
    How to scan multiple or nested manifest files or lockfiles

    Semgrep Supply Chain uses manifest files or lockfiles as part of its reachability analysis to determine the exact version of each dependency a codebase uses; a finding is only as precise as the version the lockfile pins. Semgrep parses manifest files or lockfiles such as:

    • go.mod
    • Gemfile.lock
    • package-lock.json
    • requirements.txt

    By default, Semgrep parses manifest files or lockfiles in any directory or subdirectory of the scanned project, so a repository with several nested lockfiles is handled without extra configuration. Some package managers, such as npm or Yarn, support workspaces, where a single lockfile at the repository root pins the dependencies of several nested packages that have no lockfile of their own; this layout can affect Semgrep's parsing behavior. If you use workspaces, reach out to Semgrep support for assistance in setting up Semgrep Supply Chain.
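    As an added illustration (this is not Semgrep's code and does not describe its internal parser), the following Python script walks a repository tree the way the default behavior above implies: it reads every manifest or lockfile it finds in any nested directory, pulls the exact pinned versions out of package-lock.json (lockfileVersion 2 or 3) and requirements.txt, and flags directories whose package.json declares npm/Yarn workspaces so you can see where a root lockfile covers nested packages. The sample tree it builds is constructed for the example, and the file-name set and workspace check are assumptions about a typical layout, not Semgrep's supported-file list.

```python
"""Inventory manifest files / lockfiles in a repo tree, extract the exact
dependency versions each one pins, and flag npm/Yarn workspace roots.
Added example; the file-name set and sample tree are assumptions."""
import json
import re
import tempfile
from pathlib import Path

# Assumed subset of lockfile / manifest names; the authoritative list is in
# the Supported languages docs.
LOCKFILE_NAMES = {"package-lock.json", "Gemfile.lock", "go.mod", "requirements.txt"}


def parse_package_lock(path: Path) -> dict[str, str]:
    """Exact versions from a lockfileVersion 2/3 package-lock.json.
    Keys in "packages" look like "node_modules/lodash" or
    "node_modules/a/node_modules/b"; the segment after the last
    "node_modules/" is the package name. The "" key is the project itself."""
    data = json.loads(path.read_text())
    versions = {}
    for key, meta in data.get("packages", {}).items():
        if not key:
            continue
        name = key.rsplit("node_modules/", 1)[-1]
        versions[name] = meta["version"]
    return versions


def parse_requirements(path: Path) -> dict[str, str]:
    """Only '==' pins yield an exact version; ranges are left unresolved."""
    versions = {}
    for line in path.read_text().splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)", line)
        if m:
            versions[m.group(1).lower()] = m.group(2)
    return versions


def is_workspace_root(directory: Path) -> bool:
    """npm/Yarn workspaces are declared via a "workspaces" field in package.json."""
    manifest = directory / "package.json"
    if not manifest.is_file():
        return False
    return "workspaces" in json.loads(manifest.read_text())


def inventory(root: Path) -> list[dict]:
    """Walk every directory under root and report each lockfile found."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.name not in LOCKFILE_NAMES or not path.is_file():
            continue
        if "node_modules" in path.parts:   # vendored copies, not the project's own
            continue
        entry = {"file": path.relative_to(root).as_posix(),
                 "deps": {}, "workspace_root": False}
        if path.name == "package-lock.json":
            entry["deps"] = parse_package_lock(path)
            entry["workspace_root"] = is_workspace_root(path.parent)
        elif path.name == "requirements.txt":
            entry["deps"] = parse_requirements(path)
        findings.append(entry)
    return findings


def build_sample_repo() -> Path:
    """Constructed sample tree: a workspace root, a nested service with its
    own lockfile, and a Python tools directory."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps(
        {"name": "monorepo", "workspaces": ["packages/*"]}))
    (root / "package-lock.json").write_text(json.dumps({
        "name": "monorepo", "lockfileVersion": 3,
        "packages": {"": {"name": "monorepo"},
                     "node_modules/lodash": {"version": "4.17.21"},
                     "node_modules/minimist": {"version": "1.2.8"}}}))
    svc = root / "services" / "api"
    svc.mkdir(parents=True)
    (svc / "package.json").write_text(json.dumps({"name": "api"}))
    (svc / "package-lock.json").write_text(json.dumps({
        "name": "api", "lockfileVersion": 3,
        "packages": {"": {"name": "api"},
                     "node_modules/express": {"version": "4.18.2"},
                     "node_modules/express/node_modules/debug": {"version": "2.6.9"}}}))
    tools = root / "tools"
    tools.mkdir()
    (tools / "requirements.txt").write_text("requests==2.31.0  # pinned\npyyaml>=6.0\n")
    return root


if __name__ == "__main__":
    for f in inventory(build_sample_repo()):
        flag = " (workspace root)" if f["workspace_root"] else ""
        print(f"{f['file']}{flag}: {f['deps']}")
```

    Running it lists three lockfiles: the root package-lock.json is flagged as a workspace root, the nested services/api lockfile resolves its own exact versions (including a nested node_modules entry), and requirements.txt contributes only the `==` pin while the `>=` range is left out, which is the same reason an unpinned requirement cannot be matched to a specific vulnerable version.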

    See Supported languages > Semgrep Supply Chain for more information.


    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.