
Getting started with Semgrep Supply Chain

Semgrep Supply Chain detects recently discovered security vulnerabilities in your codebase's open source dependencies, prioritizing findings through reachability analysis.

This document walks you through the process of setting up open-source dependency scanning with Semgrep Supply Chain.

To learn more about how Semgrep Supply Chain performs reachability analysis, see Overview of Semgrep Supply Chain.


Semgrep Supply Chain supports monorepositories (monorepos) by treating each subdirectory as its own repository. Findings are grouped under these repositories based on the lockfile or manifest file present in the subdirectory.

Scanning with Semgrep Supply Chain through Semgrep Cloud Platform


Semgrep Supply Chain is available to users who have a Semgrep Supply Chain Team License. Contact for more information.

Semgrep Supply Chain is automatically enabled for all repositories that you have onboarded or added to Semgrep Cloud Platform for scanning. If you have not onboarded any repositories for scanning, follow the steps in Adding a repository to add a repository for scanning.

When the scan finishes, Semgrep Cloud Platform displays an overview of findings in the Supply Chain page for further triage and remediation. See Triaging and remediating dependency findings.

Running rules with historical coverage (parity or ecosystem rules)

Historical coverage rules, also referred to as parity or ecosystem rules, are rules that do not perform reachability analysis. They only check a package's version against versions with known vulnerabilities. These rules produce findings similar to Dependabot's results, but with a higher false positive rate.

To turn these rules on:

  1. Sign in to your Semgrep Cloud Platform account.
  2. Click Projects, and then click gear icon of the repository on which to run historical coverage rules.
  3. Click Supply Chain historical coverage. Historical coverage rules are included in your next scan, which occurs according to your CI setup, such as your schedule and event configuration (push, pull, and merge requests).
  4. Optional: Some CI providers enable you to start workflows manually. To start a dependency scan immediately, go to your CI provider's interface and manually begin the Semgrep workflow or job.

Events that trigger a Supply Chain dependency scan

Dependency scans can be triggered by the following events, depending on your CI setup:

Event                                       | Scope of scan   | Dependency rule set
--------------------------------------------|-----------------|---------------------
Pull or merge request                       | diff-aware scan | All dependency rules
Push or scheduled event, such as a cron job | full scan       | All dependency rules

For more information on diff-aware and full scans, see Diff-aware scanning.

Blocking a PR or MR

Neither reachable nor unreachable Semgrep Supply Chain findings block a pull request or merge request.


Semgrep versions v0.122.0 and below previously blocked reachable findings.

Setting a daily scan schedule

Semgrep Supply Chain frequently releases new rules. By default, Semgrep Supply Chain scans your codebase once a day. To change the time or frequency of that scan, use the following table, which summarizes where to set the schedule and where to find documentation for each CI provider.

CI provider         | Where to set schedule                     | Resource
--------------------|-------------------------------------------|-----------------------
GitHub Actions      | Within semgrep.yml file                   | Sample code snippet
GitLab CI/CD        | Within GitLab CI/CD interface             | Official documentation
Jenkins             | Within Jenkins interface                  | Official documentation
BitBucket Pipelines | Within BitBucket Pipelines interface      | Official documentation
CircleCI            | Within CircleCI interface                 | Official documentation
Buildkite           | Within Buildkite interface                | Official documentation
Azure Pipelines     | Within Pipelines interface (recommended)  | Official documentation

Ignoring dependency findings through semgrepignore

See Ignoring dependency findings.

Triaging and remediating dependency findings

Semgrep Supply Chain enables developers to perform triage and remediation through the Vulnerabilities page. On this page you can perform the following actions:

  • View specific reachable vulnerable lines of code in your codebase. This helps to evaluate the threat.
  • View specific lines of code where your dependency is being declared.
  • Triage a dependency finding.
  • Attach a PR or MR, or Jira ticket to the finding.
  • Upgrade the dependency that generated the finding to a safe version. A safe version is any newer version of the dependency that does not contain the vulnerability. This resolves the finding.

For more information, see Triaging and remediating findings.

Appendix: Setting up SSC scans for specific project management tools

Apache Maven (Java)

Semgrep Supply Chain does not read pom.xml files to parse Maven projects. Instead, it parses a dependency tree generated by Maven (mvn). Perform the following steps to enable Semgrep Supply Chain to correctly parse Maven projects:

  1. Generate a file outlining the project's dependency tree by adding the following command to your build pipeline:
    mvn dependency:tree -DoutputFile=maven_dep_tree.txt
    For specific steps to add the command to your build pipeline, refer to your CI provider's documentation.
  2. For each pom.xml file with dependencies you want to scan, generate an additional dependency tree in that file's directory. Semgrep Supply Chain detects and parses all of them.
  3. Run the Semgrep workflow, action, or step only after the dependency tree or trees have been generated.

Notes:
  • Ensure that Maven is installed in the build environment that is used to generate the dependency trees.
  • Ensure that you generate the dependency trees before running Semgrep.
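The following GitHub Actions workflow is an added example, not Semgrep's own sample snippet or code from this page. It ties together the daily scan schedule described above (the cron entry under `schedule`) and the three-step Maven procedure: it writes a maven_dep_tree.txt next to every pom.xml, then runs Semgrep only after the trees exist. It assumes a GitHub-hosted ubuntu-latest runner (which ships Maven and Python), a Java 17 project, a SEMGREP_APP_TOKEN repository secret, and that each pom.xml can be built from its own directory; the file path and the 03:00 UTC schedule are placeholders.

```yaml
# .github/workflows/semgrep.yml (added example; not Semgrep's own sample workflow)
name: Semgrep Supply Chain

on:
  pull_request: {}             # diff-aware scan on pull requests
  push:
    branches: [main]           # full scan on pushes to the default branch
  schedule:
    - cron: '0 3 * * *'        # full scan once a day at 03:00 UTC (placeholder time)

jobs:
  semgrep:
    runs-on: ubuntu-latest     # assumption: hosted runner image provides mvn and python3
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'   # assumption: the project builds on Java 17

      # Steps 1 and 2 of the Maven procedure: write a dependency tree in the
      # directory of every pom.xml (build output under target/ is skipped).
      # find -execdir runs mvn inside each pom's own directory, so every
      # module ends up with its own maven_dep_tree.txt for Semgrep to parse.
      - name: Generate Maven dependency trees
        run: |
          find . -name pom.xml -not -path '*/target/*' \
            -execdir mvn -q dependency:tree -DoutputFile=maven_dep_tree.txt \;

      # Step 3: run Semgrep only after the trees exist. Installing semgrep
      # with pip keeps Maven and Semgrep in the same job, which avoids the
      # Semgrep container image, where Maven is not available.
      - name: Run Semgrep
        run: |
          python3 -m pip install --upgrade semgrep
          semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

Because the scheduled run is a push-style event, the table above applies: it performs a full scan with all dependency rules, while the pull_request trigger yields a diff-aware scan. If your modules are reactor children that need the parent pom installed first, run a build step before the find command.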

You can run the above commands in a local environment to test their behavior. The following screenshot shows the commands running in a local environment:

[Screenshot: Maven dependency tree generated in a local environment]
