How to scan multiple or nested lock files

Semgrep Supply Chain uses lockfiles as part of its reachability analysis to determine the exact version of a dependency that a codebase is using. Semgrep parses lockfiles, such as:

  • go.mod
  • Gemfile.lock
  • package-lock.json

By default, Semgrep parses every lockfile it finds in any directory or subdirectory of the scanned project. Some package managers, such as npm or Yarn, support workspaces, which can change how Semgrep parses the resulting lockfiles. If you use workspaces, reach out to Semgrep support for assistance in setting up Semgrep Supply Chain.
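As an added example (not Semgrep's own code, and not how Semgrep itself discovers lockfiles), the script below walks a constructed monorepo, lists every lockfile at any depth, pulls exact dependency versions from each package-lock.json, and reports the npm workspace globs that can complicate parsing. The lockfile keys and the workspace `link` entries follow npm's lockfileVersion 3 layout; the sample repository is built in a temporary directory.

```python
import json
import tempfile
from pathlib import Path

# Lockfile names mentioned on this page; Semgrep supports more, so this set is not exhaustive.
LOCKFILE_NAMES = {"go.mod", "Gemfile.lock", "package-lock.json"}

def find_lockfiles(root):
    """Return every lockfile under root (any depth), as sorted POSIX paths relative to root."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*")
                  if p.name in LOCKFILE_NAMES and "node_modules" not in p.parts)  # skip vendored trees

def npm_versions(lockfile_path):
    """Exact (name, version) pairs of installed packages from a lockfileVersion 2/3 package-lock.json."""
    data = json.loads(Path(lockfile_path).read_text())
    pairs = set()
    for key, entry in data.get("packages", {}).items():
        # "" is the root project, "packages/x" is a workspace member, and a "link" entry is the
        # symlink npm creates for a workspace member under node_modules: none carries a real version.
        if "node_modules/" not in key or entry.get("link"):
            continue
        pairs.add((key.rsplit("node_modules/", 1)[-1], entry.get("version")))
    return pairs

def npm_workspaces(lockfile_path):
    """Workspace globs declared in the package.json next to a lockfile (empty list if none)."""
    manifest = Path(lockfile_path).with_name("package.json")
    if not manifest.exists():
        return []
    ws = json.loads(manifest.read_text()).get("workspaces", [])
    return list(ws.get("packages", [])) if isinstance(ws, dict) else list(ws)

def build_sample_repo():
    """Constructed monorepo: root npm workspace lockfile, a nested service lockfile, a Go module."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        p = Path(root, rel); p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    write("package.json", json.dumps({"name": "root", "workspaces": ["packages/*"]}))
    write("package-lock.json", json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "root"}, "packages/app": {"version": "1.0.0"},
        "node_modules/app": {"resolved": "packages/app", "link": True},
        "node_modules/lodash": {"version": "4.17.21"}}}))
    write("services/api/package-lock.json", json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "api"}, "node_modules/express": {"version": "4.18.2"}}}))
    write("services/worker/go.mod", "module example.com/worker\n\ngo 1.21\n")
    return root
```

Running `find_lockfiles` on the sample repo returns all three lockfiles, while `npm_versions` on the root lockfile yields only the third-party dependency and skips the workspace member that the lockfile records as a link.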

See Supported languages > Semgrep Supply Chain for more information.