Semgrep Supply Chain is a high-signal open-source dependency scanner that significantly reduces false positives using reachability analysis. Since the launch almost a year ago, the security community has shown unconditional love for our innovative approach to reducing noise. Semgrep Supply Chain has helped organizations like Thinkific reduce false positives by 85% or more.
Now, we have added support for C# (beta) and PHP (lockfile-only). For C#, users can now scan for reachable vulnerabilities in their dependencies. Semgrep Supply Chain's support for the NuGet package manager, which currently hosts over 370,000 packages, is invaluable to customers working in C# and the .NET ecosystem, one of the world's most popular software frameworks. With NuGet packages receiving roughly 3 million downloads every week, this added support ensures developers and organizations can confidently integrate and manage dependencies, bolstering security and compliance. PHP support covers the Composer package manager with lockfile-only rules, which match vulnerable package versions in the lockfile but do not yet determine whether the vulnerable code is reachable.
Most SCA tools flag code as vulnerable if the code is using a vulnerable open source library. Semgrep Supply Chain goes a step further and tags a vulnerability as reachable if the application code uses a vulnerable method within a vulnerable open source library.
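To make the distinction concrete, here is a small added example (not Semgrep's own code, and not the algorithm Semgrep actually uses, which matches on the parsed AST rather than with regular expressions). It reads a constructed NuGet `packages.lock.json` and a constructed Composer `composer.lock`, compares the resolved versions against a constructed advisory list with placeholder identifiers, and, for C#, marks a finding as reachable only when the application source actually calls the advisory's vulnerable method. The package names, method names and advisory IDs are all invented for the illustration.

```python
"""Toy dependency scan with reachability, in the spirit of the text above.

Hypothetical example, not Semgrep Supply Chain's code: every package,
method, version and advisory id below is constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str                   # placeholder id, not a real CVE
    ecosystem: str                     # "nuget" or "composer"
    package: str
    fixed_in: str                      # first version that is not vulnerable
    vulnerable_method: Optional[str]   # fully qualified; None = lockfile-only rule


def parse_version(v: str) -> Tuple[int, ...]:
    # Drop a leading "v" (common in composer.lock) and any pre-release/build suffix.
    core = re.split(r"[-+]", v.lstrip("v"))[0]
    return tuple(int(p) for p in core.split("."))


def nuget_lock_packages(lock_text: str) -> Dict[str, str]:
    """Return {package: resolved version} from a NuGet packages.lock.json."""
    data = json.loads(lock_text)
    found: Dict[str, str] = {}
    for framework in data.get("dependencies", {}).values():
        for name, info in framework.items():
            found[name] = info["resolved"]
    return found


def composer_lock_packages(lock_text: str) -> Dict[str, str]:
    """Return {package: version} from a Composer composer.lock."""
    data = json.loads(lock_text)
    packages = data.get("packages", []) + data.get("packages-dev", [])
    return {p["name"]: p["version"] for p in packages}


def method_is_called(source: str, fully_qualified: str) -> bool:
    """Simplified check: `<TypeName>.<Method>(` appears in the source.

    Semgrep does this on the syntax tree; a regex cannot tell a real call
    from a mention in a comment or string, which is the simplification here.
    """
    type_name, method = fully_qualified.rsplit(".", 1)
    short_type = type_name.rsplit(".", 1)[-1]
    pattern = rf"\b{re.escape(short_type)}\s*\.\s*{re.escape(method)}\s*\("
    return re.search(pattern, source) is not None


def classify(installed: Dict[str, str], advisories: List[Advisory],
             ecosystem: str, source: str) -> List[Tuple[str, str, str, str]]:
    """Return (advisory_id, package, version, status) for each affected package."""
    findings = []
    for adv in advisories:
        if adv.ecosystem != ecosystem or adv.package not in installed:
            continue
        version = installed[adv.package]
        if parse_version(version) >= parse_version(adv.fixed_in):
            continue  # a patched version is installed: no finding at all
        if adv.vulnerable_method is None:
            status = "affected (lockfile-only)"       # version match only
        elif method_is_called(source, adv.vulnerable_method):
            status = "reachable"                      # vulnerable method is used
        else:
            status = "unreachable"                    # library present, method unused
        findings.append((adv.advisory_id, adv.package, version, status))
    return findings


# --- constructed sample inputs ------------------------------------------------
NUGET_LOCK = json.dumps({"version": 1, "dependencies": {"net6.0": {
    "Acme.Markup": {"type": "Direct", "requested": "[2.1.0, )",
                    "resolved": "2.1.0", "contentHash": "constructed"},
    "Acme.Logging": {"type": "Direct", "requested": "[1.0.0, )",
                     "resolved": "1.0.0", "contentHash": "constructed"}}}})

COMPOSER_LOCK = json.dumps({"packages": [{"name": "acme/template", "version": "v3.4.1"}]})

CSHARP_SOURCE = """
using Acme.Markup;
using Acme.Logging;
class App {
    static void Main(string[] args) {
        var html = Renderer.RenderRaw(args[0]);   // calls the flagged method
        Logger.Info("rendered");                  // Logger.Format is never used
    }
}
"""

ADVISORIES = [
    Advisory("EXAMPLE-0001", "nuget", "Acme.Markup", "2.2.0", "Acme.Markup.Renderer.RenderRaw"),
    Advisory("EXAMPLE-0002", "nuget", "Acme.Logging", "1.1.0", "Acme.Logging.Logger.Format"),
    Advisory("EXAMPLE-0003", "composer", "acme/template", "3.5.0", None),
]


def run_example() -> List[Tuple[str, str, str, str]]:
    """Scan both constructed lockfiles; C# gets reachability, PHP is lockfile-only."""
    nuget = classify(nuget_lock_packages(NUGET_LOCK), ADVISORIES, "nuget", CSHARP_SOURCE)
    php = classify(composer_lock_packages(COMPOSER_LOCK), ADVISORIES, "composer", "")
    return nuget + php


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run as written, the scan reports `Acme.Markup` as reachable (the application calls `Renderer.RenderRaw`), `Acme.Logging` as unreachable (the vulnerable `Logger.Format` is never called, so a version-only scanner would have produced a false positive), and the Composer package as affected with no reachability verdict, which is what a lockfile-only rule can say.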
Finding reachable open source dependency vulnerabilities using Semgrep Supply Chain
The Semgrep application security platform can also find issues specific to an organization's codebase and surface them in the developer's workflow using Semgrep Code (SAST), and scan for accidentally committed secrets using our recently launched product, Semgrep Secrets.
PS: Semgrep Code and Semgrep Supply Chain are available to try for free.