May 2026 - Semgrep

The following updates were made to Semgrep during the week of May 18, 2026.

🌐 Semgrep AppSec Platform

Auto-scan new projects: Semgrep Managed Scans can now automatically scan newly onboarded projects from a source code manager. Enable the Auto-scan toggle for each source code manager from Settings > Source code managers. See Scan management and configuration.

PR and MR comments: A full scan on the default branch is no longer required before Semgrep posts pull or merge request comments. Comments now appear as soon as a project is connected and a diff-aware scan runs. See the GitHub, GitLab, Bitbucket, and Azure DevOps PR comments guides.
Read-only code access for GitHub apps: You can now grant Read (instead of Read and write) access to the Contents permission on the Semgrep GitHub app if you want code access without granting write permissions. See Grant code access to Semgrep.

Faster CVE coverage: Semgrep now processes new CVE and security advisory information multiple times per day, with a maximum lag of one hour from upstream publication. Semgrep also ingests advisories from OSV in addition to GitHub Security Advisories and Electron release notes. For major incidents, Semgrep’s Security Research team ships advisories ahead of third-party databases. See the Supply Chain overview.

Semgrep Plugin is now Semgrep Guardian. The product previously known as Semgrep Plugin has been renamed to Semgrep Guardian. Functionality is unchanged: Guardian still bundles the Semgrep MCP server, hooks, and skills to scan code generated by AI coding agents in Claude Code, Codex, Cursor, Windsurf, VS Code, and GitHub Copilot. Existing /mcp documentation links redirect to Semgrep Guardian.

VS Code and GitHub Copilot support: The Guardian setup guide now includes dedicated instructions for installing Semgrep Guardian in VS Code (via .vscode/mcp.json or the user MCP config) and for GitHub Copilot across Visual Studio, JetBrains, Xcode, and Eclipse. See Semgrep Guardian.