The following updates were made to Semgrep in August 2025.Documentation Index
Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
Use this file to discover all available pages before exploring further.
🌐 Semgrep AppSec Platform
Changed
- Jira:
- The labels
Malicious DependencyandNon-malicious Vulnerabilityhave been changed toMalicious DependencyandNot Malicious, respectively. - Jira tickets created for malicious dependency findings now include more prominent visuals, such as bolded rule messages, to help them stand out from other reachable findings.
- The maximum number of findings associated with a specific Jira ticket has increased from 50 to 75.
- The labels
- You can now connect to your GitHub repositories without needing to contact Semgrep Support, even if you don’t use GitHub as your SSO provider with Semgrep.
- You can now view a project’s details page while the scan is still in progress.
Fixed
- Semgrep now maintains connectivity to repositories that you move from one GitHub organization to another.
- Bitbucket pull request comments from Semgrep now display with correct formatting.
💻 Semgrep Code
Added
- Added support for interfile analysis for Scala projects.
- Added a timeout to Semgrep’s internal HTTP requests to prevent remote endpoints from indefinitely hanging the Semgrep engine.
- Improved pre-filtering for interfile rules enables the Semgrep engine to detect and skip unnecessary interfile rules earlier in the scan process.
- When a segmentation fault is encountered, Semgrep now displays backtraces with function names, filenames, and line numbers when available.
- PHP:
- When enabling the option
taint_assume_safe_booleans, the return values ofboolval,is_bool, and||are considered safe. - When enabling
taint_assume_safe_numbers, the return values ofintval,floatval,+,-,*,/, and%are considered safe.
- When enabling the option
Changed
- Semgrep scans no longer attempt to parse
tsconfigfiles for non-TypeScript scans. - CLI: the
--jsonoutput of Semgrep’s CLI now includes atimefield ortimeobject with profiling data.
Fixed
- Fixed incorrect YAML parsing of strings like
nan, where the strings were interpreted as a float instead of a string. - Fixed a bug that prevented taint tracking through
newin Java projects. - Semgrep now substitutes metavariables for their values in a deterministic order to ensure keys for match-based IDs are stable.
- Error messages are logged, but not displayed as pop-ups in IDEs.
⛓️ Semgrep Supply Chain
Added
- Supply Chain’s reachability analysis now covers all high and critical severity CVEs in Python packages from supported sources starting 2017 and onward.
- Supply Chain policies now support the exclusion of conditions. For example, you can define a condition such as
When Reachability is not Always reachable.
🤖 Semgrep Assistant
Added
- Added support for the use of custom AWS Bedrock keys.
🔐 Semgrep Secrets
Added
- Semgrep now logs the amount of time required for the HTTP request to complete when validating Secrets in the debug logs.
Changed
- Semgrep Secrets no longer allows more than 256 outstanding validations at any given time.
🔧 OSS Engine
- The following versions of the OSS Engine were released in August 2025: