Overview of Semgrep Supply Chain
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.
Semgrep Supply Chain is available to users who have a Semgrep Supply Chain Team License. Contact sales@r2c.dev for more information.
Figure 1. Semgrep Supply Chain overview page.
Semgrep Supply Chain parses lockfiles for a list of dependencies, then scans your codebase using rules written with Semgrep's pattern syntax. Supply Chain rules specify the following:
- The range of versions that contain the dependency's vulnerability.
- A pattern for vulnerable code, such as passing in unsanitized data.
- The severity of the vulnerability.
Semgrep Supply Chain generates a finding when it detects a match. If the dependency's version falls within the vulnerable range and Semgrep finds the matching code in your codebase, the finding is reachable.
A finding is unreachable if the dependency contains a known vulnerability, but the vulnerable matching code is not used in your codebase.
In Semgrep App, specific findings of a dependency and code match are called usages. Usages are grouped by their vulnerability. Vulnerabilities in Semgrep Supply Chain typically have a CVE number corresponding to the record in the CVE Program.
The following diagram displays the relationship between a Supply Chain rule, the lockfile, and the codebase being scanned:
Figure 2. Relationship between a Supply Chain rule, lockfile, CVE record, and codebase.
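The following Python sketch is an added illustration of the rule, lockfile and reachability logic described above; it is not Semgrep's own code. It evaluates a constructed rule against a constructed pinned lockfile and two source snippets: the package name examplelib, its vulnerable version range and the regular expression that stands in for Semgrep's pattern syntax are all hypothetical.

```python
import operator
import re
from dataclasses import dataclass

# Constructed inputs: "examplelib" is a hypothetical package, not a real advisory.
LOCKFILE = "examplelib==1.3.0  # pinned by the lock\notherlib==2.0.1\n"
VULNERABLE_SOURCE = "import examplelib\nhtml = examplelib.render(request.args['tpl'])\n"
SAFE_SOURCE = "import examplelib\nhtml = examplelib.render(STATIC_TEMPLATE)\n"

@dataclass
class Rule:  # the three things a Supply Chain rule specifies, plus the package name
    package: str
    vulnerable_range: str   # comma-separated comparators, e.g. ">=1.0.0,<1.4.2"
    code_pattern: str       # a regex stands in for Semgrep's pattern syntax here
    severity: str

RULE = Rule("examplelib", ">=1.0.0,<1.4.2", r"examplelib\.render\(\s*request\.", "HIGH")
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, ">": operator.gt, "<": operator.lt}

def parse_version(v: str):
    return tuple(int(part) for part in v.strip().split("."))

def in_range(version: str, spec: str) -> bool:
    """True if every comparator clause in spec holds for version (dotted integers only)."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(>=|<=|==|>|<)\s*([\d.]+)", clause.strip())
        if m is None:
            raise ValueError(f"unsupported version clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def parse_lockfile(text: str):
    """Pinned requirements.txt-style lockfile: one 'name==version' per line."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, ver = line.split("==", 1)
            deps[name.strip().lower()] = ver.strip()
    return deps

def evaluate(rule: Rule, lockfile_text: str, source_text: str):
    """None = no finding; otherwise a finding marked reachable or unreachable."""
    version = parse_lockfile(lockfile_text).get(rule.package.lower())
    if version is None or not in_range(version, rule.vulnerable_range):
        return None  # dependency absent, or its version is outside the vulnerable range
    usages = [ln for ln in source_text.splitlines() if re.search(rule.code_pattern, ln)]
    return {"version": version, "severity": rule.severity, "reachable": bool(usages), "usages": usages}
```

Each matching source line is one usage of the finding; a finding with no usages is the unreachable case, and a version outside the range yields no finding at all.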
Semgrep and Semgrep Supply Chain
The following table displays differences between Semgrep and Semgrep Supply Chain.
Feature | Semgrep | Semgrep Supply Chain |
---|---|---|
Type of tool | Static application security testing (SAST) | Software composition analysis (SCA) |
Scan target | First-party code (your codebase or repository) | Open source dependencies |
Triage workflow | Findings can be categorized as: | Findings can be categorized as: |
Remediation workflow | Code refactoring | Upgrading or removing the dependency, code refactoring |
Notification channels | Jira, Slack, Email, Webhooks | Slack and email |
Language support
Refer to Supported languages to see all languages supported by Semgrep Supply Chain.
Transitive dependencies and reachability analysis
See SSC glossary > Transitivity for a definition of a transitive dependency.
- Semgrep Supply Chain does not perform reachability analysis for transitive dependencies. This means we do not scan the source code of your dependencies to determine if their dependencies may produce a reachable finding in the code.
- Semgrep Supply Chain supports scanning for transitive or indirect dependencies for all of its supported languages. Findings are collected and displayed in Semgrep App > Supply Chain.
- In most cases, Semgrep Supply Chain generates reachable findings for direct dependencies. However, there are certain dependencies that are vulnerable simply through their inclusion in a codebase. Semgrep Supply Chain generates reachable findings for these types of dependencies even if they are transitive dependencies.
Next steps: Scanning your codebase
To scan your codebase, follow the instructions in Scanning open source dependencies.
Additional references
- Software supply chain security is hard
- The best free, open-source supply-chain security tool? The lockfile