chore(deps): update pre-commit hook returntocorp/semgrep to v1.169.0#179
Open
alma-renovate-bot[bot] wants to merge 1 commit into
Open
chore(deps): update pre-commit hook returntocorp/semgrep to v1.169.0#179alma-renovate-bot[bot] wants to merge 1 commit into
alma-renovate-bot[bot] wants to merge 1 commit into
Conversation
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
June 12, 2025 04:08
a8a37f1 to
11dea91
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
June 18, 2025 20:07
11dea91 to
ba1915d
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
June 24, 2025 20:06
ba1915d to
82722c1
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
July 4, 2025 00:05
82722c1 to
75800c1
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
August 10, 2025 00:09
75800c1 to
edde821
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
August 15, 2025 00:08
edde821 to
712caf0
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
August 22, 2025 20:05
712caf0 to
1ede29d
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
August 28, 2025 09:11
1ede29d to
0cc31bf
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
September 4, 2025 00:06
0cc31bf to
2d8200f
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
September 10, 2025 00:05
2d8200f to
064c66c
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
September 19, 2025 00:06
064c66c to
fe6760b
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
September 25, 2025 16:05
fe6760b to
f756173
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
October 1, 2025 04:05
f756173 to
edb1108
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
October 20, 2025 00:06
edb1108 to
139883e
Compare
|
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
January 11, 2026 00:10
365b6bb to
a13fef8
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
January 18, 2026 04:12
a13fef8 to
6530753
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
January 25, 2026 00:11
6530753 to
d91355f
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
February 2, 2026 00:10
d91355f to
d003098
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
February 7, 2026 20:12
d003098 to
c36e032
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
February 21, 2026 04:07
c36e032 to
86b7ef4
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
March 1, 2026 00:12
86b7ef4 to
04e2df4
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
March 7, 2026 20:06
04e2df4 to
f375765
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
March 15, 2026 00:07
f375765 to
9c5f3b4
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
April 13, 2026 12:04
9c5f3b4 to
ddc3c9b
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
April 14, 2026 00:06
ddc3c9b to
996b024
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
April 19, 2026 20:10
996b024 to
be1f350
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
April 26, 2026 00:06
be1f350 to
4ac8e86
Compare
alma-renovate-bot
Bot
force-pushed
the
renovate/tools-and-pre-commit
branch
from
May 10, 2026 16:08
4ac8e86 to
796c3ab
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR contains the following updates:
v1.103.0→v1.169.0v1.170.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Note: The
pre-commitmanager in Renovate is not supported by thepre-commitmaintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.Release Notes
returntocorp/semgrep (returntocorp/semgrep)
v1.169.0Compare Source
1.169.0 - 2026-07-08
### Infra/Release Changes
v1.168.0Compare Source
1.168.0 - 2026-06-24
### Added
--x-dependency-pathsflag toscanandcithat includes the full dependency path(s) for transitive supply-chain findings in--jsonand--sarifoutput. (SC-3547)### Changed
### Infra/Release Changes
metavariable-regexandmetavariable-comparison(re.match()) runtimes now use the maintained libpcre2 10.x library instead of the deprecated libpcre 8.x. Matching behavior is unchanged. (eval-generic-pcre2)v1.167.0Compare Source
1.167.0 - 2026-06-17
### Added
nosemgrep_disabledfield to the scan configuration so the platform can disablenosemgrepinline ignore comments org-wide for a scan. (APPEX-1122)etc.) during scanning by default, detected via matching file extensions
