Semgrep v1.162.0, released on 2026-05-07, brings notable performance and security enhancements relevant to modern QA and development workflows. This minor update focuses on faster scans and on hardening how the CLI handles credentials.

Key Changes

Performance & Efficiency: A major highlight is roughly 5x faster JSON rule parsing. Rule files in JSON format are now processed significantly faster (e.g., 134s down to 28s for a 382MB rule pack), thanks to a new hand-written RFC 8259 parser. Additionally, semgrepignore matching performance has improved through added indexes.

Security & Privacy: Several critical fixes enhance security:

  • semgrep ci now redacts URL-embedded credentials and Authorization header values from git error messages and captured tracebacks, preventing leaks of secrets like CI_JOB_TOKEN.
  • SCM tokens are no longer transmitted to the Semgrep Platform by semgrep ci.
  • The semgrep CLI log file (~/.semgrep/semgrep.log) now respects the requested log level, so verbose output that may contain credentials is no longer written to disk unless that level was asked for.
  • jsonnet rule imports (import, importstr) now reject paths that resolve outside the rule file's parent directory, and import recursion is bounded to prevent denial-of-service.
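The two hardening behaviours above, credential redaction of captured git output and confinement of jsonnet-style imports with a depth bound, are illustrated below in a small added example. This is illustrative code written for this summary, not Semgrep's own implementation; the function names (redact_secrets, resolve_import, collect_imports, classify_rule_pack), the sample git error text, the token-looking placeholder values and the in-memory import graphs are all constructed here.

```python
"""Defender-side illustrations of two Semgrep v1.162.0 fixes (not Semgrep's code):
1. scrubbing URL-embedded credentials and Authorization header values from
   captured error text before it is logged or sent anywhere;
2. resolving jsonnet-style imports relative to the importing file, rejecting
   anything that lands outside the root rule directory, and bounding depth.
"""
import posixpath
import re

# --- 1. Credential redaction --------------------------------------------------

# Constructed sample of what a failing git call can print in CI when the remote
# URL embeds a job token. Token values are made-up placeholders, not real secrets.
SAMPLE_GIT_ERROR = (
    "fatal: unable to access "
    "'https://gitlab-ci-token:glcbt-EXAMPLEONLY@gitlab.example.com/org/repo.git/': "
    "The requested URL returned error: 403\n"
    "error: request failed with header Authorization: Bearer eyJ.EXAMPLE.ONLY\n"
    "hint: CI_JOB_TOKEN may have expired"
)

# "user[:password]@" directly after a URL scheme such as https://
_URL_CRED_RE = re.compile(r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)[^/@\s]+@")
# "Authorization: <scheme> <value>" or "Authorization: <value>", case-insensitive
_AUTH_HEADER_RE = re.compile(r"(?i)(authorization:\s*)(?:(basic|bearer|token)\s+)?\S+")


def redact_secrets(text: str) -> str:
    """Replace URL credentials and Authorization header values with [REDACTED]."""
    text = _URL_CRED_RE.sub(r"\g<scheme>[REDACTED]@", text)
    text = _AUTH_HEADER_RE.sub(
        lambda m: m.group(1) + ((m.group(2) + " ") if m.group(2) else "") + "[REDACTED]",
        text,
    )
    return text


# --- 2. Confined, depth-bounded import resolution -----------------------------

MAX_IMPORT_DEPTH = 32  # assumed bound for this example


def resolve_import(importing_file: str, import_path: str, root_dir: str) -> str:
    """Resolve import_path relative to importing_file; reject escapes from root_dir.

    This is a lexical check (normpath). A loader working on a real filesystem
    should also resolve symlinks before comparing, so a link placed inside
    root_dir cannot point outside it.
    """
    base = posixpath.dirname(importing_file) or "."
    candidate = posixpath.normpath(posixpath.join(base, import_path))
    rel = posixpath.relpath(candidate, root_dir)
    if rel == ".." or rel.startswith("../"):
        raise ValueError(f"import {import_path!r} resolves outside {root_dir}")
    return candidate


def collect_imports(rule_file: str, imports_of: dict, max_depth: int = MAX_IMPORT_DEPTH) -> list:
    """Depth-first walk of the import graph rooted at rule_file.

    imports_of maps a file path to the import strings it contains (an in-memory
    stand-in for reading the files). Every edge is confined to the root rule
    directory, and a chain deeper than max_depth raises RecursionError, which is
    what stops self-referential or deliberately deep import chains.
    """
    root_dir = posixpath.dirname(rule_file) or "."

    def walk(current: str, depth: int) -> list:
        if depth > max_depth:
            raise RecursionError(f"import chain deeper than {max_depth} at {current}")
        found = []
        for imp in imports_of.get(current, []):
            target = resolve_import(current, imp, root_dir)
            found.append(target)
            found.extend(walk(target, depth + 1))
        return found

    return walk(rule_file, 0)


def classify_rule_pack(rule_file: str, imports_of: dict) -> str:
    """Summarise how a rule pack's imports fare: 'ok', 'escape' or 'too-deep'."""
    try:
        collect_imports(rule_file, imports_of)
    except ValueError:
        return "escape"
    except RecursionError:
        return "too-deep"
    return "ok"


# Constructed in-memory import graphs standing in for rule files on disk.
GRAPH_OK = {
    "/rules/main.jsonnet": ["lib/helpers.libsonnet"],
    "/rules/lib/helpers.libsonnet": [],
}
GRAPH_ESCAPE = {
    "/rules/main.jsonnet": ["../outside.libsonnet"],
}
GRAPH_CYCLE = {
    "/rules/main.jsonnet": ["lib/loop.libsonnet"],
    "/rules/lib/loop.libsonnet": ["../main.jsonnet"],  # cycles back to the root file
}

if __name__ == "__main__":
    print(redact_secrets(SAMPLE_GIT_ERROR))
    for name, graph in (("ok", GRAPH_OK), ("escape", GRAPH_ESCAPE), ("cycle", GRAPH_CYCLE)):
        print(name, "->", classify_rule_pack("/rules/main.jsonnet", graph))
```

The redaction runs on the captured text before it reaches a log file or a traceback report, which is the same ordering the fix describes: the secret never leaves the process boundary in cleartext. For the import check, the confinement is against the root rule file's directory rather than each importing file's own directory, so a library file in a subdirectory may still import a sibling of the root; the depth bound is deliberately a hard limit rather than a visited-set, since a visited-set alone would not stop a long non-cyclic chain.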

New Features & Improvements:

  • Semgrep Pro users benefit from improved support for tracking taint through nested functions.
  • Scala project identification for Supply Chain analysis is more accurate, now identifying projects by their root build.sbt.
  • The MCP semgrep_findings tool gains a refs parameter for branch filtering and makes autotriage_verdict optional.

Fixes: Resolved parse errors for PHP and Scala during highly-parallel parsing, along with other minor fixes for Scala package declarations and MCP tool behavior.

Impact for QA Teams

QA teams will see faster static analysis scans, particularly with large JSON rule sets, leading to quicker feedback in CI/CD pipelines. The credential-handling fixes reduce the risk of secrets such as CI job tokens leaking through error output, logs or platform uploads during automated testing. Improved taint tracking through nested functions gives more precise detection for Pro users.

Official Source

For full details, refer to the Semgrep v1.162.0 release notes.