← Back to all sparks
S

Semgrep

INFRA · APIS
Velocity5.0

Fast, open-source static analysis for finding bugs and security issues.

Semgrep grinds out weekly gains in language coverage, scan speed, and supply-chain depth

sastsupply-chainstatic-analysisperformancesecrets
Current state
Semgrep is on a steady weekly release train dominated by language-parser fidelity (Dart, Scala, PHP, Python, Java), engine startup and scan performance, and supply-chain plus secrets tooling. Recent releases added transitive dependency-path reporting, binary-file skipping by default, and configurable rule validation, alongside repeated hardening against credential leaks in CI output and telemetry.
Where it's heading
The direction is incremental breadth and speed rather than new product surface: more languages parsed accurately, faster rule loading and parsing, and deeper Pro interfile taint analysis. Supply-chain reachability and secrets validation keep getting attention, signaling those remain the commercial focus over the open-source CLI.
Prediction
Expect continued weekly point releases extending interfile and taint analysis to more languages and further trimming scan startup time; no single release in view signals a directional shift.

Recent moves

  1. 20h ago

    Dart parser updated to a newer upstream version

    Infra release bumping the Dart parser to a newer upstream version — part of Semgrep's routine language-grammar maintenance, no user-visible behavior change.

    View source ↗
  2. 15d ago

    Transitive supply-chain dependency paths; libpcre2 replaces libpcre

    Adds an experimental flag exposing full transitive dependency paths for supply-chain findings, relabels malicious-package rules as 'Malicious', and completes the migration off deprecated libpcre 8.x to libpcre2. Continues the supply-chain and engine-hygiene investment.

    View source ↗
  3. 22d ago

    Skips binary files by default; org-wide nosemgrep control

    Skips binary files by default via magic-byte detection, adds org-wide control over nosemgrep inline ignores, and extends constant-propagation folding to more operators. Incremental scan-quality and governance gains.

    View source ↗
  4. 28d ago

    Experimental cross-file taint for Gosu; parsing and token fixes

    Adds experimental Pro cross-file taint tracking for Gosu, plus parsing fixes across Python and radix-prefixed integer literals and a fix so the API token is no longer stored when supplied via env var. Deepens interfile analysis and tightens credential handling.

    View source ↗
  5. 1mo ago

    Match-context size limit and configurable rule validation

    Introduces a match-context size limit to keep minified-file output manageable and replaces the old validation flag with a configurable full/core-only/none rule-validation option. Ergonomics and output-control refinements.

    View source ↗
  6. 1mo ago

    Dart typed metavariables; cgroup-aware memory for Pro scans

    Adds Dart typed metavariables and interpolation matching, makes Pro interfile-scan memory limits adapt to cgroup limits instead of a fixed ceiling, lowers the glibc requirement to reach RHEL 9 and AL2023, and fixes baseline-diff false positives. Broad usability and correctness work.

    View source ↗