- Team & Enterprise Tier
Getting started with Semgrep Supply Chain
Semgrep Supply Chain detects recently discovered security vulnerabilities in your codebase's open source dependencies, prioritizing findings through reachability analysis.
This document walks you through the process of setting up open-source dependency scanning with Semgrep Supply Chain.
To learn more about how Semgrep Supply Chain performs reachability analysis, see Overview of Semgrep Supply Chain.
Semgrep Supply Chain supports monorepositories (monorepos) by treating each subdirectory as its own repository. Findings are grouped under these repositories based on the lockfile or manifest file present in the subdirectory.
Scanning with Semgrep Supply Chain through Semgrep Cloud Platform
Semgrep Supply Chain is available for users that have a Semgrep Supply Chain Team License. Contact sales@semgrep.com for more information.
Semgrep Supply Chain is automatically enabled for all repositories that you have onboarded or added to Semgrep Cloud Platform for scanning. If you have not onboarded any repositories for scanning, follow the steps in Adding a repository to add a repository for scanning.
When the scan finishes, Semgrep Cloud Platform displays an overview of findings in the Supply Chain page for further triage and remediation. See Triaging and remediating dependency findings.
Running rules with historical coverage (parity or ecosystem rules)
Historical coverage rules, also referred to as parity or ecosystem rules, are rules that do not perform reachability analysis. These rules only check a package's version against versions with known vulnerabilities. They produce findings similar to Dependabot's results, but with a higher false positive rate.
To turn these rules on:
- Sign in to your Semgrep Cloud Platform account.
- Click Projects, and then click the gear icon of the repository on which to run historical coverage rules.
- Click Supply Chain historical coverage. Historical coverage rules are included in your next scan, which occurs based on your CI setup, such as schedules and events configuration (push, pull, and merge requests).
- Optional: Some CI providers enable you to start workflows manually. To start a dependency scan immediately, go to your CI provider's interface and manually begin the Semgrep workflow or job.
Events that trigger a Supply Chain dependency scan
Dependency scans can be triggered by the following, depending on your CI setup:
Event | Scope of scan | Dependency rule set |
---|---|---|
Pull or merge request | diff-aware scan | All dependency rules |
Push or scheduled event, such as a cron job | full scan | All dependency rules |
For more information on diff-aware and full scans, see Diff-aware scanning.
Blocking a PR or MR
Neither reachable nor unreachable Semgrep Supply Chain findings block a pull request or merge request.
Semgrep versions v0.122.0 and below previously blocked on reachable findings.
Setting a daily scan schedule
Semgrep Supply Chain frequently releases new rules. By default, Semgrep Supply Chain scans your codebase once a day. The following table summarizes where to change the scan time or frequency for different CI providers, with a resource for each.
CI provider | Where to set schedule | Resource |
---|---|---|
GitHub Actions | Within semgrep.yml file | Sample code snippet |
GitLab CI/CD | Within GitLab CI/CD interface | Official documentation |
Jenkins | Within Jenkins interface | Official documentation |
BitBucket Pipelines | Within BitBucket Pipelines interface | Official documentation |
CircleCI | Within CircleCI interface | Official documentation |
Buildkite | Within Buildkite interface | Official documentation |
Azure Pipelines | Within Pipelines interface (recommended) | Official documentation |
Ignoring dependency findings through semgrepignore
See Ignoring dependency findings.
Triaging and remediating dependency findings
Semgrep Supply Chain enables developers to perform triage and remediation through the Vulnerabilities page. On this page you can perform the following actions:
- View specific reachable vulnerable lines of code in your codebase. This helps to evaluate the threat.
- View specific lines of code where your dependency is being declared.
- Triage a dependency finding.
- Attach a PR or MR, or Jira ticket to the finding.
- Upgrade the dependency that generated the finding to a safe version. A safe version is any newer version of the dependency that does not contain the vulnerability. This resolves the finding.
For more information, see Triaging and remediating findings.
Appendix: Setting up SSC scans for specific project management tools
Apache Maven (Java)
Semgrep Supply Chain does not read pom.xml files to parse Maven projects. Instead, it parses a dependency tree generated by Maven (mvn). Perform the following steps to enable Semgrep Supply Chain to correctly parse Maven projects:
- Generate a file outlining the project's dependency tree by adding the following command to your build pipeline. For specific steps to add the command into your build pipeline, refer to your CI provider's documentation.
mvn dependency:tree -DoutputFile=maven_dep_tree.txt
- For each pom.xml file with dependencies you want to scan, create additional dependency trees in their respective directories. Semgrep Supply Chain can detect and parse them all.
- Run the Semgrep workflow, action, or step after the dependency tree or trees have been generated.
- Ensure that Maven is installed in the build environment that is used to generate the dependency trees.
- Ensure that you generate dependency trees before running Semgrep.
You can run the above commands in a local environment to test their behavior. The following screenshot displays the commands running in a local environment:
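The following POSIX shell script is an added example, not code from the Semgrep documentation or project, that ties the Maven steps above together: it checks that Maven is installed, generates one maven_dep_tree.txt beside every pom.xml in the repository (skipping build output under target/), verifies that no module was left without a tree, and only then runs the Semgrep scan. The MVN and SEMGREP_CMD environment variables are assumptions introduced here so a CI job or a local test can substitute the commands; the default scan command is the standard `semgrep ci` invocation.

```shell
#!/bin/sh
# Added example (not Semgrep's own code): generate Maven dependency trees for
# every pom.xml before a Semgrep Supply Chain scan, and refuse to scan if any
# module is missing its tree.
# Assumptions (hypothetical, not from the page): MVN and SEMGREP_CMD override
# the commands so a CI job or an offline test can swap in a stub.
set -eu

MVN="${MVN:-mvn}"
SEMGREP_CMD="${SEMGREP_CMD:-semgrep ci}"
TREE_FILE="maven_dep_tree.txt"

# Maven must be present in the build environment that generates the trees.
check_maven() {
  command -v "$MVN" >/dev/null 2>&1
}

# Run `mvn dependency:tree` in every directory that holds a pom.xml and print
# the path of each generated tree file. Build output under target/ is skipped
# so copied POMs there do not produce extra trees.
generate_dep_trees() {
  root="${1:-.}"
  find "$root" -name pom.xml ! -path '*/target/*' | while read -r pom; do
    dir=$(dirname "$pom")
    # -DoutputFile is relative to the module directory, as in the doc's command.
    (cd "$dir" && "$MVN" -q dependency:tree -DoutputFile="$TREE_FILE")
    echo "$dir/$TREE_FILE"
  done
}

# Print the directory of every pom.xml that has no non-empty tree beside it.
# Empty output means every module is covered.
missing_dep_trees() {
  root="${1:-.}"
  find "$root" -name pom.xml ! -path '*/target/*' | while read -r pom; do
    dir=$(dirname "$pom")
    [ -s "$dir/$TREE_FILE" ] || echo "$dir"
  done
}

# Full sequence for a CI step: check Maven, generate trees, verify coverage,
# then run Semgrep from the repository root.
run_supply_chain_scan() {
  root="${1:-.}"
  check_maven || { echo "Maven not found: $MVN" >&2; return 1; }
  generate_dep_trees "$root" >/dev/null
  missing=$(missing_dep_trees "$root")
  if [ -n "$missing" ]; then
    echo "dependency trees missing, not running Semgrep:" >&2
    echo "$missing" >&2
    return 1
  fi
  (cd "$root" && $SEMGREP_CMD)
}

# Entry point: `sh this_script.sh /path/to/repo` runs the whole sequence.
if [ -n "${1:-}" ]; then
  run_supply_chain_scan "$1"
fi
```

In CI, call this script (or `run_supply_chain_scan .`) as the step that precedes the Semgrep job, so that the trees exist before the scan starts; the missing-tree check is what turns a forgotten multi-module tree into a failed step rather than a silently incomplete scan.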