Merge branch 'main' into armchairlinguist/triage-by-comment-support

Author: khorne3

docs/deployment/deployment-checklist.md

@@ -318,7 +318,7 @@ Semgrep requires the following permissions (scopes) to enable the authentication
 
 The [Semgrep Network Broker](/docs/semgrep-ci/network-broker) facilities secure access with Semgrep, and its use can replace the allowlisting of the IP addresses required for ingress. The Network Broker, however, only facilitates requests from Semgrep to your network and *doesn't* assist with requests originating from your network, including those from your network to Semgrep.
 
-In other words, the only address you would have to allow inbound is `wireguard.semgrep.dev` on UDP port `51820`, but depending on how restrictive your network is, you may need to modify your allowlist to include the egress IP addresses provided in [IP addresses](#ip-addresses).
+In other words, the only address you would have to allow inbound is `wireguard.semgrep.dev` on UDP port `51820`, or your tenant's equivalent. Depending on how restrictive your network is, you may also need to modify your allowlist to include the egress IP addresses provided in [IP addresses](#ip-addresses).
 
 #### Features that require inbound network connectivity
 

docs/deployment/manage-projects.md

@@ -8,6 +8,8 @@ tags:
  - Semgrep AppSec Platform
 ---
 
+import DeleteAProject from "/src/components/procedure/_delete-a-project.md"
+
 # Manage projects
 
 View, sort, and tag your projects through the **Projects** page. Refer to this page to manage and troubleshoot thousands of repositories by identifying scan issues or scans with a high number of findings.
@@ -91,3 +93,9 @@ See the following pages for more information:
 - For Semgrep Managed Scans users: [configure your scans](/deployment/managed-scanning/overview).
 - [Set a primary branch](/deployment/primary-branch).
 - [Set tags](/semgrep-appsec-platform/tags).
+
+## Delete a project
+
+Deleting a project removes all of its findings, metadata, and other records from Semgrep AppSec Platform.
+
+<DeleteAProject />

docs/index.md

@@ -128,14 +128,16 @@ See the [Supported languages](/supported-languages#language-maturity-summary) do
 </div>
 -->
 
-<h3>November 2025 release notes summary</h3>
+<h3>December 2025 release notes summary</h3>
 <!-- 5-7 bullets across the product suite -->
 
-- **Cortex** and **Sysdig** integrations are now generally available. Semgrep now uses deployment status and, for Cortex, internet-exposure data from these CNAPP providers to better prioritize findings.
-- Malicious dependency detection is now generally available. Semgrep detects malicious packages, including malware, typosquatting, and credential-stealing dependencies, using over 80,000 rules.
-- Assistant now automatically analyzes **all new Critical and High-severity findings** with **Medium or High confidence** in full scans, removing the previous 10-issue limit.
-- The **Settings > General** tab now displays all Semgrep product settings on a single page.
+- Added a new **Priority** tab on **Findings** page to display high-priority findings. Each product has default priority categories, and Semgrep admins can customize the **Priority** tab to control which findings appear. Admins can save **Priority** tab filters for all users.
+- Added a new **Provisionally ignored** finding status.
+- Semgrep Secrets findings are now assigned a severity of **Critical**. This applies to Secrets findings from scans performed after November 2025. Any existing findings from those rules will be updated to **Critical** after the project's next full scan.
+- Pull request comments for findings generated using Semgrep-authored rules now include Assistant-generated explanations to help developers understand the findings. The summary message can be expanded to show additional details.
+- Added support for Cursor post-generation hooks, enabling Semgrep to integrate with Cursor workflows after code generation.
+- The **Findings** page now has improved navigation and more intuitive links. The code path now opens the finding's **Details** page, and an in-product tour introduces the new layout.
 
