports validation out-of-the-box and comes with validator rules for many common services - this update allows users to write their own custom validator rules for internal services, services with custom subdomains, etc.

Users can now scan for valid secrets in their repo's git history! This functionality is off by default, so users will have to toggle it on in the settings menu or run semgrep ci with --historical-secrets.

A few things to note:

• Historical scanning can be slow with large repos.

• Findings from historical scans will not be automatically be marked as fixed. Currently these findings can only exist in two states: Open or Ignored.

Please don't hesitate to share any feedback with your account team!

Use the Jira, Asana, or Linear integration to create tickets for Semgrep Code and Supply Chain findings easily.