to known file-format magic bytes Pass
--no-exclude-binary-filestoscan binary files as before. (ENGINE-2708)
### Fixed
semgrep ciwith--sarifnow correctly populates the output'signoresfield with nosemgrep-suppressed findings, in accordance with other output
formatters. (gh-6651)
### Infra/Release Changes
Updated the
ocaml-tree-sitter-coresubmodule to the latest upstreammain, providing(ocaml-tree-sitter-core-bump)
v1.166.0Compare Source
1.166.0 - 2026-06-11
### Added
### Fixed
0x_dead_beef,0o_755,0b_1010_1010). (LANG-533)defandclassdefinitions. (LANG-536)~/.semgrep/settings.yml's storedtoken when the current scan's token is supplied via the
SEMGREP_APP_TOKENenvvar. (SEC-2240)
semgrep ciscans originating from a pre-commit hook will no longer fail withUnable to create '<tmp>/.git/index.lock': Not a directoryin certain cases. (engine-2736)### Infra/Release Changes
v1.165.0Compare Source
1.165.0 - 2026-06-03
### Added
--max-match-context-sizeoption to limit the number of characters of source code included as context for each match in the output. This prevents matches in minified files (e.g., minified JavaScript where the entire file is a single line) from producing enormous output Set to 0 for unlimited, which is the default value. (ENGINE-2117)### Changed
--x-no-python-schema-validationwith a value-taking--x-rule-validation=full|core-only|noneflag. The default (full) preserves existing Python rule validation behavior;core-onlymatches the old flag's semantics (disables Python rule validation and uses semgrep-core RPC validation only);noneskips both pre-validation passes, surfacing rule errors at scan-time.--x-no-python-schema-validationis still accepted as a no-op with a deprecation warning, and will be removed in a future release. (x-rule-validation)### Fixed
validation_errorresults on HTTP secret validators (Facebook, Slack, Stripe, Google, Cloudflare, etc.) by retrying transient network failures, mirroring the retry behavior already present for AWS validators. (SCRT-965)v1.164.0Compare Source
1.164.0 - 2026-05-26
### Added
$X as T) andmetavariable-type,metavariable binding inside string interpolations, and function-definition
patterns that match Dart function definitions. (gh-11678)
### Changed
>=2.35to>=2.34, allowing users on distrosthat ship glibc 2.34 (e.g RHEL 9 & AL2023) to install the semgrep wheel. (gh-11622)
### Fixed
Baseline diff scans (
semgrep ciand--baseline-commit) no longer treat every finding on a file as newly introduced when rule(s) failed during the baseline run.Per-rule failures (for example a timeout for a single rule) on baseline analysis now hide only that rule's matches on that file from the "new vs baseline" comparison.
Other rules on the same file are still taken in comparison for the "new vs baseline" comparison.
Per-file, rule-independent failures now hide all findings on that file from the "new vs baseline" comparison. (LANG-515)
Fixed a yarn.lock parse error on Yarn Berry entries written
in YAML explicit-key form. Affected lockfiles previously failed to parse. (SC-3479)
The (beta) SBT resolver with
--allow-local-buildsnow correctly identifies dependencies as part of the Maven ecosystem. (SC-3522)Fix
--sarif-outputand--sarifcausing nosemgrep-suppressed findings to be reported in CLI scan output and to block scans. Suppressed findings are now correctly excluded from terminal text output, the scan-summary count, and the CLI's exit code. (engine-1824)Fixed a bug that could cause unreliable target filtering in parallel scans. (gh-6313)
Dart: improved parser fidelity for Dart 3 grammar features and routed
pattern parsing for statements beginning with
await,rethrow, and otherstatement keywords. Eliminates a large class of
PartialParsingerrors onreal-world pub.dev packages. (gh-11678)
### Infra/Release Changes
semgrep-core-proprietaryso the binary works whensemgrep install-semgrep-prois invoked, andsemgrepis installed via Homebrew. (pro-binary-homebrew)<case>.named_ast.expectgolden files fortests/intrafile/maturity/fixtures, exercised byUnit_maturity_named_asts. (LANG-287)v1.163.0Compare Source
1.163.0 - 2026-05-13
