
Detect and remove malicious dependencies

Malicious dependencies are packages, or specific versions of packages, that are designed to compromise the systems that install them. They include packages that were malicious from the start, such as typo-squatted names that imitate a legitimate package, and packages that became malicious later, after an attacker compromised a maintainer account or injected harmful code into a release. Findings of this kind are also referred to as malware.

Semgrep can detect malicious dependencies in your projects and pull requests (PRs) or merge requests (MRs).

Supported package managers

The following table lists the languages and package managers for which Semgrep Supply Chain can detect malicious dependencies.

Language      Package manager or ecosystem
------------  ----------------------------
C#            NuGet
Go            go.mod
JavaScript    npm
Python        PyPI
Ruby          RubyGems
Rust          Cargo.lock
TypeScript    npm

Enabling malicious dependency rules

To include malicious dependency rules in your Supply Chain scan, navigate to Settings > Supply Chain and enable Malicious dependency advisories.

You can also use this setting to disable malicious dependency scanning for your Semgrep organization.

Malicious dependency findings

Malicious dependency findings are treated as critical severity findings.

If your Supply Chain policies block critical severity findings, a malicious dependency finding blocks the PR or MR in the same way as any other critical Supply Chain finding.

From the Supply Chain policies page, you can also configure a policy to trigger conditionally based on whether a dependency is marked Malicious.

View malicious dependencies

Malicious dependencies appear in the Supply Chain tab, alongside other Supply Chain findings. They are denoted by the MAL badge.

Figure. A malicious dependency finding, denoted by the MAL badge.

To view malicious dependencies detected in your projects:

  1. Navigate to Supply Chain.
  2. Click the filters icon and enable the Malicious dependency filter.
  3. Review the results listed. Click Details to learn more about available remediation guidance.

Figure. Malicious dependency details.

Triage and remediation for malicious dependencies

  • If no fixed version is available, remove the malicious dependency (and any code that relies on it) from your codebase, then re-run a Supply Chain scan to confirm the finding is resolved.
  • If a safe version is available, fix the finding by updating the dependency to that version, then re-run a Supply Chain scan.
  • You can apply any Semgrep triage state, such as Ignored, to a malicious dependency finding, but this is not recommended: ignoring the finding does not remove the package from your builds.

Caution: If your policies display malicious dependency findings to developers, and you have enabled Settings > General > Code > Triage via code review comments, developers can triage these findings as Ignored from the code review comment.

Create Jira tickets for malicious dependency findings

Semgrep provides a Jira integration option that creates Jira tickets for malicious dependency findings on any branch, not just the primary branch, so developers can respond as soon as a malicious package is detected in a PR or MR.

To enable Jira ticket creation for malicious dependencies:

  1. Navigate to Settings > Integrations > Jira.
  2. Select the option to Automatically create tickets for malicious dependency findings on any branch.

Advisories for malicious dependencies

You can view all the malicious dependencies that Semgrep can detect by navigating to Rules & Policies > Advisories and turning on just the Malicious filter.

Currently, advisories for malicious dependencies are generated automatically and identify the dependency by package name and version. Some advisories state that only specific sources of the dependency were compromised. If you do not use those sources and have never done so, it may be appropriate to mark the findings for that advisory as Ignored; confirm this against your lockfile history, not only the current lockfile, before doing so.
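The source-specific caveat above, together with the steps under Triage and remediation for malicious dependencies, can be checked locally before you act on a finding. The following Python script is an added example, not part of this page or of Semgrep: it parses an npm package-lock.json (constructed inline), matches each installed package against a hypothetical advisory list keyed by package name and version, and, where an advisory names only specific compromised sources, reports whether the package was resolved from one of them. The package names, versions and the mirror hostname are made up for the example.

```python
import json
from urllib.parse import urlparse

# Constructed advisory entries for this example (hypothetical packages; not
# Semgrep's advisory data). Each entry identifies a dependency by package name
# and exact version, and optionally lists the sources (registry hostnames) the
# advisory says were compromised; None means every source is affected.
ADVISORIES = [
    {"name": "left-pad-utils", "version": "1.2.3", "sources": None},
    {"name": "colorsx", "version": "0.9.1", "sources": ["mirror.example.internal"]},
]

# Constructed package-lock.json (lockfileVersion 3 layout) for the example.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad-utils": "^1.2.3", "colorsx": "0.9.1"}},
        "node_modules/left-pad-utils": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/left-pad-utils/-/left-pad-utils-1.2.3.tgz",
        },
        "node_modules/colorsx": {
            "version": "0.9.1",
            "resolved": "https://registry.npmjs.org/colorsx/-/colorsx-0.9.1.tgz",
        },
        "node_modules/express": {
            "version": "4.19.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
        },
    },
})


def parse_lockfile(text):
    """Yield (name, version, host) for each installed package in a v2/v3 package-lock.json."""
    data = json.loads(text)
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project, not a dependency
        # Nested entries look like node_modules/a/node_modules/@scope/b;
        # the package name is everything after the last "node_modules/".
        name = path.rsplit("node_modules/", 1)[-1]
        host = urlparse(meta.get("resolved", "")).hostname or ""
        yield name, meta.get("version", ""), host


def check_lockfile(text, advisories=ADVISORIES):
    """Match installed packages against advisories by exact name and version.

    Returns one finding per match with a suggested action:
      "remove" - the advisory covers every source, or the package was resolved
                 from a source the advisory names as compromised
      "review" - the advisory is source-specific and the package was resolved
                 from a source it does not name; confirm it was never pulled
                 from an affected source before ignoring the finding
    """
    by_key = {(a["name"], a["version"]): a for a in advisories}
    findings = []
    for name, version, host in parse_lockfile(text):
        adv = by_key.get((name, version))
        if adv is None:
            continue
        affected = adv["sources"]
        action = "review" if affected and host not in affected else "remove"
        findings.append({"name": name, "version": version, "source": host, "action": action})
    return findings


if __name__ == "__main__":
    for f in check_lockfile(LOCKFILE):
        print(f"{f['name']}@{f['version']} from {f['source'] or 'unknown'}: {f['action']}")
```

A lockfile only shows where a package is resolved from now. Because the condition for ignoring a source-specific advisory is that you never used the affected source, also inspect earlier revisions of the lockfile (for example with git log -p on the file) before marking the finding Ignored, and prefer removal or an upgrade to a safe version whenever the advisory covers all sources.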

