1.152.0 - 2026-02-17
### Added
- Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)
- Turned on DNS rebinding protection for the MCP server (dns-check)
- Environment variables can now be passed to third-party package managers invoked as part of `--allow-local-builds` dependency resolution via the environment variable `SEMGREP_LOCAL_BUILD_ENV`, which accepts a JSON object with string keys and string values. (SC-3163)
- Memory management policies: a memory policy defines how OCaml's garbage collector should be configured for a scan. There are two initial policies: "aggressive", the current behaviour, which trades longer scan times for lower memory use, and "balanced", which finds a middle ground between reclaiming heap memory promptly and limiting how often the garbage collector runs. The policy can be configured via the `--x-mem-policy` CLI flag for the pro engine; this flag is unused in the OSS engine. (engine-2055)
- Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@hex0punk) for the contribution! (gh-11347)
- Allows case-insensitive string comparisons using `lower()` and `upper()`, like this:
  ```yaml
  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  ```
  (gh-11502)
- Blocking findings that appear in the CI output are now labelled as such. (#4394)
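As an added illustration of the new `lower()`/`upper()` helpers (this rule is not part of the changelog or the Semgrep project; the rule id, the `jwt.decode` pattern and the target snippet are assumptions made for the example), a rule that flags a hardcoded `"none"` JWT algorithm however it is capitalised:

```yaml
# Added example, not from the changelog or the Semgrep project.
# lower() normalises the matched literal before comparison, so a single
# rule catches "none", "None" and "NONE" instead of one spelling.
rules:
  - id: jwt-decode-alg-none-case-insensitive   # assumed rule id
    languages: [python]
    severity: ERROR
    message: >-
      jwt.decode() accepts the "none" algorithm ($ALG), which disables
      signature verification. Remove it from the allowed algorithms.
    patterns:
      # Assumed target API: PyJWT's jwt.decode(token, key, algorithms=[...])
      - pattern: jwt.decode($TOKEN, ..., algorithms=[..., $ALG, ...], ...)
      # Before this release a case-sensitive check such as
      #   comparison: str($ALG) == "none"
      # would miss "None" and "NONE"; lower() removes that gap.
      - metavariable-comparison:
          metavariable: $ALG
          comparison: lower(str($ALG)) == "none"

# Constructed target file for `semgrep --test` (e.g. jwt_alg_none.py),
# using Semgrep's ruleid:/ok: test annotations:
#
#   import jwt
#   # ruleid: jwt-decode-alg-none-case-insensitive
#   jwt.decode(token, key, algorithms=["None"])
#   # ruleid: jwt-decode-alg-none-case-insensitive
#   jwt.decode(token, key, algorithms=["HS256", "NONE"])
#   # ok: jwt-decode-alg-none-case-insensitive
#   jwt.decode(token, key, algorithms=["HS256"])
```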
### Changed
- pro: There should be fewer FNs when the max number of fields to track per object is reached. (code-9224)
- Remove legacy combined symbol analysis computation and upload in favor of per-subproject symbol analysis (sc-3153)
### Fixed
- pro: Improved accuracy of taint tracking through assignments; this will help reduce FPs in some cases. (code-9220)
- When receiving a 429 or 5xx from the Semgrep app, the CLI will wait for a longer period of time before retrying the request, to spread out requests during periods of app instability. (engine-2550)