
March 2026


The following updates were made to Semgrep in March 2026.

๐ŸŒ Semgrep AppSec Platformโ€‹

Added

  • Semgrep's AI-powered detection is now available in beta. With AI-powered detection, you can automatically identify complex business logic flaws, such as insecure direct object references (IDORs) and broken authorization.
  • Semgrep is now available as a Cursor and Claude Code plugin, providing automatic security scanning for Code, Supply Chain, and Secrets on every file.
  • Added Duplicate as a triage reason for findings when multiple rules identify the same issue or when the same issue is tracked elsewhere.
  • Findings can be linked to an existing ticket URL or have linked tickets removed when a ticketing integration is configured. Linking a ticket replaces any existing ticket associated with the selected findings.

Changed

  • Click to Fix has been renamed to Autofix.

  • On the Rules & Policies > Policies page, the Projects scanning column now replaces the previous global on/off toggle. You can scope each rule to all projects, selected projects or tags, all projects with exceptions, or disable the rule for all projects. A drawer provides project search, filters, and bulk selection.
  • Billing & Usage updates:
    • When a deployment enforces AI credit limits, Semgrep AppSec Platform now shows alerts for low or exhausted credits and disables all AI features. If enforcement is off, these credit indicators stay hidden.
    • Contributor counts reflect the last 90 days of activity, instead of 30.
    • Billing timezones default to UTC for new organizations on usage-based billing.
  • The Findings page now loads code snippets after the main finding details. Slow or unavailable source code managers are less likely to block the page or cause timeouts.
  • Simplified GitHub onboarding by requiring only a single GitHub App installation instead of two. Existing users can now uninstall the public GitHub App if previously installed.
  • GitHub.com source code manager connections can now be added without requiring GitHub SSO login, and users can connect multiple GitHub organizations.
  • Improved member invite emails so invitations clearly require authorization through one of your accepted login methods.
  • Package registry integration settings under Settings > Integrations > Registry now include an option to use the Semgrep Network Broker when a registry is only reachable through your private network.
  • Improved load times for the Projects page, Policies registry search, and source code repository sync for large deployments.
  • Added support for agentic hooks in Windsurf IDE.

Fixed

  • Fixed security vulnerabilities affecting SAML login handling, web services run in application containers, and read-only permission enforcement.
  • With RBAC enabled, read-only users can no longer trigger scans from the Semgrep AppSec Platform or API.
  • Added server-side validation to enforce the 3,000-character limit for triage notes across all API endpoints.
  • Fixed findings links across Semgrep products so shared URLs, bookmarks, dashboard shortcuts, and notification links preserve the correct branch and tab context.
  • Fixed Settings page scroll behavior so top-level tabs stay visible after load.
  • Fixed an issue where invalid webhook configurations would cause the Integrations page to become unusable.
  • The Enable Secrets button now links to the correct Settings page.
  • Fixed an issue where custom policies with no rules assigned would cause the Policies page to load indefinitely.
  • Fixed an issue where the Policies page would crash when rulesets contained soft-deleted rules.
  • Fixed an issue where filtering by rule mode on the Code Findings page would break the project filter, causing findings from all projects to appear.
  • Fixed Findings page scroll when nested lists were still collapsed.
  • Fixed an issue where findings with the status Reviewing had no action to continue triage. Mark as open in the finding menu sets the finding to Reopened.
  • Fixed an issue where OpenID Connect SSO login could fail after recent provider updates that require the iss (issuer) parameter.
  • Fixed an issue where Slack notifications were missing merge request hyperlinks for self-managed GitLab instances with custom domain names.
  • Fixed an issue where API errors could lead to the RBAC enablement screen incorrectly being displayed for deployments that already had RBAC enabled.
  • Fixed an issue where Azure DevOps Cloud was incorrectly classified as an on-premise source code manager, causing incorrect warnings and blocking setup for valid cloud configurations.
  • Fixed an issue where automatically setting up the same repository in multiple Semgrep projects could trigger duplicate diff-aware scans. Semgrep now auto-configures diff-aware scans only for the first linked project. Additional linked projects continue to receive automatic full scans, and diff-aware scans can still be configured manually.
  • Fixed an issue where bulk ignore required a comment when changing provisionally ignored findings to ignored, even though a comment is optional.
  • Added validation to reject bulk triage API requests that provide neither issue_ids nor filter criteria, preventing accidental triage of all findings.
  • Fixed an issue where bulk ignore required a comment before you could submit when changing provisionally ignored findings to ignored, even though a comment is optional for that action.
  • Fixed several issues with AI credits billing and usage:
    • AI credits no longer show as zero on Billing & Usage when there are active credit grants.
    • AI credits are no longer counted more than once for organizations with multiple licenses.
    • AI credits no longer expire before the subscription ends for prorated or multi-year plans.

💻 Semgrep Code

Added

  • Autofix is now in beta for Semgrep Code, extending AI-generated draft pull requests (PRs) to Code findings in addition to Supply Chain findings.
  • The Code page now shows AI-powered detection findings and rule-based scan findings, with filters to help you view each type separately.
  • Added beta support for PowerShell.

Changed

  • Updated Kotlin tree-sitter parser to the latest grammar.
  • Scala: improved taint tracking through lambda calls and cross-file tracking for globals, and improved type and call resolution.

Fixed

  • Fixed the finding's Details page so the Rule-defined fix tab also appears for rules that define a regex-based fix, not only rules that use a standard fix field.
  • Fixed path filtering when scanning single files to correctly match project-relative patterns like /src/test/**/*.java.
  • Fixed various parsing issues in Rust, Python, and Kotlin.
  • Improved error reporting: target file discovery errors are now surfaced as warnings instead of being silently ignored.

โ›“๏ธ Semgrep Supply Chainโ€‹

Added

  • Dependency scanning for Java and Kotlin projects without lockfiles is now in public beta. Maven, Gradle, Artifactory, Nexus Cloud, and on-premises source code managers are supported.
  • Added an admin-only API endpoint that allows you to re-run upgrade requirements analysis for Supply Chain findings. Each request can include up to 10 issues.

Changed

  • Supply Chain dependency search includes an Exact match option so you can use strict package-name matching or substring-style matching.
  • Added Autofix filters to the Supply Chain findings. Supply Chain Autofix PRs and MRs now display detailed descriptions.
  • Supply Chain finding Details pages now show reachability in only one place instead of twice.
  • Simplified Upgrade Guidance filters on Supply Chain findings. Breaking is now a single filter that matches any breaking-change type.
  • Disabling Semgrep Multimodal turns off Supply Chain Upgrade Guidance, so it is not left enabled without model providers; dependency processing also skips starting Upgrade Guidance when no AI providers are configured.
  • Supply Chain periodically refreshes cached dependency license metadata from upstream sources so license identifiers stay closer to current System Package Data Exchange (SPDX) data.
  • Supply Chain analysis of npm package lock files now uses a proprietary parser and is available only to Semgrep Pro users.

Fixed

  • Fixed an issue where Supply Chain Autofix selected the wrong workflow when the ecosystem set from the browser did not match the ecosystem on the finding from the scan.
  • Fixed an issue where the custom dependency exception modal would not accept version numbers without a patch component, for example 1.19, blocking exceptions for packages that don't follow strict semantic versioning.
  • Fixed an issue where searching for dependencies with special characters, like :, in their names would fail with an error.
  • Fixed an issue where the Safe Upgrade Guidance filter would incorrectly include findings with no Upgrade Guidance available.
  • Fixed a security issue with the Supply Chain upgrade requirements API endpoint.
  • Fixed a security issue in the Supply Chain dependency path API endpoint.
  • Fixed requirements.txt parser silently dropping pinned dependencies that followed unpinned package names.
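A minimal requirements.txt parser illustrating the bug class in the last item above (an unpinned package name followed by pinned entries must not cause the pinned lines to be lost), as an added example in Python. It is not Semgrep's parser, and the sample file is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an unpinned name followed by pinned entries, the
# shape the changelog says the old parser mishandled (assumed layout).
SAMPLE = """\
# base tooling
requests
urllib3==2.2.1
flask>=3.0,<4   # range, not a pin
pyyaml == 6.0.1
-r other.txt
"""

@dataclass
class Requirement:
    name: str
    version: Optional[str]   # exact version when pinned with ==, else None
    spec: str                # raw specifier text, may be empty

LINE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")
PIN_RE = re.compile(r"^==\s*([A-Za-z0-9.+!*-]+)$")

def parse_requirements(text: str) -> list[Requirement]:
    """Return one Requirement per package line, pinned or not.

    Comments, blank lines and option lines (-r, --index-url, ...) are
    skipped. Every package line is kept: an unpinned name never causes
    the lines after it to be dropped.
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line or line.startswith("-"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, _extras, spec = m.group(1), m.group(2), m.group(3).strip()
        spec = re.sub(r"\s+", "", spec)       # "== 6.0.1" -> "==6.0.1"
        pin = PIN_RE.match(spec)
        out.append(Requirement(name.lower(), pin.group(1) if pin else None, spec))
    return out

def pinned(text: str) -> dict[str, str]:
    """Map package -> exact version for every '==' pin in the file."""
    return {r.name: r.version for r in parse_requirements(text) if r.version}
```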

🤖 Semgrep Multimodal

  • Semgrep Assistant is renamed Semgrep Multimodal to better reflect all its AI-powered capabilities.

Fixed

  • Fixed Suggested memories failing to load for memories created from PR and MR triage comments.

๐Ÿ” Semgrep Secretsโ€‹

Changed

  • Semgrep secret validation now times out after 30 seconds instead of 15 minutes. This timeout is configurable via the --secrets-timeout flag.

๐Ÿ“ Documentation and knowledge baseโ€‹

Changed

  • The v1 API reference now documents request bodies for POST, PUT, and PATCH operations instead of showing those inputs as query parameters. GET and DELETE behavior in the reference is unchanged.

🔧 OSS Engine