Bump semgrep from 1.162.0 to 1.163.0#67

Merged
github-actions[bot] merged 1 commit into main from dependabot/pip/semgrep-1.163.0 on May 14, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github May 14, 2026

Bumps semgrep from 1.162.0 to 1.163.0.

Changelog

Sourced from semgrep's changelog.

1.163.0 - 2026-05-13

### Added

  • Updated PHP target parsing to support grammar changes from PHP 8.1-8.5 (LANG-380)

### Changed

  • Improved semgrep ci startup time with App-provided rules by avoiding duplicate semgrep-core rule validation during CLI rule loading while preserving config-style failures for invalid rules. (ci-rule-validation-startup)
  • Semgrep now validates dependency aware rules only on the core side, improving startup time (validate-skip-dep-aware)
  • Rule validation now runs in parallel across cores on large rulesets, reducing scan startup time. (gh-6279)
  • Rule parsing now runs in parallel across shards on multi-core machines, reducing scan startup time on large rulesets. (gh-6281)

### Fixed

  • Improved name resolution for fully-qualified names in Java, Kotlin, and Scala. This could lead to fewer false positives and more true positives when the code under analysis uses fully-qualified names instead of imports. (java-qualified)
  • Optimised rule prefiltering and parsing to improve engine startup time. (rule-parse-cache)
  • Reduced peak memory usage when scanning repos with large rulesets. (rules-json-compact)
  • Fixed transitive reachability rule parsing performance: the temporary rule file written for each transitive-reachability RPC call is JSON content (json.dumps([rule.raw])) but was being created with a .yaml suffix. OCaml's Parse_rule.parse_file dispatches purely on file extension, so this routed every TR rule through Yaml_to_generic.parse_yaml_file (the slow YAML path) instead of Fast_json.parse_program (the new hand-written RFC 8259 parser). Switching the suffix to .json lines the suffix up with the actual content and lets every TR rule parse take the fast path. (tr-json-suffix)
  • Pro: Fixed a naming resolution bug in Java. (LANG-274)
Commits
  • edd208b chore: release version 1.163.0
  • db2be62 semgrep/semgrep-proprietary#6316
  • c942ce5 fix: move Java synthetic getter generation to AST layer (LANG-274) (semgrep/s...
  • 832bf21 infra(ci): bump anthropics/claude-code-action to v1.0.119 (semgrep/semgrep-pr...
  • de18b7e chore: update CODEOWNERS for code-pa -> languages (semgrep/semgrep-proprietar...
  • e4d1596 fix(interfaces): add back semgrep-interfaces.opam file (semgrep/semgrep-pro...
  • 5f78fd4 fix(mcp): stop sending all rules as part of metrics (semgrep/semgrep-propriet...
  • 384de6c semgrep/semgrep-proprietary#6266
  • 6050606 perf(parsing): cache parsed xpatterns across rules (semgrep/semgrep-proprieta...
  • 376ef4c SharedMemo: add ?should_cache predicate to memo entry points (semgrep/semgrep...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [semgrep](https://github.com/semgrep/semgrep) from 1.162.0 to 1.163.0.
- [Release notes](https://github.com/semgrep/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.162.0...v1.163.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-version: 1.163.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) May 14, 2026
@github-actions github-actions Bot merged commit a6b952b into main May 14, 2026
2 checks passed
@dependabot dependabot Bot deleted the dependabot/pip/semgrep-1.163.0 branch May 14, 2026 05:45