### Added
### Changed
semgrep cistartup time with App-provided rules by avoiding duplicate semgrep-core rule validation during CLI rule loading while preserving config-style failures for invalid rules. (ci-rule-validation-startup)### Fixed
file written for each transitive-reachability RPC call is JSON content
(
json.dumps([rule.raw])) but was being created with a.yamlsuffix.OCaml's
Parse_rule.parse_filedispatches purely on file extension, so thisrouted every TR rule through
Yaml_to_generic.parse_yaml_file(the slow YAMLpath) instead of
Fast_json.parse_program(the new hand-written RFC 8259parser). Switching the suffix to
.jsonlines the suffix up with the actualcontent and lets every TR rule parse take the fast path. (tr-json-suffix)
v1.162.0Compare Source
1.162.0 - 2026-05-07
### Added
### Changed
semgrep_findingstool: added arefsparameter to filter findings by branch (defaults to the primary branch when not specified), and madeautotriage_verdictoptional so that findings without an AI verdict can also be returned. (engine-2723)### Fixed
importandimportstrnow reject paths that resolve outside therule file's parent directory. (ENGINE-2727)
Authorizationheadervalues from git error messages and from the captured tracebacks sent to
the fail-open telemetry endpoint, preventing leaks of secrets like
CI_JOB_TOKENfrom a failedgit fetchin GitLab CI. Also closesENGINE-2731 (raw, unsanitized tracebacks in fail-open telemetry). (ENGINE-2728)
semgrep cino longer transmits SCM tokens to the Semgrep Platform. (ENGINE-2729)~/.semgrep/semgrep.logor$SEMGREP_LOG_FILE) now respects the requested log level instead of always being written at DEBUG. This narrows the surface for credentials to land on disk via CI runner filesystems or job artifacts; pass--debugto restore the previous behavior. (ENGINE-2730)malicious rule can no longer hang semgrep via mutually-recursive
importsor runtime function calls that recurse forever. (ENGINE-2727-dos)
v1.161.0Compare Source
1.161.0 - 2026-04-22
### Added
### Fixed
details remain available when running with
SEMGREP_LOG_SRCS=cohttp.client. (ENGINE-2712)v1.160.0Compare Source
1.160.0 - 2026-04-16
### Added
### Fixed
other non-BMP Unicode characters. (gh-6070)
schema validation, alongside details of the failure. (gh-6071)
v1.159.0Compare Source
1.159.0 - 2026-04-10
### Fixed
v1.158.0Compare Source
1.158.0 - 2026-04-09
### Added
--no-x-run-taint-onceas a flag. (engine-2468)### Changed
requirement of glibc version 2.35. (manylinux-wheel-tag)
of musl libc version 1.2. (musllinux-wheel-tag)
SEMGREP_DISABLE_CONFIG_DOWNLOAD_V2=1to fall back to the legacy endpoint. (SMS-2284)### Fixed
codeFlows. (engine-2570)v1.157.0Compare Source
1.157.0 - 2026-03-31
### Added
$C.getInstance(...), and thenuse
metavariable-typeon$Cto check its type. (LANG-271)### Changed
### Fixed
metavariable-type. (LANG-271)v1.156.0Compare Source
1.156.0 - 2026-03-17
### Changed
### Fixed
semgrep ciwhen run in a git repo with no remote origin set (gh-11342)v1.155.0Compare Source
1.155.0 - 2026-03-11
### Added
### Changed
Removed the experimental and undocumented command
semgrep install-ci. (osemgrep-install-ci)Migrate from publishing a single Linux wheel with the platform tag
musllinux_1_0_<arch>.manylinux2014_<arch>to publishing two separate wheels:(pypi-linux-tag)
### Fixed
engine no longer spawns more OCaml domains than we have items to process. This
assists with resource utilisation. (engine-2588)
--secrets-timeoutflag. (engine-2593)v1.154.0Compare Source
1.154.0 - 2026-03-04
### Fixed
semgrep ciwith--debugand no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when--debugwas active. (ENGINE-2491)noticably improve; however, scans may use 5-10% additional memory. If running
in a resource-constrained environment, consider setting the memory policy back
to "aggressive". (engine-2055)
-j) (engine-2512)line (e.g.
semgrep scan $(git ls-files '*.py')) caused one semgrep-coresubprocess to be spawned per file. Roots that are not directories are now
handled directly in Python without any subprocess overhead. (gh-11404)
v1.153.0Compare Source
1.153.0 - 2026-02-25
### Added
for-yield(LANG-193)### Fixed
be considered at the same scope, e.g.
