Semgrep release notes for April 2024
Semgrep AppSec Platform
Added
- The Teams feature, which provides project-level role-based access control (RBAC), is now in public beta. This feature enables you to assign members to teams, and then grant those teams access to specific projects (repositories added to Semgrep).
- Teams are crucial to large organizations with hundreds of members and projects. See Manage user access to projects.
- The Dashboard now displays the Assistant priority inbox, a list of essential tasks that Semgrep Assistant prepares for you each time you log in.
Changed
- Editor and playground: Structure mode has replaced simple mode. Try it out in the Playground. Structure mode facilitates the creation of valid Semgrep rules for both power and new users.
- Semgrep Cloud Platform has been renamed to Semgrep AppSec Platform.
- The Dashboard now has several UX improvements.
- The default Bitbucket YAML configuration file has been updated with options for full, diff, and on-demand scans.
- Improved the process of creating a GitHub Enterprise private Semgrep app.
- Settings: The Semgrep Pro Engine toggle has been renamed to Cross-file.
Fixed
Code
Added
- Added support for the QL language, which is used by CodeQL.
- Added the ability to specify multiple output flags, which allows users to write output to multiple files in multiple formats, such as SARIF and JSON. For example:

  ```sh
  # prints findings as text to standard output and writes JSON output to `findings.json`.
  semgrep ci --json-output=findings.json
  ```
- Added the ability to copy autofix suggestions displayed on the Findings page.
- Added the ability to filter findings generated by Pro rules on the Findings page.
- Added dataflow traces to the SARIF output obtained from the CLI.
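Dataflow traces in SARIF are carried in the standard SARIF 2.1.0 `codeFlows` / `threadFlows` / `locations` structure, so a reviewer can walk a finding from the tainted source to the sink without opening the web UI. The following added example (written for this page, not Semgrep's own code) parses a constructed, minimal SARIF log in that shape and prints each finding's rule, sink and ordered trace steps. The rule id, file path and snippets in the sample are invented for illustration; a real file would come from the CLI's SARIF output.

```python
import json

# Constructed sample: a minimal SARIF 2.1.0 log in the general shape the CLI
# writes, with one finding that carries a dataflow trace as a codeFlow.
# The rule id, path, line numbers and snippets are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Semgrep", "rules": [
            {"id": "example.python.sqli-string-format",
             "shortDescription": {"text": "User input reaches a SQL query"}}
        ]}},
        "results": [{
            "ruleId": "example.python.sqli-string-format",
            "level": "error",
            "message": {"text": "User input reaches a SQL query."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/views.py"},
                "region": {"startLine": 42,
                           "snippet": {"text": "cursor.execute(query)"}}}}],
            "codeFlows": [{"threadFlows": [{"locations": [
                {"location": {"physicalLocation": {
                    "artifactLocation": {"uri": "app/views.py"},
                    "region": {"startLine": 38,
                               "snippet": {"text": "name = request.args['name']"}}}}},
                {"location": {"physicalLocation": {
                    "artifactLocation": {"uri": "app/views.py"},
                    "region": {"startLine": 40,
                               "snippet": {"text": "query = build_query(name)"}}}}},
                {"location": {"physicalLocation": {
                    "artifactLocation": {"uri": "app/views.py"},
                    "region": {"startLine": 42,
                               "snippet": {"text": "cursor.execute(query)"}}}}},
            ]}]}],
        }],
    }],
})


def _loc(location):
    """Reduce a SARIF location object to (uri, startLine, snippet text)."""
    phys = location.get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "?")
    region = phys.get("region", {})
    return uri, region.get("startLine"), region.get("snippet", {}).get("text", "")


def extract_traces(sarif_text):
    """Return one record per result: rule id, level, sink location and the
    ordered dataflow steps gathered from every codeFlow/threadFlow."""
    log = json.loads(sarif_text)
    records = []
    for run in log.get("runs", []):
        for result in run.get("results", []):
            locs = result.get("locations") or []
            sink = _loc(locs[0]) if locs else ("?", None, "")
            steps = []
            for flow in result.get("codeFlows", []):
                for thread in flow.get("threadFlows", []):
                    steps.extend(_loc(tfl["location"]) for tfl in thread.get("locations", []))
            records.append({"rule": result.get("ruleId"), "level": result.get("level"),
                            "sink": sink, "steps": steps})
    return records


def format_trace(record):
    """Render a record as a source -> step -> sink listing for a triage report."""
    uri, line, _ = record["sink"]
    lines = [f"{record['rule']} [{record['level']}] at {uri}:{line}"]
    last = len(record["steps"]) - 1
    for i, (uri, line, snippet) in enumerate(record["steps"]):
        tag = "source" if i == 0 else ("sink" if i == last else "step")
        lines.append(f"  {tag:6} {uri}:{line}  {snippet}")
    return "\n".join(lines)


if __name__ == "__main__":
    for rec in extract_traces(SAMPLE_SARIF):
        print(format_trace(rec))
```

Point `extract_traces` at the text of a real SARIF file from the CLI and the same walk applies; findings without a `codeFlows` entry simply yield an empty `steps` list, which is a quick way to tell which results came from a taint rule and which from a plain pattern.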
Changed
- Cross-function (intrafile) analysis is now the default for Semgrep Code.
- Updated how Semgrep parses regex; some rules may need to be updated to comply with stricter regex standards.
Fixed
- Fixed an issue with interfile diff-aware scans where the removal of pre-existing findings didn't work properly when adding a new file or renaming an existing file.
- Fixed an issue where findings reopened after they were initially removed when the findings metadata was changed.
- Fixed an issue where bulk triage did not work.
- IDE Extensions: Semgrep waits longer for users to log in from the IDE.
- CLI:
  - Upon completion, `semgrep ci` sends a message to Semgrep AppSec Platform to mark the scan as completed.
  - Fixed an issue where `semgrep ci --oss-only` crashed when Semgrep Secrets was enabled.
Supply Chain
Changed
- Updated the ecosystem used for Elixir from Mix to Hex.
Fixed
- Fixed an issue where tooltips for conditionally reachable vulnerabilities were not being displayed.
Semgrep Assistant
Changed
- Assistant usage is now capped by an hourly rate rather than a monthly limit.
Fixed
- Fixed an issue where Assistant sent PR or MR comments for Supply Chain and Secrets findings; Assistant should only be doing so for Code findings.
Semgrep Secrets
Added
- Added a template to the Semgrep Editor to aid in writing custom rules with validators for use with Secrets. Access this template in the Editor by clicking the small (+) plus sign and then clicking HTTP validators.
Changed
- Users with access to Secrets can view the Rules > Policies > Secrets page, even if they have Secrets disabled.
Fixed
- Fixed an issue where the Secrets page filters disappeared after users selected a single filter.
- Fixed an issue where historical scanning for credentials leaked in Git commits ran on diff-aware scans instead of on full scans.
- Fixed an issue where users without access to Secrets could still see Secrets settings in Semgrep AppSec Platform.
Documentation and knowledge base
Added
- Added the following new documents:
  - Semantic detection in Java - describes how Semgrep reduces false positives through its understanding of the Java language.
  - How to scan your Git history (beta).
  - Write custom validators.
- Added two additional glossaries:
  - Static analysis and rule writing glossary
  - Semgrep Code glossary
- Added a new section for user management on Teams (beta), an access control feature that enables administrators or managers to assign projects to specific team members.
- Expanded the documentation on Semgrep Assistant's new features.
Changed
- Renamed occurrences of Semgrep Cloud Platform to Semgrep AppSec Platform.
- Edited the Semgrep FAQ for clarity and correctness.
- Renamed instances of Pro Engine to cross-file or interfile analysis.
- Rearranged documents under Semgrep Code to better reflect the user journey.
- Updated documentation on how Semgrep differentiates between Fixed and Removed statuses.
- Updated the sample Bitbucket Pipelines CI configuration file.
- Minor additions and updates:
  - How Semgrep computes user limits across multiple orgs.
  - Findings retention policy.
- The following knowledge base articles have been updated:
Fixed
- Fixed some broken links to redirect to the correct doc.
- Standardized docs URLs to omit trailing slashes.
OSS Engine
The following versions of the OSS Engine were released in April 2024: