Bump semgrep from 1.161.0 to 1.162.0

[dependabot]

Bumps semgrep from 1.161.0 to 1.162.0.

Release notes

Sourced from semgrep's releases.

Release v1.162.0

1.162.0 - 2026-05-07

### Added

• pro: Improved support for tracking taint through nested functions. (LANG-95)
• Added indexes to file targeting to improve performance of semgrepignore matching. (gh-27830)

### Changed

• Faster JSON rule parsing: rule files in JSON format now parse roughly 5x faster end-to-end (measured ~134s → ~28s on a 382MB rule pack) by going through a new hand-written RFC 8259 parser instead of the previous JS-parser-based chain. (ENGINE-2725)
• Scala projects are now identified for Supply Chain only by their root build.sbt, rather than treating each build.sbt as a different subproject. (SC-3293)
• MCP semgrep_findings tool: added a refs parameter to filter findings by branch (defaults to the primary branch when not specified), and made autotriage_verdict optional so that findings without an AI verdict can also be returned. (engine-2723)

### Fixed

• jsonnet: import and importstr now reject paths that resolve outside the rule file's parent directory. (ENGINE-2727)
• semgrep ci: redact URL-embedded credentials and Authorization header values from git error messages and from the captured tracebacks sent to the fail-open telemetry endpoint, preventing leaks of secrets like CI_JOB_TOKEN from a failed git fetch in GitLab CI. Also closes ENGINE-2731 (raw, unsanitized tracebacks in fail-open telemetry). (ENGINE-2728)
• semgrep ci no longer transmits SCM tokens to the Semgrep Platform. (ENGINE-2729)
• semgrep CLI: the on-disk log file (~/.semgrep/semgrep.log or $SEMGREP_LOG_FILE) now respects the requested log level instead of always being written at DEBUG. This narrows the surface for credentials to land on disk via CI runner filesystems or job artifacts; pass --debug to restore the previous behavior. (ENGINE-2730)
• jsonnet rules: bound recursion in both rule loading and evaluation so a malicious rule can no longer hang semgrep via mutually-recursive imports or runtime function calls that recurse forever. (ENGINE-2727-dos)
• Scala: Merging consecutive top-level package declarations into a single package path. (LANG-374)
• Fixed PHP parse errors during highly-parallel parsing. (gh-6197)
• Fixed Scala parse errors during highly-parallel parsing. (gh-6198)
• Surface a clearer error from the MCP scan tool when metrics is off and auto config is specified (gh-11649)
• Fixed unknown option error when spawning the MCP daemon (gh-11660)

Changelog

Sourced from semgrep's changelog.

1.162.0 - 2026-05-07

### Added

• pro: Improved support for tracking taint through nested functions. (LANG-95)
• Added indexes to file targeting to improve performance of semgrepignore matching. (gh-27830)

### Changed

• Faster JSON rule parsing: rule files in JSON format now parse roughly 5x faster end-to-end (measured ~134s → ~28s on a 382MB rule pack) by going through a new hand-written RFC 8259 parser instead of the previous JS-parser-based chain. (ENGINE-2725)
• Scala projects are now identified for Supply Chain only by their root build.sbt, rather than treating each build.sbt as a different subproject. (SC-3293)
• MCP semgrep_findings tool: added a refs parameter to filter findings by branch (defaults to the primary branch when not specified), and made autotriage_verdict optional so that findings without an AI verdict can also be returned. (engine-2723)

### Fixed

• jsonnet: import and importstr now reject paths that resolve outside the rule file's parent directory. (ENGINE-2727)
• semgrep ci: redact URL-embedded credentials and Authorization header values from git error messages and from the captured tracebacks sent to the fail-open telemetry endpoint, preventing leaks of secrets like CI_JOB_TOKEN from a failed git fetch in GitLab CI. Also closes ENGINE-2731 (raw, unsanitized tracebacks in fail-open telemetry). (ENGINE-2728)
• semgrep ci no longer transmits SCM tokens to the Semgrep Platform. (ENGINE-2729)
• semgrep CLI: the on-disk log file (~/.semgrep/semgrep.log or $SEMGREP_LOG_FILE) now respects the requested log level instead of always being written at DEBUG. This narrows the surface for credentials to land on disk via CI runner filesystems or job artifacts; pass --debug to restore the previous behavior. (ENGINE-2730)
• jsonnet rules: bound recursion in both rule loading and evaluation so a malicious rule can no longer hang semgrep via mutually-recursive imports or runtime function calls that recurse forever. (ENGINE-2727-dos)
• Scala: Merging consecutive top-level package declarations into a single package path. (LANG-374)
• Fixed PHP parse errors during highly-parallel parsing. (gh-6197)
• Fixed Scala parse errors during highly-parallel parsing. (gh-6198)
• Surface a clearer error from the MCP scan tool when metrics is off and auto config is specified (gh-11649)
• Fixed unknown option error when spawning the MCP daemon (gh-11660)

Commits

• f353aa4 chore: release version 1.162.0
• 46aa0f4semgrep/semgrep-proprietary#6254
• db71a66 logging: do not log debug lines to disk without --debug (semgrep/semgrep-prop...
• f6a11d7 Revert "feat(logging): always log with debug level to a file" unit test (semg...
• a77b88d Revert "logging: do not log debug lines to disk without --debug" (semgrep/sem...
• b78e3b3semgrep/semgrep-proprietary#6218
• 8506fd7 fix(mcp): allow semgrep_findings to query other branches and unrated findings...
• ffd9b97 fix: throw an MCP error when metrics are off and auto config is used (semgrep...
• 33f6e6dsemgrep/semgrep-proprietary#6241
• 89d279esemgrep/semgrep-proprietary#6217
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)