 [See the latest release notes <i class="fa-solid fa-arrow-right"></i>](/release-notes)
 
-<div style={{textAlign: 'right'}}>[<i class="fa-solid fa-rss"></i> Subscribe to RSS feed ](https://semgrep.dev/docs/release-notes/rss.xml)</div>
+<div style={{textAlign: 'right'}}>[<i class="fa-solid fa-rss"></i> Subscribe to RSS feed ](https://semgrep.dev/docs/release-notes/rss.xml)</div> 

docs/mcp.md

@@ -51,7 +51,7 @@ This article includes instructions for setting up the MCP server with Cursor and
     semgrep --version
     ```
 
-1. Log in to Semgrep and install Semgrep Pro
+1. Log in to Semgrep and install Semgrep Pro:
 
     ```
     semgrep login && semgrep install-semgrep-pro
@@ -96,21 +96,27 @@ This article includes instructions for setting up the MCP server with Cursor and
     ```bash
     semgrep --version
     ```
+3.  Start a new Claude Code instance in the terminal:
+    ```bash
+    claude
+    ```
 
-3. Sign in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:
+4.  Add the Semgrep marketplace to Claude:
     ```bash
-    semgrep login
+    /plugin marketplace add semgrep/mcp-marketplace
     ```
-    In the **Semgrep CLI login**, click **Activate** to proceed.
 
-4. Return to the CLI, and install the Semgrep Pro engine:
+5.  Install the Semgrep plugin:
     ```bash
-    semgrep install-semgrep-pro
+    /plugin install semgrep-plugin@semgrep
     ```
 
-5. Add the Semgrep MCP Server to Claude:
+6.  Set up the Semgrep plugin:
     ```bash
-    claude mcp add --scope user semgrep semgrep mcp
+    /semgrep-plugin:setup_semgrep_plugin
+
+    # if the preceding command doesn't work, try:
+    /plugin enable semgrep-plugin@semgrep
     ```
 
 </TabItem>

docs/semgrep-appsec-platform/jira.md

@@ -81,7 +81,8 @@ The Jira integration automatically detects other Jira projects in your subdomain
 - Those projects have the same **Issue type** as the default project. [When you triage a finding](#code), you can choose which project to create the tickets in.
 
 :::caution Same name, different ID
-Issue types may have the same name, but a different Issue type ID. When creating tickets, only company-managed Jira projects with the same issue type ID as the default project selected in the integration will appear. If you can't select other Jira projects when creating tickets, check that the Issue type ID is the same across Jira projects. See the [<i class="fas fa-external-link fa-xs"></i> How to identify the Jira Issue ID in Cloud](https://support.atlassian.com/jira/kb/how-to-identify-the-jira-issue-id-in-cloud/) for details.
+Issue types may have the same name but different Issue type IDs. When creating tickets, only company-managed Jira projects whose issue type ID matches the default project selected in the integration will appear in the list of available projects.
+If you don't see other Jira projects when creating tickets, check that the Issue type ID is the same across Jira projects. See the [<i class="fas fa-external-link fa-xs"></i>Finding the Issue Type ID in Jira Cloud](https://support.atlassian.com/jira/kb/finding-the-issue-type-id-in-jira-cloud/) for details.
 :::
 
 ### Create mappings

docs/semgrep-assistant/overview.md

@@ -30,20 +30,35 @@ Semgrep Assistant:
 - Requires the Semgrep AppSec Platform for its use
 - Auto-analyzes many, but not all, findings during scans 
   - For full scans, all *new* issues that have **Critical** or **High** severity AND **High** or **Medium** confidence are auto-analyzed 
-  - For diff-aware scans (pull pequest or merge request scans), up to 10 new issues are auto-analyzed per scan
+  - For diff-aware scans (pull request or merge request scans), up to 10 new issues are auto-analyzed per scan
 
