Semgrep Supply Chain (Team & Enterprise Tier)

Receiving notifications from Semgrep Supply Chain (SSC) scans

Developers can be notified of vulnerabilities in their GitHub or GitLab environment through pull request (PR) or merge request (MR) comments.

Receiving SSC notifications through pull request (PR) or merge request (MR) comments

Figure 1. Screenshot of a PR comment from SSC in a GitHub repository.

Semgrep Supply Chain can post pull request (PR) or merge request (MR) comments to notify developers, in their GitHub or GitLab environment, of reachable vulnerabilities in third-party dependencies detected by a Semgrep Supply Chain scan. Each comment provides the following information:

Risk
A description of the vulnerability, including the types of attack the dependency is exposed to.
Fix
The versions to upgrade to, if any, that resolve the vulnerability.
Reference
A link to additional information about the vulnerability from the GitHub Advisory Database and the National Vulnerability Database (NVD), if available.
info

By default, pull or merge requests with vulnerabilities detected by SSC are not blocked from merging. See the last section of this page for how to block them using GitHub or GitLab features.

Enabling Semgrep Supply Chain to send PR or MR comments

PR or MR comments for reachable findings are enabled by default; no configuration is needed. Comments appear after a Semgrep Supply Chain scan of the PR or MR completes, and only if reachable findings exist.

Custom Semgrep setups

note

This section applies if PR or MR comments do not appear in custom Semgrep setups, such as self-hosted repositories. Such setups may require additional permissions or an access token before Semgrep can post PR or MR comments.

To verify that you have enabled Semgrep App to send PR or MR comments, refer to the documentation for your GitHub or GitLab plan:

  • GitHub Free, Pro, Team, and Enterprise Cloud: Enabling GitHub pull request comments
  • GitHub Enterprise Server: Integrating Semgrep into self-hosted repositories
  • GitLab SaaS: Enabling GitLab merge request comments
  • GitLab Self-managed: Integrating Semgrep into self-hosted repositories

Preventing developers from merging a PR or MR when a reachable vulnerability has been detected

Semgrep Supply Chain itself does not block merges. Both GitHub and GitLab, however, provide repository settings that block a PR or MR from merging while any comment thread on it remains unresolved. Because SSC posts its reachable findings as comment threads, enabling the relevant setting prevents a merge until someone has explicitly resolved each SSC thread. Refer to the following documentation:

  • GitHub: Require conversation resolution before merging
  • GitLab: Prevent merge unless all threads are resolved
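The two settings above can be enabled through each platform's REST API as well as through the web UI. The following POSIX shell helper is an added example written for this page; it is not part of Semgrep's documentation or tooling. It assumes GITHUB_TOKEN and GITLAB_TOKEN hold tokens with administrative rights on the target repository or project, that the GitLab project is identified by its numeric ID or URL-encoded path (for example group%2Fproject), and that DRY_RUN=1 prints the request instead of sending it. The request shapes (PUT .../branches/{branch}/protection with required_conversation_resolution, and PUT /projects/:id with only_allow_merge_if_all_discussions_are_resolved) are the platforms' real endpoints; the function names and the acme/widgets sample values are this example's own.

```shell
#!/bin/sh
# Added example (not Semgrep's code): make SSC PR/MR comment threads block merges by
# enabling "Require conversation resolution before merging" on GitHub and
# "Prevent merge unless all threads are resolved" on GitLab via their REST APIs.
# Assumptions: GITHUB_TOKEN / GITLAB_TOKEN are set with admin rights; DRY_RUN=1
# prints the request instead of sending it.

# JSON body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.
# GitHub requires the four nullable keys to be present even when unused; the
# setting that matters here is required_conversation_resolution.
github_protection_payload() {
  cat <<'EOF'
{
  "required_status_checks": null,
  "enforce_admins": null,
  "required_pull_request_reviews": null,
  "restrictions": null,
  "required_conversation_resolution": true
}
EOF
}

# Usage: github_require_conversation_resolution OWNER REPO BRANCH
# Note: PUT replaces the whole protection rule for the branch, so merge this
# payload with any protections you already have before running it for real.
github_require_conversation_resolution() {
  url="https://api.github.com/repos/$1/$2/branches/$3/protection"
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'PUT %s\n' "$url"
    github_protection_payload
    return 0
  fi
  github_protection_payload | curl -sS -f -X PUT "$url" \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer ${GITHUB_TOKEN:?set GITHUB_TOKEN}" \
    -d @-
}

# Usage: gitlab_require_threads_resolved PROJECT_ID [GITLAB_HOST]
# PROJECT_ID is the numeric ID or the URL-encoded path (group%2Fproject).
# Pass your own host as the second argument for self-managed GitLab.
gitlab_require_threads_resolved() {
  host="${2:-gitlab.com}"
  url="https://$host/api/v4/projects/$1"
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'PUT %s?only_allow_merge_if_all_discussions_are_resolved=true\n' "$url"
    return 0
  fi
  curl -sS -f -X PUT "$url" \
    -H "PRIVATE-TOKEN: ${GITLAB_TOKEN:?set GITLAB_TOKEN}" \
    --data-urlencode "only_allow_merge_if_all_discussions_are_resolved=true"
}

# Example invocation, sample values only:
#   DRY_RUN=1 github_require_conversation_resolution acme widgets main
#   DRY_RUN=1 gitlab_require_threads_resolved 42 gitlab.example.com
```

Two caveats worth keeping in mind. First, these settings block on any unresolved thread, not only SSC's, and resolution is a human click on the thread rather than a re-scan, so a reviewer can resolve an SSC thread without upgrading the dependency; pair the setting with review of who resolves such threads. Second, the GitHub branch protection endpoint replaces the entire rule, so fetch the existing protection with GET on the same URL and fold required_conversation_resolution into it rather than sending the minimal payload above to a branch that already has status checks or review requirements.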
