- Semgrep Supply Chain
- Team & Enterprise Tier
Scanning open source dependencies
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.
Semgrep Supply Chain is available to users who have a Semgrep Supply Chain Team License. Contact email@example.com for more information.
Figure 1. Semgrep Supply Chain overview page.
Semgrep Supply Chain parses lockfiles for a list of dependencies, then scans your codebase using rules written with Semgrep's pattern syntax. Supply Chain rules specify the following:
- The range of versions that contain the dependency's vulnerability.
- A pattern for vulnerable code, such as passing in unsanitized data.
- The severity of the vulnerability.
Semgrep Supply Chain generates a finding when it detects a match. If the dependency's version is within the vulnerable range and the matching code is found in your codebase, the finding is reachable.
A finding is unreachable if the dependency contains a known vulnerability, but the vulnerable matching code is not used in your codebase.
Within Semgrep App, specific findings of a dependency and code match are called usages. Usages are grouped by their vulnerability. Vulnerabilities in Semgrep Supply Chain typically have a CVE number corresponding to the record in the CVE Program.
The following diagram displays the relationship between a Supply Chain rule, the lockfile, and the codebase being scanned:
Figure 2. Relationship between a Supply Chain rule, lockfile, CVE record, and codebase.
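As an added illustration of the rule, lockfile and codebase relationship described above (example code, not Semgrep's own), the following Python models a Supply Chain rule and classifies a finding as reachable, unreachable, or absent. The package `examplelib`, its version range, the lockfile and the source snippets are all constructed, and a regex stands in for Semgrep's pattern syntax.

```python
import re
from typing import Optional

# Constructed rule in the spirit of a Supply Chain rule (not a real advisory):
# package, vulnerable version range (inclusive low, exclusive high), a pattern
# for vulnerable code (a regex standing in for Semgrep pattern syntax; here,
# request-controlled data passed straight to examplelib.parse), and severity.
RULE = {
    "package": "examplelib",
    "vulnerable_range": ("1.0.0", "1.5.0"),
    "pattern": re.compile(r"examplelib\.parse\(\s*request\."),
    "severity": "HIGH",
}

LOCKFILE = "requests==2.28.1\nexamplelib==1.2.3  # pinned\n"  # constructed requirements.txt-style lockfile
SOURCES_REACHABLE = {"app.py": "import examplelib\ndoc = examplelib.parse(request.body)\n"}  # constructed
SOURCES_UNREACHABLE = {"app.py": "import examplelib\ndoc = examplelib.parse(STATIC_CONFIG)\n"}  # constructed

def parse_lockfile(text: str) -> dict:
    """Map each pinned package (pkg==x.y.z) to its version; comments ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
    return deps

def version_key(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def in_range(version: str, rng: tuple) -> bool:
    low, high = rng
    return version_key(low) <= version_key(version) < version_key(high)

def classify(rule: dict, lockfile: str, sources: dict) -> Optional[str]:
    """Return 'reachable', 'unreachable', or None when there is no finding."""
    version = parse_lockfile(lockfile).get(rule["package"])
    if version is None or not in_range(version, rule["vulnerable_range"]):
        return None  # dependency absent, or already on a safe version
    # The pinned version is vulnerable; now look for the vulnerable usage.
    for _path, code in sources.items():
        if rule["pattern"].search(code):
            return "reachable"  # vulnerable version AND vulnerable code usage
    return "unreachable"  # vulnerable version, but the code never hits it

if __name__ == "__main__":
    print(classify(RULE, LOCKFILE, SOURCES_REACHABLE))    # reachable
    print(classify(RULE, LOCKFILE, SOURCES_UNREACHABLE))  # unreachable
```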
Semgrep and Semgrep Supply Chain
The following table displays differences between Semgrep and Semgrep Supply Chain.
| Feature | Semgrep | Semgrep Supply Chain |
| --- | --- | --- |
| Type of tool | Static application security testing (SAST) | Software composition analysis (SCA) |
| Scan target | First-party code (your codebase or repository) | Open source dependencies |
| Triage workflow | Findings can be categorized as: | Findings can be categorized as: |
| Remediation workflow | Code refactoring | Upgrading or removing the dependency, code refactoring |
| Notification channels | Jira, Slack, Email, Webhooks | Slack and email |
Refer to Supported languages to see all languages supported by Semgrep Supply Chain.
Limitations of Semgrep Supply Chain scans
- Semgrep Supply Chain supports scanning for transitive or indirect dependencies for all of its supported languages except Java. Findings are collected and displayed in Semgrep App > Supply Chain.
- Semgrep Supply Chain generates reachable findings only for direct dependencies.
Scanning a repository with Semgrep Supply Chain
Semgrep Supply Chain supports monorepositories (monorepos) by treating each subdirectory as its own repository. Findings are grouped under these repositories based on the lockfile or manifest file present in the subdirectory.
You can run a dependency scan within Semgrep App.
Scanning with Supply Chain rules through Semgrep App
This is the preferred method to enable and run Semgrep Supply Chain.
To enable and run a Supply Chain (dependency) scan in Semgrep App:
- Sign in to your Semgrep App account, and then go to the Projects page.
- Click Projects, and then click the gear icon of the repository on which to run Supply Chain rules.
- Click the SSC toggle. Semgrep Supply Chain rules are included in your next scan, which runs according to your CI setup, such as the schedules and events you have configured (push, pull, and merge requests).
- Optional: To start a dependency scan immediately, go to your CI provider's interface and manually begin the Semgrep workflow or job.
The scan finishes and displays findings in the Supply Chain tab for further triage and remediation. See Triaging and remediating dependency findings.
If the scan is triggered by a pull request or merge request (PR or MR) and detects any reachable finding, the PR or MR is blocked from merging.
Events that trigger a Supply Chain dependency scan
Dependency scans can be triggered by the following, depending on your CI setup:
| Event | Scope of scan | Dependency rule set |
| --- | --- | --- |
| Pull or merge request | diff-aware scan | All dependency rules |
| Push or scheduled event, such as a cron job | full scan | All dependency rules |
For more information on diff-aware and full scans, see Diff-aware scanning.
Blocking a PR or MR
Neither reachable nor unreachable Semgrep Supply Chain findings block a pull request or merge request.
Updated Nov 22nd, 2022: Old versions (Semgrep v0.122.0 and below) used to block reachable findings.
Ignoring dependency findings through
Triaging and remediating dependency findings
Semgrep Supply Chain enables developers to perform triage and remediation through the Dependencies page. On this page you can perform the following:
- View specific reachable vulnerable lines of code in your codebase. This helps to evaluate the threat.
- View specific lines of code where your dependency is being declared.
- Triage a dependency finding.
- Attach a PR or MR, or Jira ticket to the finding.
- Upgrade the dependency that generated the finding to a safe version. A safe version is any newer version of the dependency that does not contain the vulnerability. This resolves the finding.
For more information, see Triaging and remediating findings.