
Releases: semgrep/semgrep-interfaces

Release v1.137.0

18 Sep 23:39
f276866

1.137.0 - 2025-09-17

Added

  • pro: typescript: Improved name resolution for destructuring parameters. (code-9088)
  • Added a new semgrep mcp subcommand, which runs the Semgrep MCP server, which previously
    used to live at https://github.com/semgrep/mcp. That repository will be deprecated
    as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)

Changed

  • Update semgrep-interfaces to only accept valid language keys for editor (PR-4600)

Fixed

  • Fix incorrect interpretation of \# and \ in glob patterns found in
    Semgrepignore and included Gitignore files. (fix-glob-escape)
  • Removed pkg_resources is deprecated warning by bumping opentelemetry-*
    packages (gh-11069)
  • Fixes an issue in Dart language processing to return better results (gh-11173)
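As an added illustration (not Semgrep's own code), a minimal gitignore-style line parser in Python that applies the escape rules the glob fix above restores: `\#` at the start of a line is a literal hash rather than a comment marker, and `\ ` keeps a trailing space that would otherwise be trimmed. Negation (`!`) and directory anchoring are left out; the sample lines and file names are constructed.

```python
import re
from typing import Optional

# Added example, not Semgrep's own code: a minimal gitignore-style line parser
# showing the escapes the fix is about. A backslash escapes the next character:
# "\#" at line start is a literal '#' (not a comment), "\ " keeps a trailing
# space. Negation ('!') and directory anchoring are deliberately left out.

def parse_ignore_line(line: str) -> Optional[re.Pattern]:
    """Compile one pattern line to a regex; None for blank lines and comments."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.startswith("#"):
        return None
    # Trailing spaces are dropped unless the last one is backslash-escaped.
    while line.endswith(" ") and not line.endswith("\\ "):
        line = line[:-1]
    parts, i = [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            parts.append(re.escape(line[i + 1]))  # escaped char is literal
            i += 2
            continue
        if c == "*":
            parts.append("[^/]*")  # glob star: anything except '/'
        elif c == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("".join(parts))

def is_ignored(pattern_line: str, name: str) -> bool:
    """True if a bare file name is matched by the given ignore line."""
    rx = parse_ignore_line(pattern_line)
    return rx is not None and rx.fullmatch(name) is not None

if __name__ == "__main__":
    # Constructed .semgrepignore lines and file names (not from the page).
    checks = [
        ("#secrets.txt", "#secrets.txt", False),   # comment: ignores nothing
        ("\\#secrets.txt", "#secrets.txt", True),  # escaped: literal '#'
        ("notes\\ ", "notes ", True),              # escaped trailing space kept
        ("notes   ", "notes", True),               # unescaped spaces trimmed
        ("\\*.log", "*.log", True),                # literal asterisk
        ("\\*.log", "app.log", False),
    ]
    for pat, name, want in checks:
        assert is_ignored(pat, name) == want, (pat, name)
```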

Release v1.136.0

09 Sep 22:21
85c728e

1.136.0 - 2025-09-09

No significant changes.

Release v1.135.0

03 Sep 20:25
85c728e

1.135.0 - 2025-09-03

No significant changes.

Release v1.134.0

27 Aug 23:59
a08dc2f

1.134.0 - 2025-08-27

Added

  • pro: First version of inter-file (whole-program) analysis for Scala. (code-9029)

Release v1.133.0

22 Aug 17:27
232d8c4

1.133.0 - 2025-08-22

Added

  • Pro: improved prefiltering for interfile rules. This allows the engine to skip
    interfile rules earlier in the process when we determine they cannot match in a
    given scan, which should improve performance. (code-8524)
  • Semgrep will now display emotional support ASCII art and a backtrace, with function
    names and sometimes file names and line numbers, when it segfaults or receives
    other similar critical signals. (pretty-segv)

Fixed

  • Pro: Fixed a bug that prevented taint tracking through new in some cases. (code-9047)
  • We now substitute metavariables for their values in a deterministic order to
    ensure keys for match-based IDs are stable. (gh-4459)
  • Fixed incorrect YAML parsing of strings like nan as well as some more
    obscure cases that were interpreted as a float instead of a string. This
    might affect any area of Semgrep that deals with YAML files containing
    the string nan. (yaml-float-parsing)

Release v1.132.0

14 Aug 21:27
7f4eda2

1.132.0 - 2025-08-14

Added

  • PHP: When the option taint_assume_safe_booleans is enabled, the return values of
    boolval, is_bool, and || are considered safe.
    When taint_assume_safe_numbers is enabled, the return values of intval,
    floatval, +, -, *, / and % are also considered safe. (php)
  • When performing secrets validation, the amount of time that the HTTP request
    took to complete will now be visible in the debug logs. (#2130)
  • Introduces a timeout to internal HTTP requests, to prevent remote endpoints
    from indefinitely hanging the engine. (#4295)

Changed

  • Pro scans will no longer attempt to parse tsconfig files for non-typescript scans. (gh-4407)

Fixed

  • Language server: Errors that occur while using the IDE no longer pop up.
    They are still logged, but are no longer displayed in the UI. (saf-2193)
  • When validating the results of a secrets scan, do not have more than 256
    outstanding validators executing at a given time. (#2130)

v1.132.1

14 Aug 23:16
98893da

Full Changelog: v1.132.0...v1.132.1

Release v1.131.0

31 Jul 07:40
3ce3539

1.131.0 - 2025-07-30

Fixed

  • Semgrep diff scans can now query the app for which merge base to use. This fixes the issue where some diff scans on shallow clones would use the wrong merge base, and do a diff scan on commits not in a PR. (better-merge-base)
  • Fix a bug where an empty file could be created in place of a missing input file. This bug had been introduced in Semgrep 1.115.0. (dont-create-missing-input-files)
  • When processing a target with debug logging enabled, we now only log the target
    path rather than the entire internal structure representation. This allows for
    more succinct log files and no longer introduces mid-entry newlines, which can
    break log-parsing tooling. (gh-4315)
  • Language server: Fixed a bug which broke the Sign in command (saf-2151)
  • CiScanComplete.dependencies is now populated with parsed dependencies (sc-2468)
  • Print error details when a SemgrepError exception is raised and causes semgrep to fail. (silent-semgrep-error)

Release v1.130.0

24 Jul 03:16
aa4b895

1.130.0 - 2025-07-23

Fixed

  • Fix the Python parser to correctly handle and parse valid structural dictionary patterns. (gh-11100)

Release v1.128.0

03 Jul 20:22
80fa4d2

1.128.0 - 2025-07-03

Added

  • HTTP{,S}_PROXY=... now accepts URIs without a scheme (e.g. HTTP_PROXY=domain.com:port) (saf-2082)

Fixed

  • Java: Deprecated the partial class pattern `class $A` in favor of
    `class $A { ... }`. (safe-2104)