- Team & Enterprise Tier
Overview of Semgrep Supply Chain
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.
Semgrep Supply Chain is available for users who have a Semgrep Supply Chain Team License. Contact email@example.com for more information.
Figure 1. Semgrep Supply Chain overview page.
Semgrep Supply Chain parses lockfiles for a list of dependencies, then scans your codebase using rules written with Semgrep's pattern syntax. Supply Chain rules specify the following:
- The range of versions that contain the dependency's vulnerability.
- A pattern for vulnerable code, such as passing in unsanitized data.
- The severity of the vulnerability.
Semgrep Supply Chain generates a finding when it detects a match. If the dependency's version is within the vulnerable range and Semgrep finds the matching code within your codebase, the finding is reachable.
A finding is unreachable if the dependency contains a known vulnerability, but the vulnerable matching code is not used in your codebase.
In Semgrep App, specific findings of a dependency and code match are called usages. Usages are grouped by their vulnerability. Vulnerabilities in Semgrep Supply Chain typically have a CVE number corresponding to the record in the CVE Program.
The following diagram displays the relationship between a Supply Chain rule, the lockfile, and the codebase being scanned:
Figure 2. Relationship between a Supply Chain rule, lockfile, CVE record, and codebase.
Semgrep and Semgrep Supply Chain
The following table displays differences between Semgrep and Semgrep Supply Chain.
| Feature | Semgrep | Semgrep Supply Chain |
|---|---|---|
| Type of tool | Static application security testing (SAST) | Software composition analysis (SCA) |
| Scan target | First-party code (your codebase or repository) | Open source dependencies |
| Triage workflow | Findings can be categorized as: | Findings can be categorized as: |
| Remediation workflow | Code refactoring | Upgrading or removing the dependency, code refactoring |
| Notification channels | Jira, Slack, Email, Webhooks | Slack and email |
Refer to Supported languages to see all languages supported by Semgrep Supply Chain.
Transitive dependencies and reachability analysis
See SSC glossary > Transitivity for a definition of a transitive dependency.
- Semgrep Supply Chain does not perform reachability analysis for transitive dependencies. This means we do not scan the source code of your dependencies to determine if their dependencies may produce a reachable finding in the code.
- Semgrep Supply Chain supports scanning for transitive or indirect dependencies for all of its supported languages. Findings are collected and displayed in Semgrep App > Supply Chain.
- In most cases, Semgrep Supply Chain generates reachable findings for direct dependencies. However, there are certain dependencies that are vulnerable simply through their inclusion in a codebase. Semgrep Supply Chain generates reachable findings for these types of dependencies even if they are transitive dependencies.
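The following Python example is added here to model, in working code, how the three rule fields described earlier (vulnerable version range, code pattern, severity), a lockfile, and the scanned code combine into reachable and unreachable findings with grouped usages, and how the transitive-dependency behaviour in this section changes the outcome. It is not Semgrep's code and does not use Semgrep's rule format: the rule identifiers, package names, version ranges, the requirements.txt lockfile, the trailing `# via` comment used as a transitivity marker, the regex standing in for Semgrep pattern syntax, and the `vulnerable_on_inclusion` flag are all constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Fields a Supply Chain rule specifies, as described in the overview.
    Constructed for this example; `vulnerable_on_inclusion` is an assumed flag
    for dependencies that are vulnerable merely by being present."""
    rule_id: str
    package: str
    introduced: str   # first vulnerable version (inclusive)
    fixed: str        # first fixed version (exclusive)
    pattern: str      # regex standing in for Semgrep's pattern syntax
    severity: str
    vulnerable_on_inclusion: bool = False


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    transitive: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.19.1' -> (2, 19, 1). Pre-release suffixes are ignored in this toy."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def in_vulnerable_range(version: str, introduced: str, fixed: str) -> bool:
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def parse_requirements(text: str) -> Dict[str, Dependency]:
    """Parse pinned 'name==version' lines. In the constructed lockfile a
    trailing '# via <parent>' comment marks the entry as transitive."""
    deps: Dict[str, Dependency] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.\-]+)==(\S+)(.*)", line)
        if m:
            name, version, rest = m.groups()
            deps[name.lower()] = Dependency(name.lower(), version, "# via" in rest)
    return deps


def find_usages(pattern: str, sources: Dict[str, str]) -> List[str]:
    """Every 'path:line' where the rule's code pattern matches."""
    return [f"{path}:{n}" for path, code in sources.items()
            for n, line in enumerate(code.splitlines(), 1) if re.search(pattern, line)]


def scan(rules: List[Rule], lockfile: str, sources: Dict[str, str]) -> List[dict]:
    """One finding per vulnerability whose dependency version is in range;
    individual code matches are grouped under it as usages."""
    deps = parse_requirements(lockfile)
    findings = []
    for rule in rules:
        dep = deps.get(rule.package)
        if dep is None or not in_vulnerable_range(dep.version, rule.introduced, rule.fixed):
            continue  # dependency absent or already patched: no finding
        reachable: Optional[bool]
        if rule.vulnerable_on_inclusion:
            reachable, usages = True, []       # presence alone makes it reachable
        elif dep.transitive:
            reachable, usages = None, []       # reported, but reachability not analysed
        else:
            usages = find_usages(rule.pattern, sources)
            reachable = bool(usages)           # in range + code match => reachable
        findings.append({"rule": rule.rule_id, "package": dep.name, "version": dep.version,
                         "severity": rule.severity, "transitive": dep.transitive,
                         "reachable": reachable, "usages": usages})
    return findings


# Constructed sample inputs (not real packages, rules or advisories).
RULES = [
    Rule("SSC-EXAMPLE-0001", "examplelib", "1.0.0", "1.4.2", r"examplelib\.render\(", "HIGH"),
    Rule("SSC-EXAMPLE-0002", "examplehttp", "3.0.0", "3.0.4",
         r"examplehttp\.get\(.*verify=False", "MEDIUM"),
    Rule("SSC-EXAMPLE-0003", "toolkit-core", "0.0.0", "1.0.0", "", "CRITICAL",
         vulnerable_on_inclusion=True),
    Rule("SSC-EXAMPLE-0004", "fastparse", "2.0.0", "2.2.0", r"fastparse\.loads\(", "HIGH"),
    Rule("SSC-EXAMPLE-0005", "yamlthing", "5.0.0", "5.4.0", r"yamlthing\.load\(", "HIGH"),
]
LOCKFILE = """# constructed requirements.txt
examplelib==1.2.0
examplehttp==3.0.1
toolkit-core==0.9.5    # via examplelib
fastparse==2.1.0       # via examplehttp
yamlthing==6.0.0
"""
SOURCES = {
    "app/views.py": "import examplelib\n\ndef page(req):\n    return examplelib.render(req.GET['tpl'])\n",
    "app/client.py": "import examplehttp\n\nresp = examplehttp.get(url, verify=True)\n",
}


def run_example() -> List[dict]:
    return scan(RULES, LOCKFILE, SOURCES)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['rule']} {f['package']}=={f['version']} transitive={f['transitive']} "
              f"reachable={f['reachable']} usages={f['usages']}")
```

Running the block yields four findings: `examplelib` is reachable (in range, and `app/views.py` calls the vulnerable API), `examplehttp` is unreachable (in range, but the code never matches the pattern), `toolkit-core` is reachable despite being transitive because the rule marks it vulnerable on inclusion, and `fastparse` is reported with no reachability verdict because it is transitive and not an inclusion-based vulnerability. `yamlthing` produces no finding at all since its pinned version is outside the vulnerable range.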
Next steps: Scanning your codebase
To scan your codebase, follow the instructions in Scanning open source dependencies.
- Software supply chain security is hard
- The best free, open-source supply-chain security tool? The lockfile