
Semgrep

INFRA · APIS
Velocity: 5.0

Fast, open-source static analysis for finding bugs and security issues.

Semgrep grinds forward on language coverage and Pro taint-engine performance

static-analysis · sast · taint-tracking · language-support · performance · developer-tooling
Current state
Semgrep's recent releases are a steady stream of language-parser improvements (Dart typed metavariables, PHP 8.5, Scala 3.4 traits, Kotlin grammar) paired with sustained performance work on the Pro interfile taint engine and rule parsing, including 5x faster JSON rule loading in 1.162.0. Output and infra controls also got attention, like a configurable match-context cap for minified files.
Where it's heading
The direction is breadth (more languages parsed accurately) and depth (faster, more precise cross-file taint analysis in the Pro engine). The recent interfile taint redesign and parallelized taint-config computation point to scaling Pro scans on large codebases as the priority.
Prediction
Expect continued per-language parser upgrades and further Pro taint-engine performance and precision work.

Recent moves

  1. 4d ago

    v1.165.0: cap match context for minified files

    Adds --max-match-context-size to stop minified single-line files from producing enormous output, and replaces a Python schema-validation flag with a more granular --x-rule-validation control.

  2. 12d ago

    v1.164.0: Dart typed metavariables, cgroup-aware memory

    Brings Dart typed metavariables and function-definition patterns into the language set and makes Pro interfile scan memory limits adapt to the container's cgroup instead of a fixed 5 GiB ceiling.

  3. 23d ago

    v1.163.0: PHP 8.5 parsing, faster CI startup

    Updates PHP parsing for the 8.1-8.5 grammar and trims semgrep ci startup time by skipping duplicate rule validation, part of the steady language-coverage-plus-performance pattern.

  4. 1mo ago

    v1.162.0: 5x faster JSON rule parsing, better taint

    Lands a hand-written RFC 8259 JSON parser that makes rule-file parsing roughly 5x faster end-to-end, alongside improved Pro taint tracking through nested functions, advancing the scale-on-large-codebases goal.

  5. 1mo ago

    v1.161.0: Scala 3.4 trait parameters parsed

Adds correct parsing of Scala 3.4+ trait parameters and stops logging HTTP request URLs above debug level, a small language-coverage and hygiene release.

  6. 1mo ago

    v1.160.0: Scala tree-sitter parser, variadic taint

    Introduces a tree-sitter Scala parser with pfff fallback and improves Pro taint support for variadic functions, plus a fix for parsing rules containing non-BMP Unicode.

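The taint-engine work in 1.160.0 and 1.162.0 (variadic functions, nested functions) is easier to picture against a concrete taint-mode rule. The rule below is an added example for this page, not code from the Semgrep project or its release notes; the rule id, message, and the Flask-style target shape it assumes (`request.args[...]` as the source, `os.system` / `subprocess.run(..., shell=True)` as the sink) are illustrative choices, not anything the releases reference.

```yaml
# Added example (not from the page or the Semgrep project): a taint-mode rule
# showing the source -> sanitizer -> sink structure the taint engine evaluates.
rules:
  - id: example-tainted-os-command        # assumed id, for illustration only
    mode: taint
    languages: [python]
    severity: ERROR
    message: >
      User-controlled request data reaches a shell command sink without
      passing through shlex.quote().
    # Sources: values read from a Flask-style request object (assumed target shape).
    pattern-sources:
      - pattern: request.args[...]
      - pattern: request.form[...]
    # Sanitizers: shlex.quote() neutralises shell metacharacters for these sinks,
    # so a flow that passes through it is not reported.
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    # Sinks: only the command argument is the sink, so a tainted value used
    # elsewhere in the call (e.g. a timeout) does not produce a finding.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: os.system($CMD)
              - pattern: subprocess.run($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
```

Run with `semgrep --config rule.yaml target.py`. Against a function that does `os.system(request.args["cmd"])` in one place, the open-source engine reports the flow, since it tracks taint within a single function. When the tainted value is instead passed into a helper, for example `handler()` calling `run_cmd(cmd)` which in turn calls `os.system(cmd)`, following it across the call (and across files) is the cross-function, interfile analysis that the Pro engine provides and that these releases tune; the nested-function and variadic improvements noted above are refinements of exactly that propagation step.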