View and search for dependencies
At least one project (repository) that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.
Semgrep Supply Chain's dependency search feature allows you to view and query for any dependency in your project at any time. This feature detects all transitive and direct dependencies across all of your projects in Semgrep AppSec Platform. Dependency search lists all the versions of a dependency, as well as the projects that use the dependency.
For newly discovered vulnerabilities, which may not yet have a formal CVE or Supply Chain rule, you can use dependency search to see if you use the vulnerable dependency across all your repositories. You can also use dependency search to see all the versions of a dependency, which can be useful for standardization purposes.
Figure. Default dependency search page.
Enable and use dependency search
To search your dependencies:
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Deployment and navigate to the Supply Chain (SCA) section.
Figure. The Semgrep Supply Chain Settings tab. - Click Dependency search if it's not already enabled.
- Navigate to Supply Chain > Dependencies.
Figure. The Semgrep Supply Chain Dependencies tab.
At this point, Semgrep displays the lockfiles it has parsed and the dependencies included in each of the parsed lockfiles.
View additional lockfiles
By default, Semgrep only displays dependencies listed in a given project's first 10 lockfiles. To load information from additional lockfiles:
- Sign in to Semgrep AppSec Platform.
- Navigate to Supply Chain > Dependencies, and scroll to the bottom of the page.
- Click Fetch more lockfiles.
Search for dependencies
To search for dependencies:
- Sign in to Semgrep AppSec Platform.
- Navigate to Supply Chain > Dependencies.
- Using the Dependency search bar, type the name of the dependency you are searching for.
- Optional: Apply filters as necessary for your search.
Search for ranges of supported versions with the > or < operators following the @ operator. For example, body-parser@<1.18.0 finds all versions of body-parser greater than 1.18.0.
Search filters
Dependency search provides the following filters, which correspond to the data points displayed by Semgrep about each dependency:
| Filter | Description |
|---|---|
| Dependency | The name and version of the dependency. |
| Projects | The projects where the dependency can be found. |
| Transitivity | The relationship of the dependency to your codebase. |
| License Policy | The License Policy you set. Determines whether a dependency can be used based on its license. |
| License | The dependency's license type. |
| Ecosystem | The language of the dependency. |
Figure. Dependency search page with sample search query.
Troubleshooting: no dependencies appear on the Dependencies page
If you don't see any results on the Dependencies page, ensure that:
- Semgrep Supply Chain can parse your lockfile. Refer to Supported languages for a list of supported languages and lockfiles.
- You've scanned the repository at least once. If you're having trouble seeing dependencies after a scan, see Why aren't Supply Chain findings showing? for additional troubleshooting tips.
- Your filters and search syntax are correct.
- The scan you're searching isn't a diff-aware scan. Only dependencies detected during full scans are shown on the Dependencies page.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.