Semgrep v1.168.0 Release Overview

TL;DR

  • New flag --x-dependency-paths for detailed supply-chain dependency paths in JSON/SARIF output.
  • Malicious supply chain rules are now explicitly labeled “Malicious” in scan summaries.
  • Core regex engine updated to libpcre2 10.x for improved performance and security.

Key Changes

This minor update to Semgrep, released on 2026-06-24, focuses on enhancing supply chain security analysis and internal infrastructure. For full details, refer to the official release notes.

Features

A new experimental flag, --x-dependency-paths, has been added to the scan and ci commands. This flag provides the full dependency path(s) for transitive supply-chain findings, enriching --json and --sarif outputs with deeper context for vulnerabilities.

Improvements

Clarity in scan analysis summaries is improved: malicious supply chain rules are now labeled “Malicious” instead of the generic “Basic.” This change makes critical security findings more immediately identifiable.

Infrastructure Updates

Semgrep’s core components, including semgrep-core, Aliengrep (generic mode), and the metavariable-regex and metavariable-comparison runtimes, have migrated from the deprecated libpcre 8.x to the maintained libpcre2 10.x regular expression library. This update ensures better long-term stability, performance, and security without altering existing matching behavior.

Impact for QA Teams

QA teams can now gain deeper insights into supply chain vulnerabilities with the new dependency path flag, improving security testing and reporting. The core engine update ensures more stable and potentially faster scans, indirectly benefiting test cycles. Clearer labeling of malicious rules aids in prioritizing security findings during analysis.