v1.152.0Compare Source
1.152.0 - 2026-02-17
### Added
Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)
Turned on DNS rebinding protection for the MCP server (dns-check)
Environment variables can now be passed to third-party package managers invoked as part of
--allow-local-buildsdependency resolution via the environment variableSEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)Memory management policies
A memory policy defines how OCaml's garbage collector should be configured for
a scan. There are two initial policies: "aggressive", the current behaviour,
which trades longer scan times for lower memory use, and "balanced", which
finds a middle ground between reclaiming heap memory in short order while
limiting how often the garbage collector runs. The policy can be configured
via the
--x-mem-policyCLI flag for the pro engine; this flag is unused inthe OSS engine. (engine-2055)
Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@hex0punk) for the contribution! (gh-11347)
Allows case insensitive string comparisons using lower() and upper() like this:
(gh-11502)
Blocking findings that are outputted in the CI output are now labelled as such. (#4394)
### Changed
is reached. (code-9224)
### Fixed
reduce FPs in some cases. (code-9220)
longer period of time before retrying the request, to spread out requests
during periods of app instability. (engine-2550)
v1.151.0Compare Source
1.151.0 - 2026-02-04
Added
Fixed
glomto at least version23.3, which includes a fix to aSyntaxWarningwarning log. (gh-11460)
v1.150.0Compare Source
1.150.0 - 2026-01-29
Added
Changed
pipenvtouvfor./clipackage management (uv)Fixed
-alphain1.2.3-alpha. (sc-3001)v1.149.0Compare Source
1.149.0 - 2026-01-21
Added
value for -j/--jobs than the number of CPUs we detect the host has made
available to Semgrep. Additionally, a suggested starting value for -j/--jobs
is reported to give the user a place to start tuning their scan. (saf-2474)
Changed
Fixed
the cost of re-hashing
Targetobjects. Performance should improve onlarge repo scans proportionally to the number of files in the repo. (gh-5407)
semgrep cino longer applies autofixes to disk, even when the "Suggest autofixes" toggle in the app is enabled. (saf-2446)v1.148.0Compare Source
1.148.0 - 2026-01-14
Added
significantly slowed down by the presence of Git-untracked files
resulting in faster diff scans in such cases. (sc-subproject-speedup)
Fixed
errors should be adequately reported back to users and in the JSON output. (code-9216)
v1.147.0Compare Source
1.147.0 - 2026-01-07
Added
gradle*.lockfileare now supported. Previously, only lockfiles named exactlygradle.lockfilewere supported. (SC-2999)semgrep loginnow supports a--forceflag, which ignores existing tokens and starts a new login session. The MCP setup workflow has been updated to use--forcetoo. (saf-2392)Fixed
findings were always equivalent, but not guaranteed to be exactly the same
(e.g. metavariable bindings could differ). Depending on the rule and target code,
this could cause findings' fingerprints to change from one scan to another, thus
leading to finding flakiness and "cycling" in Semgrep App. Note that when
upgrading to this Semgrep version, you may see different (but equivalent) findings
wrt your current Semgrep version in the first scan, one more time. However, in
subsequent scans/upgrades, this problem should go away or at least be greatly
reduced. (saf-2304)
v1.146.0Compare Source
1.146.0 - 2025-12-17
Added
record-file-editandstop-cli-scansemgrep mcp flags (cursor-hooks)skipped_pathsfield to CI scan results to report files that failed to scan due to errors (timeout, OOM, etc.), preventing the app from incorrectly marking findings in those files as fixed (gh-5122)semgrep ci. (sc-2927)Changed
mcppython-sdk from1.16.0to1.23.3(mcp-version)analysis in
semgrep ciregardless of app settings is now possible with--x-enable-transitive-reachability(or--x-tr)and
--x-disable-transitive-reachability. (tr-flags)Fixed
v1.145.0Compare Source
1.145.0 - 2025-12-04
Added
Changed
Fixed
let ... inexpressions in OCaml is now reported. Previously, the location of theletwas omitted. This is mainly relevant for autofix. (ocaml-let)Semgrep's managed scanning environment are not emitted if a scan runs outside
