Semgrep Supply Chain
Team & Enterprise Tier
This article walks you through the Semgrep Supply Chain configuration and customization options available.
- To run a Semgrep Supply Chain scan, you must generate a dependency tree for Apache Maven.
Project directory structure
Semgrep Supply Chain requires a lockfile. Code files that use the dependencies in the lockfile must be nested in the same directory as the lockfile. Semgrep Supply Chain can correctly parse code files in subfolders as well.
In the following example, Semgrep Supply Chain assumes that all code files using the dependencies in `my-project/running/lockfile.json` are nested in `my-project/running/` or deeper directories. If you have code files in `my-project/biking`, Semgrep Supply Chain does not associate them with the dependencies in `my-project/running/lockfile.json`. If there is another lockfile in `my-project/running`, such as `my-project/running/uphill/lockfile.json`, then this overrides the original `my-project/running/lockfile.json` for all code files in `my-project/running/uphill/` or deeper directories.
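As an added illustration (not part of the Semgrep documentation or Semgrep's own code), the following Python script applies the nearest-ancestor lockfile rule described above to the directory layout from the example; the lockfile paths are the ones named above, and the code file names are assumed for demonstration.

```python
from pathlib import PurePosixPath
from typing import Optional

# Constructed sample layout mirroring the example above; the lockfile paths
# match the text, the code file names are assumed.
LOCKFILES = [
    "my-project/running/lockfile.json",
    "my-project/running/uphill/lockfile.json",
]

CODE_FILES = [
    "my-project/running/app.py",
    "my-project/running/downhill/util.py",
    "my-project/running/uphill/climb.py",
    "my-project/running/uphill/steep/more.py",
    "my-project/biking/ride.py",
]


def governing_lockfile(code_file: str, lockfiles: list) -> Optional[str]:
    """Return the lockfile whose directory is the code file's own directory
    or its nearest ancestor, or None if no lockfile covers the file.

    A lockfile nested deeper wins over one above it, which reproduces the
    override behaviour described for my-project/running/uphill/lockfile.json.
    """
    code_dir = PurePosixPath(code_file).parent
    best, best_depth = None, -1
    for lock in lockfiles:
        lock_dir = PurePosixPath(lock).parent
        # The lockfile only applies if its directory contains the code file.
        if code_dir == lock_dir or lock_dir in code_dir.parents:
            depth = len(lock_dir.parts)
            if depth > best_depth:
                best, best_depth = lock, depth
    return best


def group_by_lockfile(code_files: list, lockfiles: list) -> dict:
    """Map each lockfile (None for uncovered files) to the code files it governs."""
    groups = {}
    for f in code_files:
        groups.setdefault(governing_lockfile(f, lockfiles), []).append(f)
    return groups


if __name__ == "__main__":
    for lock, files in group_by_lockfile(CODE_FILES, LOCKFILES).items():
        print(lock or "(no lockfile: not associated with any dependencies)")
        for f in files:
            print("    ", f)
```

Files under `my-project/biking` end up in the `None` group, matching the statement that they are not associated with the `running` lockfile.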
By adjusting your CI configuration, you can configure your scans so that Semgrep Supply Chain scans your code at a different frequency or when a specific event occurs.
Semgrep Supply Chain frequently receives rule updates. To take advantage of these updates, adjust the frequency with which Semgrep Supply Chain scans your codebase.
The following table is a summary of methods and resources to set up schedules for different CI providers.
| Where to set schedule |
|---|
| See Sample CI configs for information on how to modify your |
| Refer to GitLab documentation |
| Refer to Jenkins documentation |
| Refer to Bitbucket documentation |
| Refer to CircleCI documentation |
| Refer to Buildkite documentation |
| Refer to Azure documentation |
If a rule is updated, findings generated against the updated rule are considered new findings, even if the previous version of the rule generated a finding. The new finding is not affected by any triage actions on findings related to the previous version of the rule. Because the finding is new, you'll also receive notifications through the channels you've set up, such as Slack.
Depending on how your CI/CD system is configured, you can trigger a Semgrep Supply Chain scan whenever one of the following events occurs:
| Scope of scan | Dependency rule set |
|---|---|
| Pull or merge request | All dependency rules |
| Push or scheduled event, such as a cron job | All dependency rules |
Run a scan using the CLI
You can run a stand-alone Semgrep Supply Chain scan via the CLI using:

```bash
semgrep ci --supply-chain
```
Semgrep prints a list of findings directly to the CLI, including the finding's reachability determination, severity level, a brief description, and suggested remediation.
Additionally, you can view your results in Semgrep Cloud Platform (SCP). SCP displays all of the information displayed in the CLI, but it also offers you the ability to:
- See additional finding details, such as whether the finding is always reachable or if it's reachable if certain conditions are met, and its transitivity status
- Use the dependency search feature
- Use the license compliance feature
Scan a monorepo's dependencies
Semgrep Supply Chain supports the scanning of monorepos. As outlined in Project directory structure, findings are grouped by directory based on the lockfiles or manifest files present in the monorepo.
Block pull or merge requests
Semgrep Supply Chain versions v0.122.0 and earlier automatically blocked pull/merge requests if it discovered reachable findings in the code, but later versions do not do this. You can, however, configure Semgrep Supply Chain to block on pull request scans that detect reachable findings in direct dependencies with high or critical severity.
- Log in to Semgrep Cloud Platform.
- Click Supply Chain > Settings on the header menu.
- Click PR Blocking.
Alternatively, you can configure your version control system to prevent merging if Semgrep Supply Chain identifies reachable findings.
Ignore lockfiles and dependencies
See Ignore lockfiles and dependencies for information on how to flag specific findings to be ignored by Semgrep Supply Chain using