Skip to main content
  • Semgrep Supply Chain
  • Team & Enterprise Tier

Receiving notifications from Semgrep Supply Chain (SSC) scans

Developers can be notified of vulnerabilities in their GitHub or GitLab environment through pull request (PR) or merge request (MR) comments.

Receiving SSC notifications through PR or merge request MR comments

Semgrep Supply Chain PR comment Figure 1. Screenshot of a PR comment from SSC in a GitHub repository.

Semgrep Supply Chain can post GitHub pull request (PR) or GitLab merge request (MR) comments to notify developers of third-party reachable vulnerabilities. The following information is provided:

A description of the vulnerability, including the types of attack it is vulnerable to.
Indicates what versions to upgrade to, if any, that resolves or eliminates the vulnerability.
A link to additional information about the vulnerability from GitHub Advisory Database and the National Vulnerability Database (NVD), if available.

Pull or merge requests with vulnerabilities detected by SSC are not blocked from merging.

Enabling Semgrep Supply Chain to send PRs or MRs

Receiving PR or MR comments for reachable findings, if any, is enabled by default. Comments appear after a Semgrep Supply Chain scan.

Custom Semgrep setups


This section provides documentation if PR or MR comments do not appear for custom Semgrep setups, such as self-hosted repositories. You may require additional permissions or an access token to receive PR or MR comments.

To ensure that you have enabled Semgrep Cloud Platform to send PR or MR comments, refer to the following documentation:

GitHub or GitLab planDocument
GitHub Free, Pro, Team, and Enterprise CloudEnabling GitHub pull request comments
GitHub Enterprise ServerIntegrating Semgrep into self-hosted repositories
GitLab SaaSEnabling GitLab merge request comments
GitLab Self-managedIntegrating Semgrep into self-hosted repositories

Prevent or block developers from merging a PR or MR when a reachable vulnerability has been detected

Both GitHub and GitLab provide features to prevent or block a PR or MR from merging based on certain conditions. Refer to the links below to prevent PRs or MRs from merging when a reachable finding is detected:

GitHubRequire conversation resolution before merging
GitLabPrevent merge unless all threads are resolved

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.