Key Changes
Semgrep v1.165.0, released on 2026-06-03, introduces several updates focusing on output control, rule validation, and scan reliability, categorized under Performance and Security.
A significant addition is the --max-match-context-size option. This allows users to limit the number of characters of source code included as context for each match in the output. This feature is particularly useful for preventing excessively large outputs from matches found in minified files, such as minified JavaScript, where an entire file might exist on a single line. By default, the value is 0, meaning unlimited context.
The --x-no-python-schema-validation flag has been replaced by the more granular --x-rule-validation flag, which accepts full, core-only, or none and gives finer control over how rules are validated before a scan. The default, full, preserves the existing Python-side rule validation. The old flag is deprecated but still accepted as a no-op that prints a warning; it is slated for removal in a future release, so CI scripts that pass it should migrate now. Separately, the parser grammar for Python targets has been updated (LANG-201).
Fixes in this version extend metavariable-comparison so that bit shift operators are accepted in comparison expressions, alongside the arithmetic and bitwise operators already supported (ENGINE-2448). Secret scanning reliability has also improved: intermittent validation_error results from HTTP secret validators (for example Facebook, Slack, Stripe, Google and Cloudflare) are reduced by retrying on transient network failures, mirroring the retry behavior the AWS validators already had (SCRT-965). A retry reduces but does not eliminate such errors, so findings that still carry validation_error remain inconclusive rather than confirmed invalid.
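The following rule is an added illustration of the bit shift support in metavariable-comparison; it is not taken from the Semgrep changelog or from the Semgrep rule registry. It assumes that the comparison expression accepts Python-style operators (the page names arithmetic, bitwise and, now, shift operators) and that an octal literal bound to $MODE is evaluated as an integer; the rule id, message and the chmod use case are my own choices for the example.

```yaml
# Added example rule (not part of the Semgrep project): flag os.chmod()
# calls whose literal mode sets the world-writable bit. S_IWOTH is 0o002,
# written here as a shift so the rule exercises the new operator support
# in metavariable-comparison (ENGINE-2448).
rules:
  - id: example-chmod-world-writable-via-shift
    languages: [python]
    severity: WARNING
    message: >-
      os.chmod() is called with mode $MODE, which sets the world-writable
      bit; any local user can then modify the file.
    metadata:
      category: security
      # Assumption: CWE reference chosen for the example, not from the page.
      cwe: "CWE-732: Incorrect Permission Assignment for Critical Resource"
    patterns:
      - pattern: os.chmod($PATH, $MODE)
      - metavariable-comparison:
          metavariable: $MODE
          # (1 << 1) == 0o002 == S_IWOTH. Parenthesised so the bitwise AND is
          # evaluated before the inequality, as in Python precedence.
          comparison: ($MODE & (1 << 1)) != 0
```

Against a target file containing `os.chmod(p, 0o666)` the rule is expected to report a finding, while `os.chmod(p, 0o644)` is not matched because bit 1 is clear. When scanning a tree that also holds minified assets, run it as `semgrep --config rule.yaml --max-match-context-size 200 .` so that a match inside a single-line bundle does not inflate the report with the whole file; `--x-rule-validation core-only` or `none` can be added while iterating on the rule if the Python-side validation gets in the way, at the cost of weaker checking of the rule file itself.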
For full details, refer to the official changelog.
Impact for QA Teams
QA engineers tracking SAST tool updates will find direct value in these changes. The new --max-match-context-size option keeps scan reports readable and quick to review in projects that ship minified assets, where a single match could otherwise drag an entire one-line bundle into the output. The secret scanning fix means fewer findings end up in the inconclusive validation_error state because of a transient network failure, so fewer secrets need manual re-validation and the valid/invalid verdicts in a report can be trusted more. The --x-rule-validation options give teams that write or debug their own Semgrep rules finer control over how strictly rule files are checked before a scan runs.
