Semgrep v1.157.0, released on 2026-03-31, focuses on performance and security enhancements, particularly for Pro users. This minor update refines static analysis capabilities and addresses several parsing issues.

Key Changes

Features & Enhancements:

  • Improved Taint Tracking (Pro): Enhanced accuracy for taint tracking through lambda calls and better cross-file tracking for globals (LANG-268, LANG-275).
  • Advanced Metavariable-Type Matching: $C.getInstance(...) now allows metavariable-type checks on $C to verify its type (LANG-271).
  • New npm Lock File Parser (Pro): Supply Chain Analysis for npm package lock files now uses a proprietary OCaml-based parser, replacing the older Python version. This functionality is now exclusive to Semgrep Pro users (gh-5658).
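As an added illustration of the metavariable-type change above (this rule is not from the release notes or the Semgrep project), the following Java rule uses the new check on the receiver $C of a $C.getInstance(...) call. It assumes that metavariable-type accepts the fully qualified class name javax.crypto.Cipher and that the weak-algorithm list below is only a constructed sample.

```yaml
rules:
  - id: weak-cipher-transformation
    languages: [java]
    severity: WARNING
    message: >-
      Cipher.getInstance() is requested with a weak or legacy algorithm ($ALG).
      Prefer an authenticated mode such as AES/GCM/NoPadding.
    patterns:
      # getInstance(...) is a very common factory name in Java
      # (Calendar, KeyStore, MessageDigest, Cipher, ...). Without a type
      # check on $C this pattern would flag all of them; the new
      # metavariable-type support on $C restricts it to javax.crypto.Cipher.
      # The trailing "..." accepts the optional provider argument.
      - pattern: $C.getInstance($ALG, ...)
      - metavariable-type:
          metavariable: $C
          type: javax.crypto.Cipher   # assumed: FQN accepted here
      # Constructed sample list of weak transformations; extend as needed.
      - metavariable-regex:
          metavariable: $ALG
          regex: '(?i)(DES|DESede|RC2|RC4|Blowfish)'
```

With this rule, Cipher.getInstance("DES/CBC/PKCS5Padding") is reported while KeyStore.getInstance("PKCS12") is not, because only the first receiver resolves to javax.crypto.Cipher.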

Performance:

  • Optimized Inter-File Taint Analysis (Pro): Reduces redundant recomputation by serializing intermediate results to disk, speeding up analysis (ENGINE-2582).

Fixes & Stability:

  • Improved Error Reporting: Errors during target file discovery (e.g., permission issues) are now surfaced as warnings instead of being silently ignored (ENGINE-2627).
  • Parsing Corrections: Addressed issues in Rust parsing (the &raw operator), Kotlin fully qualified names (FQNs) in metavariable-type, requirements.txt parsing that dropped pinned dependencies, and Python parsing of empty strings and quotes (rust-parser-updated, LANG-271, SC-3379, gh-11287).
  • Rule Path Filtering: Fixed paths.include/paths.exclude filtering when scanning single files, ensuring full project-relative paths are used (gh-11560).
  • Stability: Prevented segfaults from deeply nested aliengrep matches (engine-2628).
  • Scala & Golang Improvements (Pro): Better type and call resolution in Scala, and improved Golang module resolution (lang-79, lang-80, code-9225).

For a complete list of changes, refer to the official Semgrep v1.157.0 release notes.

Impact for QA Teams

This update provides QA teams with more accurate static analysis results, particularly for security-focused taint analysis in complex codebases. Improved error reporting during file discovery means fewer silently missed files, enhancing scan reliability. Pro users benefit from faster and more precise supply chain analysis and inter-file taint tracking, leading to more efficient vulnerability detection workflows.