For Python users, private registries historically blocked Semgrep Supply Chain features such as dynamic dependency resolution, upgrade guidance, and autofix. Now, with Semgrep Network Broker, it's possible to reach those internal resources and use the full functionality of Semgrep Supply Chain.
The Semgrep API now supports bulk token deletion. Admin, CI, Member, and CLI tokens each have a dedicated deletion endpoint, so covering all four types takes four API calls. For teams that rotate credentials on a schedule or need to revoke access programmatically after offboarding, this replaces the previous manual, one-at-a-time workflow in the UI.
Setting up policies in Semgrep today requires navigating separate configuration for rule mode, blocking vs. monitoring, and per-branch behavior. Unified policies replaces this with a single interface that covers all three and allows more granular customization. All customers now see a migration banner on the Policies page; the migration is self-service and preserves existing behavior. Customers using the legacy policies API, webhook integrations, or the demo org will be migrated in the coming weeks.
Semgrep v1.163.0 ships parallel rule parsing and validation, better data-structure caching, a faster JSON parser, and rule pre-filtering. These changes cause p50 and p75 scan times to fall by ~25-30% (for full and diff scans) versus Semgrep v1.162.0.
Semgrep Guardian detects and resolves vulnerabilities in AI-generated code as it's written inside Claude Code, Cursor, Windsurf, Kiro, and other agentic coding tools. Additionally, we have shipped three curated rule packs: 27 AI Security rules covering prompt injection, unrestricted tool use, and data exfiltration; 122 Pro rules for malicious patterns in agent skill definitions; and 186 Shadow AI rules that surface LLM usage across a codebase. Autofix ships in public beta alongside it, reducing fix PRs for SAST and SCA findings from seven steps to four.
Teams need to know not just which dependencies are vulnerable, but how a vulnerable transitive package connects back to a direct dependency. Dependency path data is now available in two places: SBOM exports include the full dependency graph in the CycloneDX dependencies section, and the Issue API now shows which direct dependency introduced each vulnerable transitive package.
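As an added example (not Semgrep's own code) of using the dependency graph this entry describes: a small Python walker over a constructed CycloneDX `dependencies` section that answers which direct dependency pulled in a given transitive package. The package names and bom-refs are made up for the sample.

```python
import json
from collections import deque

# Constructed CycloneDX fragment (sample data, not a real Semgrep export):
# "webapp" depends directly on httpclient and webframework; sockets-lib is
# only reachable through httpclient, templating only through webframework.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:pypi/webapp@1.0.0", "name": "webapp"}},
  "components": [
    {"bom-ref": "pkg:pypi/httpclient@2.0.0", "name": "httpclient"},
    {"bom-ref": "pkg:pypi/sockets-lib@1.4.0", "name": "sockets-lib"},
    {"bom-ref": "pkg:pypi/webframework@3.0.0", "name": "webframework"},
    {"bom-ref": "pkg:pypi/templating@0.9.0", "name": "templating"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/webapp@1.0.0",
     "dependsOn": ["pkg:pypi/httpclient@2.0.0", "pkg:pypi/webframework@3.0.0"]},
    {"ref": "pkg:pypi/httpclient@2.0.0", "dependsOn": ["pkg:pypi/sockets-lib@1.4.0"]},
    {"ref": "pkg:pypi/webframework@3.0.0", "dependsOn": ["pkg:pypi/templating@0.9.0"]},
    {"ref": "pkg:pypi/sockets-lib@1.4.0", "dependsOn": []},
    {"ref": "pkg:pypi/templating@0.9.0", "dependsOn": []}
  ]
}""")


def dependency_graph(sbom):
    """bom-ref -> list of bom-refs it depends on, taken from the 'dependencies' section."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def paths_to(sbom, target_ref):
    """All paths root -> direct dependency -> ... -> target_ref (BFS; cycles are skipped)."""
    graph = dependency_graph(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    found, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            found.append(path)
            continue
        for child in graph.get(path[-1], []):
            if child not in path:  # a cycle would otherwise loop forever
                queue.append(path + [child])
    return found


def direct_dependencies_introducing(sbom, target_ref):
    """The direct dependencies (one hop below the root) through which target_ref is pulled in."""
    return sorted({p[1] for p in paths_to(sbom, target_ref) if len(p) > 1})
```

The same walk works on a Semgrep SBOM export once the root component and the vulnerable package's bom-ref are read from the finding.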
A new self-service contributors report is available on the Usage & Billing page. It lists every contributor who made commits in the last 90 days, along with contributor identity, last contribution timestamp, and the associated repository. Previously, getting this data required opening a support ticket.
Teams building automations around Semgrep findings can now pass status=provisionally_ignored as a filter in the V1 API and get the corresponding findings back. Previously, the API returned all findings regardless of triage state.
Semgrep Autofix, now in public beta, provides contextual remediation guidance, breaking change analysis, and AI-generated fix suggestions directly in pull requests.
For Semgrep Supply Chain findings, Upgrade Guidance identifies which dependency upgrades are safe and flags line-level breaking changes for complex ones. It combines first-party code analysis (how your code uses a package) with third-party code analysis (what changed between versions) via the Semgrep Pro engine, then sends results to an LLM to produce the final breaking change report. Where a safe upgrade exists, developers can generate a PR immediately.
For Semgrep Code findings, Autofix provides tailored fix suggestions using security context from Semgrep and your application's codebase. Fixes can also be triggered via API for fully automated remediation.
Read the announcement blog
Read the docs for Code and for Supply Chain
We're officially in the Cursor Plugin Marketplace. The Semgrep plugin bundles our MCP server, Hooks, and Skills to deliver SAST, supply chain, and secrets scanning on every file an agent touches.
Read the announcement blog
Install the plugin today: quickstart docs