that environment. (saf-2321)
v1.144.0Compare Source
1.144.0 - 2025-11-19
Fixed
available CPUs on the system is polled as part of a heuristic to determine how
many threads should be spawned. (gh-4952)
v1.143.0Compare Source
1.143.0 - 2025-11-12
Added
more instances. (code-9141)
domains, rather than the legacy fork-join approach. Users can opt into the
legacy method with the
--x-parmapCLI flag, and this deprecates the--x-eioflag (since it is now the default behaviour). (saf-2271)
-k/ --hookflag to enable Semgrep scans via Claude Code Agent post-tool hooks (saf-2279)Fixed
semgrep scanorsemgrep ci, the progress bar now always ends at 100%. (SAF-2079)analysis (e.g., some branches being misordered, especially when matching
multiple variables against non-integer literal patterns). (code-9144)
accurately match the () type in a
typedeclaration. (gh-11283)v1.142.0Compare Source
1.142.0 - 2025-10-30
Added
matchexpressions in Scala. In examples liketainttox. (code-9085)case $M -> ... :? ... +& test +& ... => ...patterns. (code-9131)Fixed
--allow-local-buildsis passed. (SC-2899)v1.141.0Compare Source
1.141.0 - 2025-10-23
Added
$M -> ... / $X / ...patterns (code-9114)Fixed
Functions in some languages, such as Ruby and Scala, can return a value without an explicit
returnstatement.More expressions, such as string interpolation, are now correctly identified as implicitly returned. (code-9101)
@), soe.g.
case $X @​ ... => ...is now a valid pattern. (code-9130)v1.140.0Compare Source
1.140.0 - 2025-10-16
Added
case 1 => ...to easily matchindividual case clauses within a match-expression. (code-9118)
3.14support. (gh-11250)setup_semgrep_mcpnow supports Claude Code. (saf-2261)Changed
Fixed
0.5for1.0d, and Rust literals like0.5f32or1.0f64would fail to parse and could not be compared. (gh-7968)when the show subcommand fails due to an invalid CLI token. (grow-630)
semgrep/semgrepimages should now contain golangv1.24instead ofv1.23(saf-2240)persisted after a semgrep scan. (saf-2257)
the MCP with the
streamable-httptranport method. (saf-2264)v1.139.0Compare Source
1.139.0 - 2025-09-30
Added
hence producing extra findings. For example, in Java,
list.add(taint)will nowmake
listtainted even if the rule does not explicitly request that. Scan timesshould not be generally affected in a significant way. (code-9103)
{ ... }to match partial functions like{ case 1 => "1" }. (code-9106)dockerfilelanguage (gh-11091)Changed
configparameter from thesemgrep_scantools, to preventagents from inserting unwanted config files to scan with. (saf-2258)
Fixed
{ case ... => ... }patterns. (code-9111)$X > 1 or $Y > 1 or $Z > 1would previously always evaluate tofalse. Now, it will behave as expected. (gh-11209)semgrep_scantool, when invoking the RPC-basedscanning approach, would return JSON output not consistent with the CLI tool. (saf-2250)
semgrep_findingstool now gives a suitable error message when erring dueto insufficient permissions on standard
semgrep logintokens. (saf-2254)the Semgrep Pro Engine installation step would be ignored. (saf-2259)
v1.138.0Compare Source
1.138.0 - 2025-09-25
Added
Changed
taint labels. This allows for the generation of more specific conditions than
the previously released version (v1.133.0). (code-9097)
Fixed
SEMGREP_APP_TOKENfrom any request made to non semgrep URLspassed to
-f/-c/--configduring config/rules fetching. (gh-11016)var $X = $FUNC($REQ, $RES, ...) {...}no longer fails to parse. (saf-2159)
tsconfig.jsonmatching for Typescript projectsthat contain multiple
tsconfig.jsons. (saf-2163)v1.137.0Compare Source
1.137.0 - 2025-09-17
Added
semgrep mcpsubcommand, which runs the Semgrep MCP server, which previouslyused to live at https://github.com/semgrep/mcp. That repository will be deprecated
as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)
Changed
Fixed
\#and\in glob patterns found inSemgrepignore and included Gitignore files. (fix-glob-escape)
pkg_resources is deprecatedwarning by bumping opentelemetry-*packages (gh-11069)
v1.136.0Compare Source
1.136.0 - 2025-09-09
No significant changes.
