Overview of Semgrep Supply Chain
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.
Semgrep Supply Chain is available to users who have a Semgrep Supply Chain Team License. Contact sales@semgrep.com for more information.
Figure 1. Semgrep Supply Chain Vulnerabilities page.
Semgrep Supply Chain parses lockfiles for a list of dependencies, then scans your codebase using rules written with Semgrep's pattern syntax. Supply Chain rules specify the following:
- The range of versions that contain the dependency's vulnerability.
- A pattern for vulnerable code, such as passing in unsanitized data.
- The severity of the vulnerability.
Semgrep Supply Chain generates a finding when it detects a match. If the dependency's version is within the vulnerable range and Semgrep finds the matching code within your codebase, the finding is reachable.
A finding is unreachable if the dependency contains a known vulnerability, but the vulnerable matching code is not used in your codebase.
In Semgrep Cloud Platform, specific findings of a dependency and code match are called usages. Usages are grouped by their vulnerability. Vulnerabilities in Semgrep Supply Chain typically have a CVE number corresponding to the record in the CVE Program.
Semgrep Cloud Platform also includes a list of Advisories for reference. Advisories include all vulnerabilities covered by Semgrep Supply Chain, regardless of whether the related dependency is used in scanned code.
The following diagram displays the relationship between a Supply Chain rule, the lockfile, and the codebase being scanned:
Figure 2. Relationship between a Supply Chain rule, lockfile, CVE record, and codebase.
Semgrep and Semgrep Supply Chain
The following table displays differences between Semgrep and Semgrep Supply Chain.
Feature | Semgrep | Semgrep Supply Chain |
---|---|---|
Type of tool | Static application security testing (SAST) | Software composition analysis (SCA) |
Scan target | First-party code (your codebase or repository) | Open source dependencies |
Triage workflow | Findings can be categorized as: | Findings can be categorized as: |
Remediation workflow | Code refactoring | Upgrading or removing the dependency, code refactoring |
Notification channels | Slack, Email, Webhooks | Slack |
Language support
Refer to Supported languages to see all languages supported by Semgrep Supply Chain.
Transitive dependencies and reachability analysis
See SSC glossary > Transitivity for a definition of a transitive dependency.
- Semgrep Supply Chain does not perform reachability analysis for transitive dependencies. This means we do not scan the source code of your dependencies to determine if their dependencies may produce a reachable finding in the code.
- Semgrep Supply Chain supports scanning for transitive or indirect dependencies for all of its supported languages. Findings are collected and displayed in Semgrep Cloud Platform > Supply Chain.
- In most cases, Semgrep Supply Chain generates reachable findings for direct dependencies. However, there are certain dependencies that are vulnerable simply through their inclusion in a codebase. Semgrep Supply Chain generates reachable findings for these types of dependencies even if they are transitive dependencies.
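As an added illustration of the finding logic described above (a rule's version range plus code pattern yielding a reachable or unreachable finding) and of the transitive-dependency rules in this section, the following Python is a toy model written for this page, not Semgrep's own code. The lockfile, source file, package names and rules are all constructed, and a regular expression stands in for a Semgrep pattern.

```python
import re
# Constructed lockfile in "name==version" style (not a real project's lockfile).
LOCKFILE = """\
examplehttp==2.25.1
examplecore==1.26.4
examplecrypto==3.4.7
"""

# Constructed application source; a regex stands in for a Semgrep pattern.
SOURCE = """\
import examplehttp
resp = examplehttp.fetch(user_url, verify_tls=False)
"""

# Hypothetical rules with the three elements the page describes: a vulnerable
# version range [min, max), a vulnerable-code pattern (None when the package is
# vulnerable simply by being included), and a severity.
RULES = [
    {"id": "RULE-A", "package": "examplehttp", "min": (0,), "max": (2, 26, 0),
     "pattern": r"examplehttp\.\w+\(.*verify_tls=False", "severity": "HIGH"},
    {"id": "RULE-B", "package": "examplecrypto", "min": (0,), "max": (3, 5, 0),
     "pattern": r"load_crl\(", "severity": "MEDIUM"},
    {"id": "RULE-C", "package": "examplecore", "min": (0,), "max": (1, 26, 5),
     "pattern": None, "severity": "HIGH"},  # vulnerable by inclusion
]
DIRECT = {"examplehttp", "examplecrypto"}  # examplecore is transitive

def parse_lockfile(text):
    """Map each locked package to an integer version tuple."""
    deps = {}
    for line in text.splitlines():
        name, _, version = line.strip().partition("==")
        if name and version:
            deps[name] = tuple(int(p) for p in version.split("."))
    return deps

def evaluate(rule, deps, source, direct):
    """Return None (no finding), 'reachable', 'unreachable' or 'undetermined'."""
    version = deps.get(rule["package"])
    if version is None or not (rule["min"] <= version < rule["max"]):
        return None  # not installed, or outside the vulnerable range
    if rule["pattern"] is None:
        return "reachable"  # vulnerable by inclusion, even when transitive
    if rule["package"] not in direct:
        return "undetermined"  # no reachability analysis for transitive deps
    return "reachable" if re.search(rule["pattern"], source) else "unreachable"

def scan(rules, lockfile, source, direct):
    deps = parse_lockfile(lockfile)
    return {r["id"]: evaluate(r, deps, source, direct) for r in rules}
```

Running `scan(RULES, LOCKFILE, SOURCE, DIRECT)` reports RULE-A as reachable (vulnerable version and matching code), RULE-B as unreachable (vulnerable version, pattern not used) and RULE-C as reachable despite being transitive, because that rule marks the package vulnerable by inclusion.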
Next steps: Scanning your codebase
To scan your codebase, follow the instructions in Scanning open source dependencies.
Additional references
- Software supply chain security is hard
- The best free, open-source supply-chain security tool? The lockfile