Semgrep has released v1.163.0, a minor update focusing on performance and security, available since May 15, 2026. This version builds on v1.162.0, delivering key optimizations and language enhancements. For full details, refer to the official changelog.
Key Changes
Performance Improvements: This release introduces several optimizations that reduce scan startup time and overall memory usage. semgrep ci now starts faster because it no longer repeats semgrep-core rule validation during CLI rule loading, while still reporting invalid rules as config-style failures. Dependency-aware rules are now validated solely on the core side, which shortens startup further. For large rulesets, rule validation runs in parallel across multiple cores, and rule parsing likewise runs in parallel across shards on multi-core machines, so initial checks complete sooner. Rule prefiltering and parsing have also been improved, and a file-suffix issue that slowed the parsing of transitive reachability rules has been fixed. Together, these changes also reduce peak memory usage when scanning repositories with extensive rulesets.
Language Support: PHP target parsing has been updated to fully support grammar changes introduced in PHP versions 8.1 through 8.5. This ensures broader and more accurate static analysis for modern PHP applications, allowing QA teams to scan newer codebases with confidence.
Bug Fixes: Name resolution for fully-qualified names in Java, Kotlin, and Scala has been significantly improved. Because code elements are now identified correctly, rules produce fewer false positives and more true positives, giving more precise security and quality findings. A separate name resolution bug in Java (relevant for Semgrep Pro users) was also fixed, further improving accuracy.
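To show why fully-qualified name resolution matters for rule accuracy, here is an added example rule (not from the release notes or the Semgrep project itself) that flags weak hash algorithms passed to MessageDigest.getInstance; the rule id, message, and the Java snippets described in the comments are assumptions made for this illustration.

```yaml
# Added example: a Semgrep rule written with the fully-qualified
# class name java.security.MessageDigest. Matching the short form
# in target code depends on Semgrep resolving the import.
rules:
  - id: java-weak-message-digest        # assumed rule id
    languages: [java]
    severity: WARNING
    message: >-
      Weak hash algorithm passed to MessageDigest.getInstance;
      prefer SHA-256 or stronger.
    # The "..." after the algorithm string matches both the one-argument
    # form getInstance("MD5") and the two-argument form
    # getInstance("MD5", provider).
    pattern-either:
      - pattern: java.security.MessageDigest.getInstance("MD5", ...)
      - pattern: java.security.MessageDigest.getInstance("SHA-1", ...)
      - pattern: java.security.MessageDigest.getInstance("SHA1", ...)
    # Expected behaviour on a constructed Java target file:
    #
    #   import java.security.MessageDigest;
    #   ...
    #   MessageDigest md = MessageDigest.getInstance("MD5");   // match: the
    #       // import lets Semgrep resolve MessageDigest to
    #       // java.security.MessageDigest, so the short call matches
    #       // the fully-qualified pattern.
    #   java.security.MessageDigest.getInstance("SHA-1");      // match
    #   MessageDigest.getInstance("SHA-256");                  // no match
    #
    # If the file instead imported a same-named class from another
    # package (e.g. com.example.MessageDigest), the short call should
    # resolve to that class and not match; imprecise resolution is
    # exactly what produced false positives and missed findings before.
    metadata:
      category: security
      note: added illustrative rule, not shipped with Semgrep
```

Run it with `semgrep --config java-weak-message-digest.yaml Example.java`, where the YAML file holds the rule above and Example.java holds the constructed snippet.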
Impact for QA Teams
QA teams will benefit from significantly faster feedback loops due to reduced scan startup times, allowing for quicker integration into CI/CD pipelines and more rapid iteration. The improved accuracy in Java, Kotlin, and Scala, along with expanded PHP support, means more reliable static analysis results. This helps identify critical security and quality issues earlier in the development cycle, reducing remediation costs and improving overall code quality.
FAQ
Q: What is the main focus of Semgrep v1.163.0?
A: The primary focus is on significant performance improvements in scan startup and rule processing, alongside enhanced language support for PHP and Java.
Q: How does this update benefit semgrep ci users?
A: semgrep ci users will experience significantly faster startup times due to optimized rule validation, parallel processing of rules, and reduced overhead.
Q: Are there any changes for Java, Kotlin, or Scala projects?
A: Yes, name resolution for fully-qualified names is improved, leading to more accurate findings with fewer false positives and more true positives in these languages.
