> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# June 2025

> July 18, 2025 · 6 min read

The following updates were made to Semgrep in June 2025.

## 🌐 Semgrep AppSec Platform

### Added

* You can now customize PR and MR comments to provide additional context to the comments generated by Semgrep.
* Rules validation is now parallelized to improve performance when Semgrep scans use many rule files.
* Semgrep now respects `ALL_PROXY`, `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`, `PROXY_USERNAME`, and `PROXY_PASSWORD` for all networking, including networking done through the OCaml components. Additionally, the environment variable
  `OCAML_EXTRA_CA_CERTS` now allows additional CA certificates to be used for network operations done by OCaml components.

### Changed

* The **Sign up** and **Log in** page has been redesigned.
* The **Finding details** page has been redesigned and unified across all Semgrep products.
* The **Settings > Deployment** page in Semgrep AppSec Platform has been removed and reorganized into a **General** page that features sub-tabs for individual uses and Semgrep products.
* Search and pagination on the **Settings > Source code managers** page have been improved, resulting in better load times and smoother navigation.
* Restored links to the same finding on other branches on the finding's details pages.
* **Jira**:
  * Semgrep AppSec Platform now displays information about Jira ticket creation in the **Activity** section of the **Finding details** page. You can check if a ticket was successfully created or if an error occurred during ticket creation.
  * Semgrep organization members can now create Jira tickets for findings.

### Fixed

* Fixed an issue where `semgrep ci` logs in GitLab return incorrect URLs with the wrong `&ref=...` argument.
* Fixed an issue where Semgrep Managed Scan was enabled on projects tagged as `local_scan`.
* Fixed an issue where scan logs show that pull request or merge request comments were successfully posted when the comments were not posted.
* Fixed an issue where Semgrep AppSec Platform did not account for community seats when calculating license usage.
* `nosemgrep` ignore comments no longer require exactly one leading space, allowing for more commenting styles.
* The Semgrep findings returned by the Semgrep Language Server (LSP) are now sorted correctly based on their location within files. This benefits the Semgrep IDE extensions, including VSCode and IntelliJ.
* Various UI fixes.

## 💻 Semgrep Code

### Added

* Added type inference for `mod`, floor division, and `pow`.

### Changed

* JSON output now includes basic profiling data.

### Fixed

* Fixed an issue where taint rules that use the experimental feature *labels* and specify sinks with a `requires:` of the form `not A` could produce findings with an empty list of traces, potentially causing Semgrep to crash.
* Fixed an issue where the empty Python fstring `f""` wasn't matched by the pattern `...`.
* Fixed an issue where a multiplication expression of `int` isn't considered an `int`.
* Fixed an issue where `2 * groups` isn't considered an `int` when `groups` is an `int`.
* **Go**: fixed an issue where `case` statements with ellipses didn't match patterns correctly.
* **JavaScript**: fixed an issue where JavaScript autofix code suggestions break syntax for `if` statements by consuming parentheses.
* **Python**: fixed a regression that could cause naming to take a disproportionate amount of time, significantly slowing down scans.
* **TypeScript**: fixed an issue with stack overflow and out-of-memory issues when parsing TypeScript configurations.

## ⛓️ Semgrep Supply Chain

### Added

* Support for **PHP** reachability is now in **public beta**, which means that Semgrep offers 98% coverage for **Critical** severity issues, plus some coverage for **High** severity issues.
* You can now customize Supply Chain policies using CVEs as a filtering condition.
* Policies now accept custom CVE options to allow the selection of CVEs for which there are no current findings associated.
* Scan logs now report dependency resolution errors that result from local builds by default.
* Added the reporting of subproject dependency resolution to JSON output.
* **C#**:
  * [Dependency Paths](/semgrep-supply-chain/dependency-search#view-the-dependency-path) for C# projects using NuGet are now in **public beta**.
  * Dependency parsing now handles dependencies with `Project` transitivities.
  * Semgrep can scan NuGet codebases without the need for a lockfile. This feature is in **public beta**.

### Changed

* The filter for malicious dependency findings are now included in the existing **Reachability** filter.

### Fixed

* Fixed an issue where missing version constraints in `yarn.lock` descriptors caused parsing errors.
* Fixed an issue where packages were misidentified by adding support for npm aliasing in package-lock.json.
* Fixed an issue where Jira tickets weren't created for some Supply Chain findings.
* Fixed an issue where archived repositories were accidentally scanned by Semgrep Managed Scans for Supply Chain findings.
* Semgrep no longer parses `build.gradle.kts` files as `build.gradle`.

## 🤖 Semgrep Assistant

### Added

* Memories can now be scoped to a rule's vulnerability class, which are the same groupings that exist on the policies page.
* Organization members can suggest memories for approval by admins.
* Semgrep now sends out emails with information about suggested memories, how many findings each memory affects, and the links to review the memories in Semgrep AppSec Platform.

### Changed

* Organization members can now see memories in addition to admins.
* Active memories now display the name of the person who authored the triage note that Assistant used to create the memory.
* Memories created by Semgrep are now labeled as created by Assistant.

### Fixed

* Fixed an issue where changes made to the **Allowed AI providers** dialog weren't saved.

## 🔐 Semgrep Secrets

### Added

* You can now create memories for generic secrets, allowing you to create and apply custom rules for secret detection through Assistant.

### Fixed

* Fixed an issue where files excluded in `.semgrepignore` were also applied to Secrets scans. Semgrep now scans files that have been excluded from Code and Supply Chain scans for leaked secrets.

## 📝 Documentation and knowledge base

### Added

<CardGroup>
  <Card title="Enable source code manager code access" icon="key" href="/semgrep-appsec-platform/scm-code-access" horizontal />

  <Card title="Run a successful proof-of-value (POV) trial with Semgrep" icon="check-circle" href="/run-a-successful-pov" horizontal />

  <Card title="Knowledge base: Search, filter, and sort findings in Semgrep AppSec Platform" icon="search" href="/semgrep-appsec-platform/scm-code-access" horizontal />
</CardGroup>

### Fixed

Minor corrections and typo fixes.

## 🔧 OSS Engine

* The following versions of the OSS Engine were released in June 2025:

<CardGroup>
  <Card title="1.124.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.124.0" horizontal />

  <Card title="1.125.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.125.0" horizontal />

  <Card title="1.126.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.126.0" horizontal />

  <Card title="1.127.0" icon="code-branch" href="https://github.com/semgrep/semgrep/releases/tag/v1.127.0" horizontal />
</CardGroup>
