Semgrep Product Updates

Stay up to date on all of the changes to the Semgrep AppSec platform, big and small.

Semgrep managed scanning now available in public beta

You can now roll out Semgrep at ludicrous speed without any manual, per-repository CI/CD configuration. Whether you have one repo or thousands, it just works.

Semgrep managed scanning lets you add Semgrep to your projects without the need to change existing CI/CD configurations, whether you have one, hundreds, or even tens of thousands of repositories.

Code scans run on Semgrep AppSec Platform's infrastructure instead of in your CI/CD infrastructure, so there is no need to spend CI minutes or coordinate with other teams to set up scanning.

Once enabled, Semgrep managed scanning automatically runs a full scan weekly and a scan on every PR. Findings still appear as PR comments, governed by your policy settings for monitor, comment, or blocking mode.

For more, check out the Semgrep managed scanning announcement blog post.

Pablo Estrada

New UI for Semgrep Supply Chain

We've done a lot this quarter to streamline the Supply Chain UI! These changes make our SCA solution, and the platform as a whole, much easier to work with.

All three of our products are powered by the same core analysis engine. As we continue to unify and consolidate the front-end, anyone familiar with other parts of the Semgrep AppSec Platform should quickly get their bearings in Semgrep Supply Chain.

The new interface brings many of the core SAST capabilities and workflows that our users love to Semgrep Supply Chain:

  • Group vulnerabilities by rule

  • Bulk triage of findings

  • More comprehensive filtering

  • One unified API for findings across Semgrep Code and Semgrep Supply Chain

Andy Huang

Project-level RBAC is now in public beta

Shipping RBAC that works at the repository level was a priority for us this year, and we're excited to announce that project-level RBAC is now in public beta!

For organizations with thousands of developers and repositories, role-based access control matters for more than compliance: security engineers only want to see findings for the repositories and microservices they are responsible for, and access controls at the project level make this possible.

For more information, read our documentation on the new Teams view in the Access controls menu (found under Settings).

[Screenshot: Project-level RBAC]

Chushi Li

Improved rule templates and categories in the Playground/editor (rule-writing)

The Playground/editor has new example rules and templates that make it much easier to get started with rule-writing. Here are the key changes:

  • Example/template rules are now categorized

  • Each example has an explanation of what patterns are being matched with links to relevant documentation

  • Example rules are more "real world" and better showcase the common use cases for rules

  • Customers with Semgrep Secrets enabled will now see an additional property for HTTP validation (learn more about custom secrets rules)

[Screenshot: Playground updates]
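As a worked example of the kind of "real world" template described above, here are two rules written for this note; they are not taken from the page, from the Playground templates, or from Semgrep's registry. The first is a Python SAST rule that flags subprocess calls with shell=True and a non-literal command, showing metavariables, pattern composition and a pattern-not exclusion. The second is a Semgrep Secrets rule that detects a GitHub classic personal access token and uses the HTTP validation property to check it live against the GitHub API. The rule IDs, messages and metadata values are illustrative; the validators block follows the schema in the custom secrets rules documentation and should be checked against it for your Semgrep version.

```yaml
rules:
  # Rule 1: SAST-style rule using metavariables, pattern composition and an
  # exclusion. Illustrative rule written for this example, not a registry rule.
  - id: python-subprocess-shell-true-nonliteral-command
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is called with shell=True and a command ($CMD) that is
      not a plain string literal. If any part of $CMD is attacker-controlled
      this is OS command injection (CWE-78). Pass the command as an argument
      list and remove shell=True.
    patterns:
      - pattern-either:
          - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
          - pattern: subprocess.$FUNC(..., args=$CMD, ..., shell=True, ...)
      # Only the functions that actually spawn a process.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(call|check_call|check_output|run|Popen)$
      # A fixed string literal cannot carry attacker input; skip it to keep
      # the signal-to-noise ratio high.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
    metadata:
      category: security
      subcategory: [vuln]
      cwe: ["CWE-78: Improper Neutralization of Special Elements used in an OS Command"]
      technology: [python]
      confidence: MEDIUM
      likelihood: HIGH
      impact: HIGH
      references:
        - https://docs.python.org/3/library/subprocess.html#security-considerations

  # Rule 2: Semgrep Secrets rule. The named capture group becomes the
  # metavariable $TOKEN, which the HTTP validator substitutes into the request
  # so the platform can mark the finding valid or invalid. The metadata.product
  # value marks this as a Secrets rule; the endpoint and token format are the
  # GitHub API and classic PAT format, used here for illustration.
  - id: hardcoded-github-personal-access-token
    languages: [regex]
    severity: ERROR
    message: >-
      A GitHub personal access token appears to be hardcoded in source.
      Revoke it and move it to a secrets manager or a CI variable.
    pattern-regex: \b(?P<TOKEN>ghp_[A-Za-z0-9]{36})\b
    metadata:
      product: secrets
      secret_type: GitHub Personal Access Token
      category: security
      cwe: ["CWE-798: Use of Hard-coded Credentials"]
    validators:
      - http:
          request:
            method: GET
            url: https://api.github.com/user
            headers:
              Authorization: Bearer $TOKEN
              User-Agent: Semgrep
          response:
            - match:
                - status-code: 200
              result:
                validity: valid
            - match:
                - status-code: 401
              result:
                validity: invalid
```

Save the file as rules.yaml and run semgrep --config rules.yaml against a project to see the first rule fire; the validator in the second rule is evaluated by the Semgrep AppSec Platform, not by the local CLI, so a validated finding only appears after a scan that reports to the platform.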

Happy rule-writing!

Chushi Li

Swift Support in Semgrep Supply Chain (lockfile-only)

We're excited to announce that Semgrep Supply Chain now has lockfile-only support for Swift and the official Swift Package Manager!

Our roadmap for the ecosystem includes reachability analysis and the addition of CocoaPods as a supported package manager.

You need a Package.resolved file committed in your repository for us to parse your dependencies. The Swift Package Manager generates one when you run swift package resolve; see the official Swift Package Manager documentation for details.

[Screenshot: Swift rules in Semgrep Supply Chain]

Andy Huang

Semgrep's VSCode extension (v1.6.2+) can run natively on Windows

Semgrep's VSCode extension (v1.6.2 and later) runs natively on Windows. The extension uses LSP.js, a JavaScript build of the Semgrep language server, to support Windows.


Chinmay Gaikwad

SBOM export with CycloneDX

SBOM export is now in public beta for any repository scanned by Semgrep Supply Chain. You can export an SBOM in the CycloneDX v1.4 format as JSON or XML.

Chinmay Gaikwad

SCA API updates

Semgrep Supply Chain now has a public API. You can list all of your Supply Chain vulnerabilities, and list all of your dependencies either as a flat list or grouped by repository and lockfile.

Chinmay Gaikwad

C# and PHP support

Semgrep Supply Chain can now find reachable vulnerabilities in C# dependencies. We also added lockfile-only support for PHP. Semgrep Supply Chain now supports C#, Go, Java, JavaScript, PHP, Python, Ruby, and Rust.

Scanning code for security issues using Semgrep's IntelliJ plugin

Use Semgrep's plugin for IntelliJ products (AppCode, Aqua, CLion, DataSpell, DataGrip, GoLand, IntelliJ IDEA Ultimate, PhpStorm, PyCharm Professional, Rider, RubyMine, RustRover, WebStorm) to scan for Semgrep Code findings and Semgrep Supply Chain vulnerabilities from within your IDE.

Chinmay Gaikwad