chore(deps): bump semgrep from 1.151.0 to 1.152.0

[dependabot]

Bumps semgrep from 1.151.0 to 1.152.0.

Release notes

Sourced from semgrep's releases.

Release v1.152.0

1.152.0 - 2026-02-17

### Added

• Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

• Turned on DNS rebinding protection for the MCP server (dns-check)

• Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

• Memory management policies

  A memory policy defines how OCaml's garbage collector should be configured for a scan. There are two initial policies: "aggressive", the current behaviour, which trades longer scan times for lower memory use, and "balanced", which finds a middle ground between reclaiming heap memory in short order while limiting how often the garbage collector runs. The policy can be configured via the --x-mem-policy CLI flag for the pro engine; this flag is unused in the OSS engine. (engine-2055)

• Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@​hex0punk) for the contribution! (gh-11347)

• Allows case insensitive string comparisons using lower() and upper() like this:

  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  

  (gh-11502)

• Blocking findings that are outputted in the CI output are now labelled as such. (#4394)

### Changed

• pro: There should be fewer FNs when the max number of fields to track per object is reached. (code-9224)
• Remove legacy combined symbol analysis computation and upload in favor of per-subproject symbol analysis (sc-3153)

### Fixed

• pro: Improved accuracy of taint tracking through assignments, this will help reduce FPs in some cases. (code-9220)
• When receiving a 429 or 5xx from the Semgrep app, the CLI will wait for a longer period of time before retrying the request, to spread out requests during periods of app instability. (engine-2550)

Changelog

Sourced from semgrep's changelog.

1.152.0 - 2026-02-17

### Added

• Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

• Turned on DNS rebinding protection for the MCP server (dns-check)

• Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

• Memory management policies

  A memory policy defines how OCaml's garbage collector should be configured for a scan. There are two initial policies: "aggressive", the current behaviour, which trades longer scan times for lower memory use, and "balanced", which finds a middle ground between reclaiming heap memory in short order while limiting how often the garbage collector runs. The policy can be configured via the --x-mem-policy CLI flag for the pro engine; this flag is unused in the OSS engine. (engine-2055)

• Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@​hex0punk) for the contribution! (gh-11347)

• Allows case insensitive string comparisons using lower() and upper() like this:

  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  

  (gh-11502)

• Blocking findings that are outputted in the CI output are now labelled as such. (#4394)

### Changed

• pro: There should be fewer FNs when the max number of fields to track per object is reached. (code-9224)
• Remove legacy combined symbol analysis computation and upload in favor of per-subproject symbol analysis (sc-3153)

### Fixed

• pro: Improved accuracy of taint tracking through assignments, this will help reduce FPs in some cases. (code-9220)
• When receiving a 429 or 5xx from the Semgrep app, the CLI will wait for a longer period of time before retrying the request, to spread out requests during periods of app instability. (engine-2550)

Commits

• 2b6338b chore: release version 1.152.0
• 80eacd7semgrep/semgrep-proprietary#5637
• 021601a feat(eval): add lower/upper comparison functions (semgrep/semgrep-proprietary...
• 1aa1aedsemgrep/semgrep-proprietary#5632
• bd54c42 feat(lang): Add experimental support for OpenFGA (semgrep/semgrep-proprietary...
• 101900f fix(mcp): check the length of the repos parameter of semgrep_findings (se...
• b032f00 app session: Wait longer before retrying on a 5xx or 429 (semgrep/semgrep-pro...
• c2d8754semgrep/semgrep-proprietary#5545
• e80042dsemgrep/semgrep-proprietary#5620
• e0498b3 chore(mcp): reenable semgrep_findings tool when connected via streamable HT...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)