The following updates were made to Semgrep in September 2025.Documentation Index
Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
Use this file to discover all available pages before exploring further.
🌐 Semgrep AppSec Platform
Added
- Added the ability to filter Secrets findings by branch.
- Added a confirmation pop-up when switching between the Production and Pre-production views.
Changed
- Jira: the Semgrep Jira integration now automatically creates Jira tickets for Semgrep Code and Semgrep Secrets findings with a critical severity level.
Fixed
- Jira: Team information now loads when the user attempts to map to the Team custom field.
- Supply Chain’s Advisories filter now filters based on the correct field.
- Fixed the handling of invalid GitHub refresh tokens. If a user’s GitHub refresh token is invalid, Semgrep prompts the user to log in again.
- Minor UI fixes.
💻 Semgrep Code
Added
- Added the
semgrep mcpsubcommand to the Semgrep CLI tool, which runs the Semgrep MCP server. - Improved pre-filtering for taint rules, primarily when taint labels are used.
- Scala: Added support for method dispatching through traits.
- TypeScript: improved name resolution for destructuring parameters.
Changed
- The Semgrep MCP server repository has been moved from semgrep/mcp to semgrep/semgrep.
- Updated
semgrep-interfacesto accept only valid language keys for rules in Semgrep Editor. - Semgrep now filters
SEMGREP_APP_TOKENfrom any request made to non-Semgrep URLs passed to-f/-c/--configwhen fetching configurations and rules. - Python: Fixed an issue involving the resolution of implicit namespace modules.
- TypeScript:
- Fixed an issue where the pattern
var $X = $FUNC($REQ, $RES, ...) {...}didn’t parse correctly. - Improved the performance of
tsconfig.jsonmatching for TypeScript projects that contain multipletsconfig.jsonfiles.
- Fixed an issue where the pattern
Fixed
- Glob patterns containing
\#or\in.semgrepignoreand included.gitignorefiles are now interpreted correctly. - Updated
opentelemetry-*packages to removepkg_resources is deprecatedwarnings. - Dart: Fixed an issue in language processing to return better results.
⛓️ Semgrep Supply Chain
Added
- Supply Chain’s reachability analysis now covers all high severity CVEs from supported sources starting from 2017 for JavaScript packages.
🔐 Semgrep Secrets
Added
- Slack notifications for Semgrep Secrets is now publicly available.
📝 Documentation and knowledge base
Added
- Added instructions for connecting Semgrep to GitHub Enterprise Cloud with data residency.
- Added the following knowledge base articles:
🔧 OSS Engine
- The following versions of the OSS Engine were released in September 2025: