Skip to main content
  • Semgrep Supply Chain
  • Team & Enterprise Tier

Searching through your dependencies

Semgrep Supply Chain's dependency search feature allows you to query for any dependency in your codebase at any time. This feature detects all transitive and direct dependencies across all of your repositories in Semgrep Cloud Platform (SCP). Dependency search lists all the versions of a dependency as well as the repositories that use the dependency.

For newly discovered vulnerabilities, which may not yet have a formal CVE or Supply Chain rule, you can use dependency search to discover if you use the vulnerable dependency across all your repositories. You can also use dependency search to see all the versions of a dependency, which can be useful for standardization purposes.

Screenshot of default dependency search page Figure 1. Default dependency search page.

  • You can only use dependency search through Semgrep Cloud Platform. Sign up or sign in to Semgrep Cloud Platform.
  • You need at least one completed Semgrep Supply Chain scan of all the repositories you want to search through.

To search through your dependencies:

  1. Sign in to Semgrep Cloud Platform.
  2. Click Supply Chain > Settings on the header menu. These settings are specific to Semgrep Supply Chain. Screenshot of Semgrep Supply Chain Settings tab Figure 2. Screenshot of Semgrep Supply Chain Settings tab.
  3. Click Dependency search if it is not already enabled.
  4. Click Dependencies on the header menu.
  5. Type the name of the dependency you are searching for.
  6. Optional: Apply filters as necessary for your search.

Search for ranges of supported versions with the > or < operators following the @ operator. For example, body-parser@<1.18.0 finds all versions of body-parser greater than 1.18.0.

Dependency search provides the following filters:

Refers to the relationship of the dependency to your codebase. The relationship can be direct, indirect, or unknown.
Refers to the language of the dependency

Screenshot of dependency search with query Figure 2. Dependency search page with sample search query.

You can view the following information in the Dependencies page:

Repository nameThe name of the repository and its parent organization.
Trunk branchThe name of the trunk branch, typically main or master.
Last full scanTime of the last full scan performed on the repository.
Number of dependenciesThe total number of direct, indirect, and unknown dependencies.
LockfileThe name of the lockfile parsed to generate the list of dependencies.
LanguageThe programming language of the repository.
EcosystemThe package manager used to manage dependencies.
DependenciesThe list of dependencies, starting with direct dependencies.


This section describes possible issues and how to resolve them.

No dependencies appear in the Dependencies page

To ensure that your dependencies appear, check the following:

  • Ensure that Semgrep Supply Chain can parse your lockfile. Refer to Supported languages for a list of supported languages and lockfiles.
  • Make sure you've scanned the repository at least once.
  • If you are using filters, ensure that your filters and search syntax is correct.