Semgrep Product Updates

Users can now select findings and use the "Analyze" button to run all Semgrep Assistant functions (autofix, autotriage, and component tagging) on the selected findings. Once the analysis is completed, users will see results if they:

filter by Fix/Ignore

filter by AI Component Tags

If they select "No Grouping" instead of "Group by Rule" they will see false positive or true positive recommendations directly in their findings.

Learn more

Semgrep Assistant (Semgrep’s AI integration) can now categorize and tag findings based on the component they are found in. Users can use these tags to prioritize findings (only show findings related to user authentication, PII, etc.).

Learn more

Learn more

Semgrep's VSCode extension (v1.6.2+) can run natively on Windows. Semgrep Platform uses LSP.js as a way of supporting Semgrep on Windows.

Learn more

Go, Java, Javascript, and Typescript’s interfile analysis support is now GA. All cross-functional analysis language support is now GA.

Learn more

Users can now scan C# projects with Semgrep Code’s Pro Engine, leveraging advanced interfile analysis to uncover more complex vulnerabilities while reducing noise. 

SBOM export (in public beta) is now supported on any repository that Semgrep Supply Chain scans. Users can export SBOM in CycloneDX v1.4 standard in JSON or XML format.
Learn more

Semgrep Supply Chain public API release; users can list all their Supply Chain Vulnerabilities and list all their Dependencies in a raw list or with respect to their repositories and lockfiles.

Semgrep Supply Chain can now find reachable vulnerabilities in C# dependencies. Along with C#, we also added lockfile-only support for PHP. Semgrep Supply Chain now supports C#, Go, Java, JavaScript, PHP, Python, Rust, and Ruby.

Use Semgrep’s plugin for IntelliJ products (AppCode, Aqua, CLion, DataSpell, DataGrip, GoLand, IntelliJ IDEA Ultimate, PhpStorm, PyCharm Professional, Rider, RubyMine, RustRover, WebStorm) to scan for Semgrep Code and Supply Chain vulnerabilities.