 ## Features
 
+
+### Explanation
+
+Semgrep Assistant explains why a finding is a true positive by connecting the rule’s message to the code that triggered it. It highlights the relevant lines of code along with the surrounding context and describes how the rule applies in this specific case. For security rules, Assistant also connects the finding back to the threat model, showing the potential risk and why the code behavior matters.
+
+The explanation helps you understand not just *which* rule triggered a finding, but *why* the code is considered problematic.
+
+On the finding’s **Details** page:
+
+* Semgrep Assistant’s explanation appears in the **Finding description** tab.
+* The rule that triggered the finding is described in the **Rule description** tab.
+* The exact lines of code that caused the finding are displayed in the **Your code** tab. Click a line to highlight the relevant code in context.
+
+For true positive findings, the same Assistant-generated explanations are also included in pull request or merge request comments. A brief summary appears in the default view. Expand **More details about this** to view the full Assistant-generated explanation.
+
+Note that Assistant-generated explanations are **not** available for custom rules or community rules.
+
 ### Remediation
 
 Semgrep Assistant can provide remediation advice and autofixes, or suggested fixes, for Semgrep Code findings.
 
 #### Guidance
 
-With Assistant enabled, PR or MR comments from Semgrep include step-by-step remediation instructions for the finding identified by Semgrep Code.
+With Assistant enabled, pull request or merge request comments from Semgrep include step-by-step remediation instructions for the finding identified by Semgrep Code.
 
-![PR comments with remediation advice](/img/assistant-guidance.png#md-width)
-_**Figure.** PR comment displaying the rule message followed by a comment that contains Assistant-generated remediation guidance._
 
 Semgrep also displays remediation information on Semgrep AppSec Platform's **Findings page** under **Your code & fix** in the [finding's details](/semgrep-code/findings#view-details-about-a-specific-finding) page.
 

docs/semgrep-supply-chain/license-compliance.md

@@ -53,6 +53,17 @@ To change the policies of packages based on the license:
 1. Click the permission (**Allow**, **Comment**, or **Block**) you want to set the license to.
 2. **Optional**: Block entire categories of licenses by clicking on the **Set all to** drop-down box next to the license category.
 
+## License information
+
+License information is often stored in the package's repository alongside the source code. You can generally find this information in:
+
+- A license file, such as `LICENSE` or `LICENSE.txt`
+- The manifest file, such as the `pyproject.toml` or `package.json`, which typically specifies a `license` field
+
+Semgrep uses [deps.dev](https://deps.dev/) as the primary source for license data, which is then displayed in Semgrep AppSec Platform.
+
+[deps.dev](https://deps.dev/) aggregates license metadata from package registry APIs, such as PyPI and npm. This metadata is provided by package maintainers through their manifest files and may be missing, incomplete, or inaccurate. If the license data displayed in Semgrep AppSec Platform for a particular package is missing or doesn't show the expected value, the data provided by the package maintainer to populate the package registry API is likely incomplete or incorrect.
+
 ## License categories
 
 Semgrep Supply Chain can identify the following licenses and license categories.

docs/semgrep-supply-chain/triage-remediation.md

@@ -106,17 +106,6 @@ The following chart illustrates the steps Semgrep performs, from scanning to ana
 
 <ViewDetailsSsc />
 
-<dl>
-<dt>A - Upgrade badge</dt>
-<dd>Indicates if an upgrade is safe or may break your codebase.</dd>
-<dt>B - The line of code (LOC) of the finding</dt>
-<dd>This shows the LOC that caused the finding; this does <strong>not</strong> show the LOC where the breaking changes occur.</dd>
-<dt>C - Link to change list drawer</dt>
-<dd>Click this link to display the LOC where a breaking change may occur.</dd>
-<dt>D - Open fix PR button</dt>
-<dd>Click this button to open a PR with the code to upgrade the dependency to a safe version, if any.</dd>
-</dl>
-
 ### Create a pull request with fixes
 
 1. Navigate to the **Details** page of the finding for which you want to make a pull request.

netlify.toml

@@ -13,7 +13,13 @@
 [context.branch-deploy]
   # Netlify automatically sets: CONTEXT, DEPLOY_PRIME_URL, BRANCH
 
+[[redirects]]
+from = "/"
+to = "/docs"
+status = 302
+
 [[redirects]]
 from = "/*"
 to = "/docs/404.html"
 status = 404
+