Semgrep Supply Chain’s new Dependency Graph empowers AppSec engineers to secure their software with greater efficiency. By combining the new Dependency path visualization and an enhanced lockfile workflow, it eliminates blind spots, reduces manual research, and speeds up prioritization and remediation.
The Dependency path visualization maps all dependencies—direct and transitive—showing exactly where vulnerabilities exist, even across multiple layers and paths. For package managers without standardized lockfiles, such as Maven and Gradle (the package managers covered in this product update), Semgrep reconstructs dependency trees to surface vulnerabilities.
These updates make onboarding and scanning repositories faster and more adaptable, regardless of workflow. Dependency Graphs are now in beta; please reference our announcement blog post for more details.
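To make the "direct and transitive, across multiple paths" idea concrete, here is a small added example (not Semgrep's code, and not how its Dependency Graph is implemented) that reconstructs a dependency tree from `mvn dependency:tree` output and lists every path from the application to a given artifact. The Maven output is constructed for this illustration; the artifact names and versions are sample values.

```python
import re
from typing import Dict, List

# Constructed sample of `mvn dependency:tree` output (sample coordinates, not real findings).
MAVEN_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.11:compile
[INFO] +- com.example:internal-lib:jar:2.0:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.11:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.11:compile
"""

# Maven draws each tree level with a three-character prefix: '+- ', '\- ', '|  ' or '   '.
PREFIX_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\ -]*)(?P<coord>\S+)")


def parse_maven_tree(text: str) -> Dict:
    """Build a nested tree from dependency:tree output.

    Each node is {"id": "group:artifact:version", "children": [...]}; the
    depth of a line is the length of its drawing prefix divided by three.
    """
    root: Dict = {}
    stack: List[Dict] = []  # stack[d] is the most recently seen node at depth d
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        group, artifact, _packaging, version, *_scope = m.group("coord").split(":")
        node = {"id": f"{group}:{artifact}:{version}", "children": []}
        if depth == 0:
            root = node
            stack = [node]
        else:
            stack = stack[:depth]  # pop back to this node's parent level
            stack[-1]["children"].append(node)
            stack.append(node)
    return root


def dependency_paths(root: Dict, group_artifact: str) -> List[List[str]]:
    """Return every root-to-node path whose final node is group_artifact (any version)."""
    paths: List[List[str]] = []

    def visit(node: Dict, path: List[str]) -> None:
        path = path + [node["id"]]
        if node["id"].rsplit(":", 1)[0] == group_artifact:
            paths.append(path)
        for child in node["children"]:
            visit(child, path)

    visit(root, [])
    return paths


def classify(paths: List[List[str]]) -> Dict[str, List[List[str]]]:
    """Split paths into direct (root -> artifact) and transitive (one or more hops between)."""
    return {
        "direct": [p for p in paths if len(p) == 2],
        "transitive": [p for p in paths if len(p) > 2],
    }


if __name__ == "__main__":
    tree = parse_maven_tree(MAVEN_TREE)
    for kind, found in classify(dependency_paths(tree, "org.apache.commons:commons-lang3")).items():
        for p in found:
            print(kind, " -> ".join(p))
```

The point of enumerating every path rather than the first one is remediation: a vulnerable transitive dependency that is reachable through two parents is not fixed by upgrading one of them, and the direct declaration (the third path above) is the only one the application's own build file controls.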
We are excited to announce that Semgrep Supply Chain now has dataflow reachability coverage for Scala and Swift; users will now be able to see complete reachable and unreachable results in their Supply Chain findings.
With these two languages, we now officially support full dataflow reachability for 10 languages, which reduces noise attributed to false positives by as much as 98%, saving hours of developer time so they can focus on the most impactful security risks.
Read the announcement blog post for more information.
Customers will now be able to see a "Teams" filter on the reporting page under "Filters". There is a new RBAC setting (on by default) that only shows users reporting data from the teams that they are part of, and a new multi-select filter allows users to select which of their teams to include.
Admins will of course have access to all teams.
Happy scanning!
Developers are now able to specify triage reasons (false positive, acceptable risk, and other) in the PR comment flow, and AppSec teams can now filter findings based on these reasons in the Semgrep UI.
Developers will be able to access the following PR commands in GitHub, and all instructions will be clearly provided to developers as part of the PR comment:
/fp <comment>: triage a finding to ignored with the triage reason "false positive"
/ar <comment>: triage a finding to ignored with the triage reason "acceptable risk"
/other <comment>: triage a finding to ignored with the triage reason recorded as "No triage reason"
Note: These three commands replace the previous /semgrep ignore functionality.
/open: re-open a finding
Note: This is the same as the previous /semgrep open functionality.
/remember <comment>: add an Assistant memory
Note: This is the same as the previous /semgrep remember functionality.
Please note that all previous commands are still supported for backwards compatibility. For example, the previous commands /semgrep ignore, /semgrep open, and /semgrep remember will continue to be available, and developers may continue to use them.
Support is currently limited to GitHub, but is coming soon for GitLab customers!
Kotlin in your codebase now gets reachability analysis with Semgrep Supply Chain. Added to our coverage in partnership with our customers and users, Kotlin becomes the eighth language to receive reachability on our supply chain platform.
Read the announcement blog post for more information.
We’re excited to announce revamped reporting capabilities in Semgrep, which bring increased levels of clarity to your production backlog, developer engagement levels, and overall security posture. Along with recently released views of secure guardrails adoption, these new capabilities give AppSec teams more visibility than ever before into the security metrics that matter for their teams.
Check out the docs or read the announcement blog post.
We’ve supercharged Semgrep Code’s Python support with new, framework-specific analysis capabilities. The engine now tracks implicit data flows in popular frameworks like Django, FastAPI, and Flask, providing accurate detection of impactful security issues (OWASP Top Ten) for nearly 100 common Python libraries.
For most SAST products, framework coverage starts and ends with rule support. Semgrep Code now has framework-specific analysis capabilities built into the engine, meaning it can reason about Python source code in the context of specific frameworks. This ensures that implicit flows are captured and analyzed effectively.
As a result, benchmarks show an 84% true positive rate for our updated Python support. For benchmark details, or to learn more about our new framework coverage in Python, read the announcement blog!
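The "implicit data flow" being described is worth seeing in code. In a Flask handler, nothing in the function body reads the request: the framework binds the URL segment to the `user_id` parameter before the function runs, so a checker that does not know Flask's conventions has no reason to treat that parameter as attacker-controlled. The following added example (not Semgrep's engine or rules) is a deliberately small AST-based checker that models exactly that one framework fact, treating parameters of `@app.route`-decorated functions as tainted sources and flagging `.execute()` calls whose query expression is built from them. The three handlers in `SAMPLE` are constructed for the illustration; `cursor` is assumed to be a database cursor and is never executed.

```python
import ast
from typing import List, Set, Tuple

# Constructed sample (not from the page): two Flask routes and one plain helper.
SAMPLE = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/user/<user_id>")
def show_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    cursor.execute(query)          # vulnerable: user_id is bound from the URL by Flask
    return "ok"

@app.route("/user_safe/<user_id>")
def show_user_safe(user_id):
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))  # parameterized
    return "ok"

def load_user(user_id):
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
    return "ok"
'''


def is_route_handler(func: ast.FunctionDef) -> bool:
    """True if the function carries a Flask-style @<obj>.route(...) decorator."""
    for dec in func.decorator_list:
        if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                and dec.func.attr == "route"):
            return True
    return False


def names_in(node: ast.AST) -> Set[str]:
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def find_sql_injection(source: str) -> List[Tuple[str, int]]:
    """Return (function_name, line) for each .execute() call whose query expression
    depends on a framework-bound (implicitly tainted) route parameter."""
    tree = ast.parse(source)
    findings: List[Tuple[str, int]] = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef) or not is_route_handler(func):
            continue  # framework knowledge: only route handlers get URL-bound params
        # Implicit sources: every parameter of a route handler comes from the request URL.
        tainted = {a.arg for a in func.args.args}
        for stmt in func.body:
            # Propagate taint through simple assignments (x = f"...{tainted}...").
            if isinstance(stmt, ast.Assign) and names_in(stmt.value) & tainted:
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in ast.walk(stmt):
                if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                        and call.func.attr == "execute" and call.args):
                    continue
                query = call.args[0]
                if isinstance(query, ast.Constant):
                    continue  # constant query text with bound parameters is the safe form
                if names_in(query) & tainted:
                    findings.append((func.name, call.lineno))
    return findings


if __name__ == "__main__":
    for name, line in find_sql_injection(SAMPLE):
        print(f"{name}: query built from a URL-bound parameter at line {line}")
```

Only `show_user` is reported. `show_user_safe` passes the value as a bound parameter, and `load_user` has the same body as the vulnerable handler but is not a route, so nothing on the page tells the checker its argument is user-controlled; it is that second distinction, made from framework conventions rather than from the function body, that a framework-unaware dataflow engine cannot make.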
We've launched SCM support for Azure DevOps Cloud (ADOC) and Bitbucket Data Center (BBDC)!
Users can now self-serve these SCMs by navigating to Settings > SCM and clicking the corresponding button. Users can also test the connection to ensure it has been set up correctly.
What features are supported?
PR Comments (Semgrep Code)
We’ve introduced Semgrep Code PR comments for both Azure DevOps Cloud and Bitbucket Data Center.
This includes both inline comments and unanchored comments for individual and grouped findings, respectively.
PR Comments (Semgrep Supply Chain - license violations)
These are now available for both Azure DevOps and Bitbucket Data Center, ensuring developers will always use compliant dependencies.
Hyperlinks in the findings UI
Finding hyperlinks for both Azure DevOps and Bitbucket Data Center work across all parts of the findings UI (commit URL, branch URL, line of code URL, etc.).
The findings experience for both ADOC and BBDC is now at parity with other supported SCMs.
Semgrep’s updated Jira integration brings AI-generated remediation guidance directly to developers in Jira tickets. Additionally, Semgrep scans can now automatically trigger ticket creation for high-priority issues, reducing manual workload for vulnerability tracking and triage.
Check out the docs or read the announcement blog post.
You can now sort projects by name and last scan time on the projects page. This gives teams more visibility into scans and coverage across repositories (particularly for organizations using Semgrep managed scanning) so they can better troubleshoot failing scans or just get an overview of scan cadence.
Note that scans that were never completed currently appear before the latest scans; in a future update these projects will appear at the bottom of the list.