
    How to scan multiple or nested lock files

    Semgrep Supply Chain uses lockfiles as part of its reachability analysis to determine the exact version of a dependency that a codebase is using. Semgrep parses lockfiles, such as:

    • go.mod
    • Gemfile.lock
    • package-lock.json

    By default, Semgrep parses any lockfile in any directory or subdirectory. Some package managers, such as npm or yarn, have support for Workspaces, which can affect Semgrep's parsing behavior. If you use workspaces, reach out to Semgrep support for assistance in setting up Semgrep Supply Chain.
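The following script is an added example, not Semgrep's own code, of what "any lockfile in any directory or subdirectory" means in practice: it walks a repository tree, collects every go.mod, Gemfile.lock and package-lock.json it finds, and extracts the exact pinned (name, version) pairs from each one, which is the information a reachability analysis needs. The parsers are deliberately simplified re-implementations (go.mod `require` lines and blocks, 4-space-indented specs under the `GEM` section of Gemfile.lock, and the path-keyed `packages` map of package-lock.json lockfileVersion 2/3); the monorepo layout, lockfile contents and the decision to skip `node_modules`, `.git` and `vendor` directories are this script's own constructed assumptions.

```python
"""Enumerate nested lockfiles and pull the pinned versions out of each.

Added example, not Semgrep's code. The sample tree below is constructed
inline so the script runs offline; the parsers cover only the common
shapes of each lockfile format.
"""
import json
import os
import re
import tempfile
from pathlib import Path

LOCKFILE_NAMES = {"go.mod", "Gemfile.lock", "package-lock.json"}
SKIP_DIRS = {"node_modules", ".git", "vendor"}  # this script's choice, not Semgrep's


def find_lockfiles(root):
    """Walk root recursively and return every supported lockfile as a path relative to root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)  # prune in place
        for name in sorted(filenames):
            if name in LOCKFILE_NAMES:
                found.append(Path(dirpath, name).relative_to(root).as_posix())
    return found


def parse_go_mod(text):
    """Modules pinned by single-line `require` directives or `require ( ... )` blocks."""
    deps = {}
    in_block = False
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()  # drop `// indirect` style comments
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        m = re.match(r"(?:require\s+)?(\S+)\s+(v\S+)$", line)
        if m and (in_block or line.startswith("require ")):
            deps[m.group(1)] = m.group(2)
    return deps


def parse_gemfile_lock(text):
    """Resolved gems: the 4-space-indented `name (version)` lines under GEM / specs.
    Deeper-indented lines are version constraints of a gem's own dependencies, not pins."""
    deps = {}
    in_gem = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_gem = line.strip() == "GEM"  # section headers are unindented
            continue
        m = re.match(r"^ {4}(\S+) \(([^)]+)\)$", line)
        if in_gem and m:
            deps[m.group(1)] = m.group(2)
    return deps


def parse_package_lock(text):
    """Installed npm packages from the lockfileVersion 2/3 `packages` map.
    Keys are install paths; the package name is whatever follows the last `node_modules/`.
    The root project ("") and workspace members (bare paths such as `packages/ui`) are
    first-party code and are skipped. If the same name is installed at two paths with
    different versions, the last one seen wins in this simplified version."""
    data = json.loads(text)
    deps = {}
    for path, meta in data.get("packages", {}).items():
        if not path or "node_modules/" not in path:
            continue
        deps[path.rsplit("node_modules/", 1)[1]] = meta.get("version")
    return deps


PARSERS = {
    "go.mod": parse_go_mod,
    "Gemfile.lock": parse_gemfile_lock,
    "package-lock.json": parse_package_lock,
}


def scan(root):
    """Map each lockfile (path relative to root) to its pinned dependencies."""
    root = Path(root)
    return {rel: PARSERS[Path(rel).name]((root / rel).read_text()) for rel in find_lockfiles(root)}


# Constructed sample monorepo: three lockfiles at different depths plus one
# inside node_modules that the walker should ignore.
SAMPLE_TREE = {
    "go.mod": "module example.com/app\n\ngo 1.21\n\nrequire (\n"
              "\tgithub.com/gin-gonic/gin v1.9.1\n"
              "\tgolang.org/x/text v0.14.0 // indirect\n)\n",
    "services/api/Gemfile.lock": "GEM\n  remote: https://rubygems.org/\n  specs:\n"
                                 "    rack (3.0.8)\n    rails (7.1.2)\n      actionpack (= 7.1.2)\n\n"
                                 "PLATFORMS\n  ruby\n\nDEPENDENCIES\n  rails (~> 7.1)\n",
    "web/package-lock.json": json.dumps({
        "name": "web", "lockfileVersion": 3,
        "packages": {
            "": {"name": "web", "workspaces": ["packages/*"]},
            "node_modules/lodash": {"version": "4.17.21"},
            "node_modules/express": {"version": "4.18.2"},
            "node_modules/express/node_modules/debug": {"version": "2.6.9"},
            "packages/ui": {"name": "@web/ui", "version": "1.0.0"},
        },
    }),
    "web/node_modules/lodash/package-lock.json": "{}",
}


def build_sample_tree(root):
    """Write the constructed sample tree under root."""
    for rel, content in SAMPLE_TREE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for lockfile, deps in demo().items():
        print(lockfile)
        for name, version in sorted(deps.items()):
            print(f"  {name}@{version}")
```

Running it lists each lockfile with its pinned versions; note that the nested `node_modules/express/node_modules/debug` entry resolves to `debug@2.6.9`, while the workspace member `@web/ui` is reported nowhere because it is first-party code, not a dependency.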

    See Supported languages > Semgrep Supply Chain for more information.

    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.