May 2026 - Semgrep

The following updates were made to Semgrep in May 2026.

🌐 Semgrep AppSec Platform

Added an Auto-scan toggle to Settings > Source code managers so you can automatically scan every newly onboarded project for a given source code manager. See Manage projects.

Semgrep Guardian (previously Semgrep Plugin) has been renamed. The product still bundles the Semgrep MCP server, hooks, and skills for AI coding agents like Claude Code and Cursor. See Semgrep Guardian.
The Not scanning tab on the Projects page now lists archived repositories for GitHub, GitLab, and Bitbucket Data Center. Findings from archived projects continue to appear on the Findings pages. See Manage projects.
You can now grant the Semgrep GitHub app Read access to Contents (instead of Read and write) when you don’t want to give Semgrep write permissions. See SCM code access.

Semgrep now ingests CVE information and security advisories multiple times per day, with a maximum lag of one hour from upstream publication. OSV has been added as a source alongside GitHub Security Advisories and Electron release notes.
For major incidents, Semgrep’s Security Research team now ships its own advisories ahead of third-party databases. KEVs are processed the same way as other vulnerabilities.

Diff-aware scans no longer require a prior full scan to produce PR or MR comments across GitHub, GitLab, Azure DevOps, Bitbucket Cloud, and Bitbucket Data Center.