chore(deps): bump semgrep from 1.151.0 to 1.156.0

[dependabot]

Bumps semgrep from 1.151.0 to 1.156.0.

Release notes

Sourced from semgrep's releases.

Release v1.156.0

1.156.0 - 2026-03-17

### Changed

• The Kotlin tree-sitter parser has been updated to the latest available grammar significantly improving Kotlin support in Semgrep. (kotlin-parser)

### Fixed

• Pro: Experimental interfile tainting for Ruby now disambiguates between variable accesses and zero-argument method calls. (engine-2556)
• Pro: Memoize tsconfig.json parsing to avoid redundant re-parsing across a project hierarchy. (engine-2596)
• Fixed a crash in semgrep ci when run in a git repo with no remote origin set (gh-11342)

Release v1.155.0

1.155.0 - 2026-03-11

### Added

• Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
• scala: Improved support for Scala 3's optional braces. (LANG-218)
• Added PowerShell language support (beta) with parsing and pattern matching (lang-233)

### Changed

• Removed the experimental and undocumented command semgrep install-ci. (osemgrep-install-ci)

• Migrate from publishing a single Linux wheel with the platform tag musllinux_1_0_<arch>.manylinux2014_<arch> to publishing two separate wheels:

  • A wheel with the platform tag musllinux_1_0_
  • A wheel with the platform tag manylinux2014_

  (pypi-linux-tag)

### Fixed

• When performing parallel operations over a small number of input items, the engine no longer spawns more OCaml domains than we have items to process. This assists with resource utilisation. (engine-2588)
• Fixed: Prevent SessionStart hook crash when inject-secure-defaults receives empty stdin (JSONDecodeError). (engine-2592)
• Semgrep secret validation now times out after 30 seconds instead of 15 minutes. Additionally this timeout is configurable via the --secrets-timeout flag. (engine-2593)
• Fixed permission errors during lockfileless Java (Gradle) dependency resolution by invoking gradlew via sh when the executable bit is not set (gh-5747)

Release v1.154.0

1.154.0 - 2026-03-04

### Fixed

• Fix crash on Windows when running semgrep ci with --debug and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when --debug was active. (ENGINE-2491)
• Changed default memory policy from "eager" to "balanced". Scan times should noticably improve; however, scans may use 5-10% additional memory. If running in a resource-constrained environment, consider setting the memory policy back

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.156.0 - 2026-03-17

### Changed

• The Kotlin tree-sitter parser has been updated to the latest available grammar significantly improving Kotlin support in Semgrep. (kotlin-parser)

### Fixed

• Pro: Experimental interfile tainting for Ruby now disambiguates between variable accesses and zero-argument method calls. (engine-2556)
• Pro: Memoize tsconfig.json parsing to avoid redundant re-parsing across a project hierarchy. (engine-2596)
• Fixed a crash in semgrep ci when run in a git repo with no remote origin set (gh-11342)

1.155.0 - 2026-03-11

### Added

• Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
• scala: Improved support for Scala 3's optional braces. (LANG-218)
• Added PowerShell language support (beta) with parsing and pattern matching (lang-233)

### Changed

• Removed the experimental and undocumented command semgrep install-ci. (osemgrep-install-ci)

• Migrate from publishing a single Linux wheel with the platform tag musllinux_1_0_<arch>.manylinux2014_<arch> to publishing two separate wheels:

  • A wheel with the platform tag musllinux_1_0_
  • A wheel with the platform tag manylinux2014_

  (pypi-linux-tag)

### Fixed

• When performing parallel operations over a small number of input items, the engine no longer spawns more OCaml domains than we have items to process. This assists with resource utilisation. (engine-2588)
• Fixed: Prevent SessionStart hook crash when inject-secure-defaults receives empty stdin (JSONDecodeError). (engine-2592)
• Semgrep secret validation now times out after 30 seconds instead of 15 minutes. Additionally this timeout is configurable via the --secrets-timeout flag. (engine-2593)
• Fixed permission errors during lockfileless Java (Gradle) dependency resolution by invoking gradlew via sh when the executable bit is not set (gh-5747)

1.154.0 - 2026-03-04

### Fixed

• Fix crash on Windows when running semgrep ci with --debug and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when --debug was active. (ENGINE-2491)
• Changed default memory policy from "eager" to "balanced". Scan times should noticably improve; however, scans may use 5-10% additional memory. If running in a resource-constrained environment, consider setting the memory policy back to "aggressive". (engine-2055)

... (truncated)

Commits

• ab58498 chore: release version 1.156.0
• ef050adsemgrep/semgrep-proprietary#5864
• 9047037 fix(tsconfig): memoize references during parsing (semgrep/semgrep-proprietary...
• 05f953csemgrep/semgrep-proprietary#5857
• abbd427 ci: compare-perf: Make small-benchmarks a bit quieter (semgrep/semgrep-propri...
• 7f6ffd0 fix(kotlin): update to the latest tree-sitter-kotlin grammar (semgrep/semgrep...
• c733f00semgrep/semgrep-proprietary#5
• 14d47f5semgrep/semgrep-proprietary#5850
• aef48e3semgrep/semgrep-proprietary#5851
• 6e5c89b Cron - update semgrep-rules and semgrep-rules-pro submodules (semgrep/semgrep...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)