v1.135.0Compare Source
1.135.0 - 2025-09-03
No significant changes.
v1.134.0Compare Source
1.134.0 - 2025-08-27
Added
v1.133.0Compare Source
1.133.0 - 2025-08-22
Added
interfile rules earlier in the process when we determine they cannot match in a
given scan, which should improve performance. (code-8524)
Fixed
newin some cases. (code-9047)ensure keys for match-based IDs are stable. (gh-4459)
nanas well as some moreobscure cases that were interpreted as a float instead of a string. This
might affect any area of Semgrep that deals with YAML files containing
the string
nan. (yaml-float-parsing)v1.132.0Compare Source
1.132.0 - 2025-08-14
Added
taint_assume_safe_booleansthe return values ofboolval,is_bool, and||will be considered safe.When enabling
taint_assume_safe_numbersthe return values ofintval,floatval,+,-,*,/and%will also be considered safe. (php)took to complete will now be visible in the debug logs. (#2130)
from indefinitely hanging the engine. (#4295)
Changed
Fixed
IDE. They still log, but will no longer be displayed via UX. (saf-2193)
outstanding validators executing at a given time. (#2130)
v1.131.0Compare Source
1.131.0 - 2025-07-30
Fixed
path rather than the entire internal structure representation. This allows for
more succinct log files and no longer introduces mid-entry newlines, which can
break log-parsing tooling. (gh-4315)
Sign incommand (saf-2151)SemgrepErrorexception is raised and causessemgrepto fail. (silent-semgrep-error)v1.130.0Compare Source
1.130.0 - 2025-07-23
Fixed
Also includes changes from the canceled 1.129.0 release
Added
A warning is now printed for each exclude or include pattern found in rules
that is considered ambiguous (
paths.exclude,paths.include).Currently, a pattern that contains a middle slash such as
src/*.cis considered floating or unanchored by our implementation. In order to
be compliant with Gitignore and Semgrepignore,
src/*.cshould be treated as anchored. Since many programmers are unaware of this
subtlety in the Gitignore specification, Semgrep now prints a warning asking
the user to lift the ambiguity. A user will now be asked to
change their pattern
src/*.cinto either/src/*.c(anchored) or**/src/*.c(floating). This clarifies the expected behavior for readersof Semgrep rules and will avoid problems when Semgrep rules adopt
the Gitignore/Semgrepignore behavior. (rule-paths-middle-slash-patterns)
Secrets: Validation for AWS credentials which failed due to possibly transient
reasons is now retried (3 attempts max). (scrt-917)
Fixed
semgrep scanin a docker container without an argumentand no target project was mounted under
/src,instead of a silent exit with code 2, a helpful error message is
now printed before exiting. (docker-mount-error)
paths.exclude,paths.include) now apply tonormalized file paths relative to the project root. This makes rule selection
independent from the current work folder.
Patterns with a leading slash such as
/srcare now anchored insteadof being floating. For example,
exclude: [ "/src" ]will exclude the targetfile
src/main.cbut no longer excludesmisc/src/main.c. (rule-paths-leading-slash-patterns)Unix.Unix_errorwould occasionally crash the experimental language serveron startup. (saf-2133)
get_targetsendpoint.Previously, scanning large repos with the debug flag significantly ballooned
the size of the output log. (saf-2145)
v1.128.0Compare Source
[1.128.0](
Configuration
📅 Schedule: (UTC)
* * * * 0,6)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.