Skip to main content

Scan third-party dependencies

This article walks you through the Semgrep Supply Chain configuration and customization options available.

Apache Maven

Project directory structure

Semgrep Supply Chain requires a lockfile. Code files that use the dependencies in the lockfile must be nested in the same directory as the lockfile. Semgrep Supply Chain can correctly parse code files in subfolders as well.

In the following example, Semgrep Supply Chain assumes that all code files using the dependencies in my-project/running/lockfile.json are nested in my-project/running/ or deeper directories.

│ ├───lockfile.json
│ ├───bar.js
│ └───/uphill
│ ├───lockfile.json
│ └────foo.js

If you have code files in my-project/biking, Semgrep Supply Chain does not associate them to the dependencies in my-project/running/lockfile.json. If there is another lockfile in my-project/running, such as my-project/running/uphill/lockfile.json, then this overrides the original my-project/running/lockfile.json for all code files in my-project/running/uphill/ or deeper directories.

Enable Semgrep Supply Chain

  1. Sign in to Semgrep AppSec Platform.
  2. Click Settings.
  3. In the Deployment tab, click the Supply Chain scans toggle if it is not already enabled.

Scan frequency

By adjusting your CI configuration, you can configure your scans so that Semgrep Supply Chain scans your code at a different frequency or when a specific event occurs.

Schedule scans

Semgrep Supply Chain frequently receives rule updates. To take advantage of these updates, adjust the frequency with which Semgrep Supply Chain scans your codebase.

The following table is a summary of methods and resources to set up schedules for different CI providers.

CI providerWhere to set schedule
GitHub ActionsSee Sample CI configs for information on how to modify your semgrep.yml file
GitLab CI/CDRefer to GitLab documentation
JenkinsRefer to Jenkins documentation
Bitbucket PipelinesRefer to Bitbucket documentation
CircleCIRefer to CircleCI documentation
BuildkiteRefer to Buildkite documentation
Azure PipelinesRefer to Azure documentation
Rule updates

If a rule is updated, findings generated against the updated rule are considered new findings, even if the previous version of the rule generated a finding. The new finding is not affected by any triage actions on findings related to the previous version of the rule. Because the finding is new, you'll also receive notifications through the channels you've set up, such as Slack.

Event-triggered scans

Depending on how your CI/CD system is configured, you can trigger a Semgrep Supply Chain scan whenever one of the following events occurs:

EventScope of scanDependency rule set
Pull or merge requestDiff-aware scanAll dependency rules
Push or scheduled event, such as a cron jobFull scanAll dependency rules

Run a scan using the CLI

You can run a stand-alone Semgrep Supply Chain scan via the CLI using:

semgrep ci --supply-chain

Semgrep prints a list of findings directly to the CLI, including the finding's reachability determination, severity level, a brief description, and suggested remediation.

Additionally, you can view your results in Semgrep AppSec Platform. It displays all of the information displayed in the CLI, but it also offers you the ability to:

  • See additional finding details, such as whether the finding is always reachable or if it's reachable if certain conditions are met, and its transitivity status
  • Use the dependency search feature
  • Use the license compliance feature

Scan a monorepo's dependencies

Semgrep Supply Chain supports the scanning of monorepos. As outlined in Project directory structure, findings are grouped by directory based on the lockfiles or manifest files present in the monorepo.

Block pull or merge requests

Semgrep Supply Chain versions v0.122.0 and earlier automatically blocked pull/merge requests if it discovered reachable findings in the code, but later versions do not do this. You can, however, configure Semgrep Supply Chain to block on pull request scans that detect reachable findings in direct dependencies with high or critical severity.

  1. Log in to Semgrep AppSec Platform.
  2. Go to Settings > Deployment and navigate to the Supply Chain (SCA) section.
  3. Click PR/MR Blocking.

Alternatively, you can configure your version control system to prevent merging if Semgrep Supply Chain identifies reachable findings.

Ignore lockfiles and dependencies

See Ignore lockfiles and dependencies for information on how to flag specific findings to be ignored by Semgrep Supply Chain using semgrepignore.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.