Set up Semgrep Supply Chain for your infrastructure
Your deployment journey
- You have gained the necessary resource access and permissions required for deployment.
- You have created a Semgrep account and organization.
- For GitHub and GitLab users: You have connected your source code manager.
- Optionally, you have set up SSO.
- You have successfully added a Semgrep job to your CI workflow.
Semgrep Supply Chain performs software composition analysis with reachability.
Scanning third-party code with Semgrep Supply Chain may require additional steps, such as generating a lockfile that it can parse in continuous integration (CI).
The documents in this category describe how to set up Semgrep Supply Chain for specific lockfiles or CI providers, to ensure that your Semgrep Supply Chain deployment functions as intended.
| CI provider | Issue | Solution |
|---|---|---|
| Jenkins UI using Git plugin | Findings are not being sent to Semgrep AppSec Platform. | Set the correct branch name by following the steps in Setting up Semgrep Supply Chain with Jenkins UI. |

| Package manager | Issue | Solution |
|---|---|---|
| Maven | Semgrep Supply Chain requires a dependency tree to detect packages. | Generate a dependency tree using mvn by following the steps in Setting up Semgrep Supply Chain with Apache Maven. |