> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# April 2026

> May 12, 2026 · 8 min read

The following updates were made to Semgrep in April 2026.

## 🌐 Semgrep AppSec Platform

### Added

* Added a prompt for users to log in with their corporate SSO credentials instead of their GitHub or GitLab credentials when their organization has corporate SSO configured.
* Added workflow execution usage information to the [AI credits dashboard](https://semgrep.dev/orgs/-/settings/usage) so users can see workflow runs alongside scans, triage actions, and fixes.
* Added the ability to download contributor usage information from **Settings > Usage & Billing**.
* Added AI-powered detection findings to the findings API endpoint (`GET /api/v1/deployments/{slug}/findings`).
* Added Jira ticketing support for AI-powered detection findings.
* Added the ability to manually run full scans for the non-default or non-primary branches using Semgrep Managed Scans.
* Added the ability to retry Semgrep Managed Scans that failed or didn't complete.
* **Semgrep Guardian**: added support for a Supply Chain hook.

### Changed

* The interfile analysis engine has been redesigned to improve performance. These improvements change how findings are generated, which might result in additional true positives and fewer false positives.
* Contributor seat limit alerts now explain that scans continue as a courtesy when an organization exceeds its seat limit, replacing the previous inaccurate "scans will be paused" text.
* Removed the **Fixed in** time filter option from all **Findings** pages.
* The **Projects** list now includes Semgrep Managed Scans that are pending or have never started scanning.
* [Semgrep Playground](https://semgrep.dev/playground/new) is now mobile-friendly.

### Fixed

* Fixed an issue where invalid configurations caused the **Integrations** page to not load. Semgrep now displays a meaningful error and allows users to edit or delete the configuration.
* Fixed an issue where Semgrep did not save changes when Gradle or Maven registry integration credentials were updated.
* Fixed an issue where the **Settings > Usage** panel incorrectly showed a subset of seats when a deployment had multiple active licenses for the same product instead of the correct combined total.
* Fixed an issue where the **Remove user from organization** button was available to **Managers**, allowing them to remove Admin users.
* Fixed an issue where read-only users could upload CLI scan results and overwrite findings by setting `SEMGREP_REPO_DISPLAY_NAME`. CLI scan endpoints now enforce scan permissions.
* Fixed an issue where CSV findings exports failed with `IndexError: list index out of range` for some users when a paginated batch returned an empty list.
* Fixed the `repos` filter on the findings and issues API endpoints to use case-insensitive matching.
* Fixed an issue where the **provisionally ignored** filter for the public findings API endpoints returned all findings.
* Fixed an issue where the Jira integration failed to load for deployments that saved their Jira configuration before support for AI-detection findings was added.
* Fixed an issue with the SARIF trace output for taint mode so that it now uses the correct file URI and includes the sink call trace in `codeFlows`.
* **IDE**: fixed an issue where network errors occurring during token verification resulted in saved tokens being cleared.
* Minor UI fixes.

## 💻 Semgrep Code

### Added

* The **finding details** page now displays the reason why a finding was ignored at the top. Users no longer need to go to the **Activity** section to see this information.
* Added the findings count and a link to view findings to the AI-powered detection scan progress timeline.
* Added AI-powered detection findings to the Findings CSV export file.
* Improved support for variadic functions in taint-tracking mode.
* **Scala**: added `tree-sitter` parser to improve parsing accuracy.

### Fixed

* Fixed an issue where the AI-powered detection scan time estimate was overinflated.
* Fixed an issue where Autofix wasn't able to create a GitHub pull request due to the Semgrep GitHub app requesting insufficient permissions.
* Fixed an issue where Autofix features were unavailable to organization **members**, as well as **admins**.
* Fixed an issue where Autofix displayed a suggested fix for Supply Chain findings. Autofix is only applicable to Code findings.
* Fixed an issue where Autofix errored out when attempting to open pull requests for Azure DevOps repositories. Semgrep now rejects these requests since Azure DevOps isn't supported.
* Fixed an issue where Autofix errored out when handling requests involving archived repositories. Semgrep now rejects these requests and displays an error message accordingly.
* Fixed an issue where some GitHub Enterprise users stopped seeing Autofix pull requests.
* Fixed an issue where provisionally ignored findings couldn't be triaged without a comment provided.
* Fixed Autofix pull request descriptions so that they properly display the user's GitHub username.
* Fixed an issue with GitHub App permission checks, which had been using app manifest permissions, or what the app declares, instead of installation-level permissions, or what was actually granted, causing the **Autofix** button to be incorrectly hidden or shown.
* Fixed performance issues during the parsing of Semgrep rules containing non-BMP Unicode characters
* **Scala**:
  * Fixed an issue with trait parameters in versions 3.4.x and later so that they are now parsed correctly.
  * Fixed an issue where Semgrep failed silently instead of returning an error when target file discovery fails.

## ⛓️ Semgrep Supply Chain

### Added

* Added reachability coverage for Rust.
* Supply Chain advisories now have dedicated detail pages, replacing the previously used drawers.
* Added dependency path information to the SBOM exports and the Issues API endpoint.

### Fixed

* Fixed an issue with legacy Supply Chain findings URLs that resulted in the findings page showing zero results.
* Fixed the **Dependencies** filter on the **Findings** page so that exact matches rank above all other matches.
* Fixed the advisory ID search so that it is case-insensitive.
* Fixed an issue where the Autofix API endpoints accepted pull requests for issues that were already fixed, removed, or ignored.

## 🤖 Semgrep Multimodal

### Added

* Added IAM role-assumption authentication mode for Amazon Bedrock BYOK. In addition to static access keys, users can now configure an IAM role ARN and grant Semgrep cross-account access using the generated external ID.

### Changed

* Findings of **critical** or **high** severity with **high** or **medium confidence** identified during diff-aware scans are now included in autotriage analysis.
* The memory creation dialog now prompts users to create specific, named memories, such as "`ConfigService` is an internal backend service" rather than generic, conditional memories.

### Fixed

* Fixed an issue with pull request comment URL construction for tag-scoped and deployment-wide memories that previously resulted in no pull request comments being posted.

## 🔧 Semgrep Community Edition

* The following versions of Semgrep Community Edition were released in April 2026:

<CardGroup>
  <Card title="1.161.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.161.0" horizontal />

  <Card title="1.160.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.160.0" horizontal />

  <Card title="1.159.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.159.0" horizontal />

  <Card title="1.158.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.158.0" horizontal />

  <Card title="1.157.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.157.0" horizontal />
</CardGroup>
