> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# January 2026

> February 4, 2026 · 4 min read

The following updates were made to Semgrep in January 2026.

## 🌐 Semgrep AppSec Platform

### Added

* You must now authenticate through OAuth when connecting to the MCP server using Streamable HTTP.
* **CLI**:
  * Improved the performance of scan planning by reducing the cost of re-hashing `Target` objects. Semgrep's performance improvement on scans of large projects is proportional to the number of files in the project.
  * In `--debug` mode, Semgrep warns you if you attempt to run a parallel scan with a larger value for `-j`/`--jobs` than the number of CPUs Semgrep has detected as available for use.
  * Semgrep now provides a suggested starting value for `-j`/`--jobs`.
  * `semgrep login` now supports the use of `--force`, which ignores existing tokens and starts a new login session.

### Changed

* Semgrep AppSec Platform's **Findings** page displays more descriptive rule group names, and the **Finding Details** page displays more descriptive rule names. For example, `sequelize-express` is now `SQL injection in Sequelize with Express`.
* The MCP server no longer supports SSE transport.
* **CLI**:
  * Semgrep's CLI tool now uses `uv` instead of `pipenv` for package management.
  * `semgrep ci` no longer applies autofixes to local projects, even if the **Suggest autofixes** toggle in Semgrep AppSec Platform is turned on.

### Fixed

* Fixed an issue where time filters didn't return the correct findings.
* Fixed an issue where Semgrep didn't consistently select the same findings across scans when deduplicating findings. Previously, the selected findings were always equivalent, but they weren't guaranteed to be identical. For example, the findings' metavariable bindings could differ. Depending on the rule used and the target code, this behavior could cause the fingerprints of findings to change from one scan to another.
* Fixed an issue where email addresses used for SSO were case sensitive.
* Fixed an issue where Semgrep AppSec Platform displayed non-shared GitLab projects for the group.

## 💻 Semgrep Code

### Fixed

* Improved the handling of parsing errors during interfile analysis. These errors are now reported to you and included in the JSON output.
* Fix an issue resulting in `bad file descriptor` errors when performing Git operations on Windows machines.
* **Java**: improved virtual method resolution.
* **Python**: Dataflow analysis now accounts for `for/else` and `while/else` loops.
* **Scala**: improved virtual method resolution.

## ⛓️ Semgrep Supply Chain

### Added

* Semgrep’s reachability analysis now covers all **critical** and **high** severity CVEs from supported sources starting in 2017 across **all** supported languages.
* Diff-aware scans are now faster because Git-untracked files no longer slow down subproject discovery.
* Added support for Gradle lockfiles of the form `gradle*.lockfile`. Previously, only files with the exact name `gradle.lockfile` were supported.

### Changed

* Dependency search now allows you to search for one or more packages using:
  * The name of the package
  * An exact version number
  * A range of version numbers

### Fixed

* Improved the performance of Supply Chain scans by reducing pre-computation when printing scan status information. Note that less information is displayed if there are no rules to run.
* Fixed an issue with version range matching for `npm` packages where the version number contained a pre-release identifier, such as `-alpha` in `1.2.3-alpha`.

## 🤖 Semgrep Assistant

### Added

* Members can now create suggested memories for Assistant when triaging findings in Semgrep AppSec Platform. Previously, only admins could do so.

### Fixed

* Fixed an issue where code suggestions that involved removing code didn't render in the diff correctly.

## 📝 Documentation and knowledge base

* Minor updates and fixes.

## 🔧 OSS Engine

* The following versions of the OSS Engine were released in January 2026:

<CardGroup>
  <Card title="1.147.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.147.0" horizontal />

  <Card title="1.148.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.148.0" horizontal />

  <Card title="1.149.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.149.0" horizontal />

  <Card title="1.150.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.150.0" horizontal />
</CardGroup>
