
Scanning open source dependencies

Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.

note

Semgrep Supply Chain is available to users who have a Semgrep Supply Chain Team License. Contact sales@r2c.dev for more information.

Figure 1. Semgrep Supply Chain overview page.

Semgrep Supply Chain parses lockfiles for a list of dependencies, then scans your codebase using rules written with Semgrep's pattern syntax. Supply Chain rules specify the following:

  • The range of versions that contain the dependency's vulnerability.
  • A pattern for vulnerable code, such as passing in unsanitized data.
  • The severity of the vulnerability.

Semgrep Supply Chain generates a finding when it detects a match. If the dependency's version is within the vulnerable range and Semgrep finds the matching code within your codebase, the finding is reachable.

A finding is unreachable if the dependency contains a known vulnerability, but the vulnerable matching code is not used in your codebase.

Within Semgrep App, specific findings of a dependency and code match are called usages. Usages are grouped by their vulnerability. Vulnerabilities in Semgrep Supply Chain typically have a CVE number corresponding to the record in the CVE Program.

The following diagram displays the relationship between a Supply Chain rule, the lockfile, and the codebase being scanned:

Figure 2. Relationship between a Supply Chain rule, lockfile, CVE record, and codebase.
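The following is an added toy model of the reachability logic described above (version in range plus a code match gives a reachable finding; version in range with no match gives an unreachable finding). It is illustration only, not Semgrep's rule format, lockfile parser, or matching engine; the package name, version range, regex stand-in for a Semgrep pattern, and sample inputs are all constructed.

```python
import re
from dataclasses import dataclass

# Toy model of the reachability logic described above. Added illustration only:
# not Semgrep's rule format, lockfile parser, or matching engine.

@dataclass
class SupplyChainRule:
    package: str             # dependency name as it appears in the lockfile
    vulnerable_from: str     # first vulnerable version (inclusive), assumed
    fixed_in: str            # first safe version (exclusive), assumed
    pattern: "re.Pattern"    # regex stand-in for a Semgrep code pattern
    severity: str

def parse_version(text):
    """'1.4.2' -> (1, 4, 2); dotted numeric versions only (constructed simplification)."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_lockfile(text):
    """Parse requirements.txt-style 'name==version' lines into {name: version_tuple}."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = parse_version(version)
    return deps

def classify_finding(rule, lockfile_text, source_text):
    """Return (status, usages): 'no finding', 'unreachable', or 'reachable'."""
    version = parse_lockfile(lockfile_text).get(rule.package.lower())
    if version is None:
        return ("no finding", [])            # dependency not declared at all
    if not (parse_version(rule.vulnerable_from) <= version < parse_version(rule.fixed_in)):
        return ("no finding", [])            # declared, but outside the vulnerable range
    usages = [m.group(0) for m in rule.pattern.finditer(source_text)]  # "usages" in Semgrep App terms
    return ("reachable" if usages else "unreachable", usages)

# Constructed sample inputs (placeholder package name; no real CVE).
RULE = SupplyChainRule("examplelib", "1.0.0", "1.5.0",
                       re.compile(r"examplelib\.parse\(\s*request\.\w+"), "HIGH")
LOCKFILE = "# constructed lockfile\nexamplelib==1.4.2\notherlib==3.0.0\n"
SOURCE_REACHABLE = "data = examplelib.parse(request.body)  # untrusted input flows in\n"
SOURCE_UNREACHABLE = "data = examplelib.parse(b'static-config')  # no untrusted input\n"

if __name__ == "__main__":
    for src in (SOURCE_REACHABLE, SOURCE_UNREACHABLE):
        print(classify_finding(RULE, LOCKFILE, src))
```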

Semgrep and Semgrep Supply Chain

The following table displays differences between Semgrep and Semgrep Supply Chain.

Feature | Semgrep | Semgrep Supply Chain
Type of tool | Static application security testing (SAST) | Software composition analysis (SCA)
Scan target | First-party code (your codebase or repository) | Open source dependencies
Triage workflow | Findings can be categorized as: Ignored (to triage false positives); Closed (resolved) by refactoring code; Removed | Findings can be categorized as: New; In progress; Fixed; Ignored
Remediation workflow | Code refactoring | Upgrading or removing the dependency, code refactoring
Notification channels | Jira, Slack, Email, Webhooks | Slack and email

Language support

Refer to Supported languages to see all languages supported by Semgrep Supply Chain.

Limitations of Semgrep Supply Chain scans

  • Semgrep Supply Chain supports scanning for transitive or indirect dependencies for all of its supported languages except Java. Findings are collected and displayed in Semgrep App > Supply Chain.
  • Semgrep Supply Chain detects transitivity (whether a dependency is direct or transitive) only for Python and JavaScript.
  • Semgrep Supply Chain generates reachable findings only for direct dependencies.

Scanning a repository with Semgrep Supply Chain

note

Semgrep Supply Chain supports monorepositories (monorepos) by treating each subdirectory as its own repository. Findings are grouped under these repositories based on the lockfile or manifest file present in the subdirectory.

You can run a dependency scan within Semgrep App.

Scanning with Supply Chain rules through Semgrep App

tip

This is the preferred method to enable and run Semgrep Supply Chain.

Prerequisites

To run Semgrep Supply Chain, you need the following:

To enable and run a Supply Chain (dependency) scan in Semgrep App:

  1. Sign in to your Semgrep App account, and then go to the Projects page.
  2. Click Projects, and then click the gear icon of the repository on which you want to run Supply Chain rules.
  3. Click the SSC toggle. Semgrep Supply Chain rules are included in your next scan, which runs according to your CI setup, such as schedules and event configuration (push, pull, and merge requests).
  4. Optional: To start a dependency scan immediately, go to your CI provider's interface and manually begin the Semgrep workflow or job.

The scan finishes and displays findings in the Supply Chain tab for further triage and remediation. See Triaging and remediating dependency findings.

note

If the scan is triggered by a pull request or merge request (PR or MR) and detects any reachable finding, the PR or MR is blocked from merging.

Events that trigger a Supply Chain dependency scan

Dependency scans can be triggered by the following events, depending on your CI setup:

Event | Scope of scan | Dependency rule set
Pull or merge request | Diff-aware scan | All dependency rules
Push or scheduled event, such as a cron job | Full scan | All dependency rules

For more information on diff-aware and full scans, see Diff-aware scanning.

Blocking a PR or MR

Neither reachable nor unreachable findings from Semgrep Supply Chain block a pull request or merge request.

Updated Nov 22nd, 2022: Old versions (Semgrep v0.122.0 and below) used to block reachable findings.

Ignoring dependency findings through semgrepignore

See Ignoring dependency findings.

Triaging and remediating dependency findings

Semgrep Supply Chain enables developers to perform triage and remediation through the Dependencies page. On this page you can perform the following:

  • View specific reachable vulnerable lines of code in your codebase. This helps to evaluate the threat.
  • View specific lines of code where your dependency is being declared.
  • Triage a dependency finding.
  • Attach a PR or MR, or a Jira ticket, to the finding.
  • Upgrade the dependency that generated the finding to a safe version. A safe version is any newer version of the dependency that does not contain the vulnerability. This resolves the finding.

For more information, see Triaging and remediating findings.

Additional references
