- Team & Enterprise Tier
Receiving notifications from Semgrep Supply Chain (SSC) scans
Developers can be notified of vulnerabilities in their GitHub or GitLab environment through pull request (PR) or merge request (MR) comments.
Receiving SSC notifications through PR or merge request MR comments
Figure 1. Screenshot of a PR comment from SSC in a GitHub repository.
Semgrep Supply Chain can post GitHub pull request (PR) or GitLab merge request (MR) comments to notify developers of reachable vulnerabilities in third-party dependencies. Each comment provides the following information:
- Risk: A description of the vulnerability, including the types of attack it is vulnerable to.
- Fix: The versions, if any, that you can upgrade to in order to resolve or eliminate the vulnerability.
- Reference: A link to additional information about the vulnerability from the GitHub Advisory Database and the National Vulnerability Database (NVD), if available.
Pull or merge requests with vulnerabilities detected by SSC are not blocked from merging.
Enabling Semgrep Supply Chain to send PR or MR comments
Receiving PR or MR comments for reachable findings, if any, is enabled by default. Comments appear after a Semgrep Supply Chain scan.
Custom Semgrep setups
This section applies if PR or MR comments do not appear for custom Semgrep setups, such as self-hosted repositories. Such setups may require additional permissions or an access token before PR or MR comments can be posted.
To ensure that you have enabled Semgrep Cloud Platform to send PR or MR comments, refer to the following documentation:
| GitHub or GitLab plan | Document |
| --- | --- |
| GitHub Free, Pro, Team, and Enterprise Cloud | Enabling GitHub pull request comments |
| GitHub Enterprise Server | Integrating Semgrep into self-hosted repositories |
| GitLab SaaS | Enabling GitLab merge request comments |
| GitLab Self-managed | Integrating Semgrep into self-hosted repositories |
Prevent or block developers from merging a PR or MR when a reachable vulnerability has been detected
Both GitHub and GitLab provide features to prevent or block a PR or MR from merging based on certain conditions. Refer to the links below to prevent PRs or MRs from merging when a reachable finding is detected:
| Platform | Document |
| --- | --- |
| GitHub | Require conversation resolution before merging |
| GitLab | Prevent merge unless all threads are resolved |