Semgrep v1.168.0 Release Overview
TL;DR
- New flag
--x-dependency-pathsfor detailed supply-chain dependency paths in JSON/SARIF output. - Malicious supply chain rules are now explicitly labeled “Malicious” in scan summaries.
- Core regex engine updated to
libpcre2 10.xfor improved performance and security.
Key Changes
This minor update to Semgrep, released on 2026-06-24, focuses on enhancing supply chain security analysis and internal infrastructure. For full details, refer to the official release notes.
Features
A new experimental flag, --x-dependency-paths, has been added to the scan and ci commands. This flag provides the full dependency path(s) for transitive supply-chain findings, enriching --json and --sarif outputs with deeper context for vulnerabilities.
Improvements
Clarity in scan analysis summaries is improved: malicious supply chain rules are now labeled “Malicious” instead of the generic “Basic.” This change makes critical security findings more immediately identifiable.
Infrastructure Updates
Semgrep’s core components, including semgrep-core, Aliengrep (generic mode), and the metavariable-regex and metavariable-comparison runtimes, have migrated from the deprecated libpcre 8.x to the maintained libpcre2 10.x regular expression library. This update ensures better long-term stability, performance, and security without altering existing matching behavior.
Impact for QA Teams
QA teams can now gain deeper insights into supply chain vulnerabilities with the new dependency path flag, improving security testing and reporting. The core engine update ensures more stable and potentially faster scans, indirectly benefiting test cycles. Clearer labeling of malicious rules aids in prioritizing security findings during analysis.
