Skip to main content
  • Semgrep Supply Chain
  • Team & Enterprise Tier

Conceptual overview of Semgrep Supply Chain

Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine a vulnerability's reachability. Semgrep Supply Chain evaluates dependencies based on their version and use in your codebase.

Semgrep Supply chain Vulnerabilities page Figure 1. Semgrep Supply Chain Vulnerabilities page.

Semgrep Supply Chain parses lock files for a list of dependencies, then scans your codebase using rules written with Semgrep's pattern syntax. Supply Chain rules specify the following:

  • The range of versions that contain the dependency's vulnerability.
  • A pattern for vulnerable code, such as passing in unsanitized data.
  • The severity of the vulnerability.

Semgrep Supply Chain generates a finding when it detects a match. If the dependency's version is within the range and finds the matching code within your codebase, the finding is reachable.

A finding is unreachable if the dependency contains a known vulnerability, but the vulnerable matching code is not used in your codebase.

A finding is undetermined if Semgrep detects a match for the dependency in the vulnerable version range, but does not have a reachability rule for this vulnerability. This is most common with older or lower severity vulnerabilities.

Undetermined findings are generated by Semgrep Supply Chain lockfile-only rules, which are rules that do not perform reachability analysis. These findings are generated by checking the dependency's version in its lock or manifest file against versions with known vulnerabilities. These rules are on par with GitHub Dependabot.

In Semgrep Cloud Platform, specific findings of a dependency and code match are called usages. Usages are grouped by their vulnerability. Vulnerabilities in Semgrep Supply Chain typically have a CVE number corresponding to the record in the CVE Program.

Semgrep Cloud Platform also includes a list of Advisories for reference. Advisories include all vulnerabilities covered by Semgrep Supply Chain, regardless of whether the related dependency is used in scanned code.

  • Semgrep ingests CVEs and security advisories from sources such as GitHub Security Advisory to ensure effective rule coverage.
  • Semgrep, Inc. processes new CVEs and security advisories at least daily to perform the following:
    • Generation of new rules for new security advisories.
    • Updating of rules based on changes to prior security advisories.

The following diagram displays the relationship between a Supply Chain rule, the lockfile, and the codebase being scanned:

Relationship between a Supply Chain rule, lockfile, CVE record, and codebase Figure 2. Relationship between a Supply Chain rule, lockfile, CVE record, and codebase.

Semgrep and Semgrep Supply Chain

The following table displays differences between Semgrep and Semgrep Supply Chain.

FeatureSemgrepSemgrep Supply Chain
Type of toolStatic application security testing (SAST)Software composition analysis (SCA)
Scan targetFirst-party code (your codebase or repository)Open source dependencies
Triage workflowFindings can be categorized as:
  • Ignored (to triage false positives)
  • Closed (resolved) by refactoring code
  • Removed
Findings can be categorized as:
  • New
  • In progress
  • Fixed
  • Ignored
Remediation workflowCode refactoringUpgrading or removing the dependency, code refactoring
Notification channelsSlack, Email, WebhooksSlack

Language support

Refer to Supported languages to see all languages supported by Semgrep Supply Chain.

Transitive dependencies and reachability analysis

See SSC glossary > Transitivity for a definition of a transitive dependency.

  • Semgrep Supply Chain does not perform reachability analysis for transitive dependencies. This means we do not scan the source code of your dependencies to determine if their dependencies may produce a reachable finding in the code.
  • Semgrep Supply Chain supports scanning for transitive or indirect dependencies for all of its supported languages. Findings are collected and displayed in Semgrep Cloud Platform > Supply Chain.
  • In most cases, Semgrep Supply Chain generates reachable findings for direct dependencies. However, there are certain dependencies that are vulnerable simply through their inclusion in a codebase. Semgrep Supply Chain generates reachable findings for these types of dependencies even if they are transitive dependencies.

In some package ecosystems, it's possible to use a transitive dependency in your code as if it were a direct dependency. This is very uncommon, but Semgrep does scan for these usages with reachability rules if they are available, and will mark transitive dependencies as "unreachable" if they are not directly used.

Next steps: Scanning your codebase

To scan your codebase, follow the instructions in Scanning open source dependencies.

Additional references

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.