
Overview of Semgrep Supply Chain

Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.


Semgrep Supply Chain is available for users that have a Semgrep Supply Chain Team License. Contact for more information.

Figure 1. Semgrep Supply Chain Vulnerabilities page.

Semgrep Supply Chain parses lockfiles for a list of dependencies, then scans your codebase using rules written with Semgrep's pattern syntax. Supply Chain rules specify the following:

  • The range of versions that contain the dependency's vulnerability.
  • A pattern for vulnerable code, such as passing in unsanitized data.
  • The severity of the vulnerability.

Semgrep Supply Chain generates a finding when it detects a match. If the dependency's version is within the vulnerable range and Semgrep Supply Chain finds the matching code within your codebase, the finding is reachable.

A finding is unreachable if the dependency contains a known vulnerability, but the vulnerable matching code is not used in your codebase.
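
The reachable/unreachable decision described above, as an added illustration (not Semgrep's own code or rule schema). The Rule fields, package names, advisory IDs, lockfile and source files are all constructed for this example, and a regular expression stands in for a Semgrep pattern.

```python
import re
from dataclasses import dataclass

# Constructed inputs: a requirements.txt-style lockfile and two first-party files.
LOCKFILE = "examplepkg==1.4.2\notherpkg==2.0.0  # pinned\n"
SOURCES = {
    "app.py": "import examplepkg\n\ndata = examplepkg.unsafe_load(request_body)\n",
    "util.py": "import otherpkg\n\nprint(otherpkg.version())\n",
}

@dataclass
class Rule:
    """Hypothetical, simplified rule; not Semgrep's actual rule schema."""
    advisory_id: str   # placeholder ID, not a real CVE
    package: str
    introduced: str    # first vulnerable version (inclusive)
    fixed: str         # first fixed version (exclusive)
    pattern: str       # regex standing in for a Semgrep pattern
    severity: str

RULES = [
    Rule("CVE-PLACEHOLDER-1", "examplepkg", "1.0.0", "1.5.0", r"examplepkg\.unsafe_load\(", "high"),
    Rule("CVE-PLACEHOLDER-2", "otherpkg", "1.0.0", "2.1.0", r"otherpkg\.render_template\(", "medium"),
    Rule("CVE-PLACEHOLDER-3", "otherpkg", "1.0.0", "2.0.0", r"otherpkg\.version\(", "low"),
]

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def parse_lockfile(text):  # -> {package: pinned_version}
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
    return deps

def evaluate(rule, deps, sources):
    """Return None (no finding) or a finding marked reachable/unreachable."""
    version = deps.get(rule.package)
    lo, hi = parse_version(rule.introduced), parse_version(rule.fixed)
    if version is None or not lo <= parse_version(version) < hi:
        return None  # dependency absent or outside the vulnerable range
    usages = [(path, lineno) for path, src in sources.items()
              for lineno, line in enumerate(src.splitlines(), 1)
              if re.search(rule.pattern, line)]
    return {"advisory": rule.advisory_id, "severity": rule.severity,
            "version": version, "reachable": bool(usages), "usages": usages}
```

With these inputs the first rule yields a reachable finding with one usage, the second an unreachable finding (vulnerable version, no matching code), and the third no finding because the pinned version is already the fixed one.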

In Semgrep Cloud Platform, specific findings of a dependency and code match are called usages. Usages are grouped by their vulnerability. Vulnerabilities in Semgrep Supply Chain typically have a CVE number corresponding to the record in the CVE Program.

Semgrep Cloud Platform also includes a list of Advisories for reference. Advisories include all vulnerabilities covered by Semgrep Supply Chain, regardless of whether the related dependency is used in scanned code.

The following diagram displays the relationship between a Supply Chain rule, the lockfile, and the codebase being scanned:

Figure 2. Relationship between a Supply Chain rule, lockfile, CVE record, and codebase.

Semgrep and Semgrep Supply Chain

The following table displays differences between Semgrep and Semgrep Supply Chain.

| Feature | Semgrep | Semgrep Supply Chain |
| --- | --- | --- |
| Type of tool | Static application security testing (SAST) | Software composition analysis (SCA) |
| Scan target | First-party code (your codebase or repository) | Open source dependencies |
| Triage workflow | Findings can be categorized as: Ignored (to triage false positives); Closed (resolved) by refactoring code; Removed | Findings can be categorized as: New; In progress; Fixed; Ignored |
| Remediation workflow | Code refactoring | Upgrading or removing the dependency, code refactoring |
| Notification channels | Slack, Email, Webhooks | Slack |

Language support

Refer to Supported languages to see all languages supported by Semgrep Supply Chain.

Transitive dependencies and reachability analysis

See SSC glossary > Transitivity for a definition of a transitive dependency.

  • Semgrep Supply Chain does not perform reachability analysis for transitive dependencies. This means we do not scan the source code of your dependencies to determine if their dependencies may produce a reachable finding in the code.
  • Semgrep Supply Chain supports scanning for transitive or indirect dependencies for all of its supported languages. Findings are collected and displayed in Semgrep Cloud Platform > Supply Chain.
  • In most cases, Semgrep Supply Chain generates reachable findings for direct dependencies. However, there are certain dependencies that are vulnerable simply through their inclusion in a codebase. Semgrep Supply Chain generates reachable findings for these types of dependencies even if they are transitive dependencies.

Next steps: Scanning your codebase

To scan your codebase, follow the instructions in Scanning open source dependencies.
