Triage and remediate Supply Chain findings
At least one repository that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.
Once Semgrep Supply Chain successfully scans your repository and you've viewed your results, you can triage and remediate the findings presented in Semgrep AppSec Platform using the Supply Chain page.
Figure. Semgrep Supply Chain Vulnerabilities page.
Triage and remediate findings
Once you have viewed the Supply Chain findings, you can triage them for further work by your AppSec team, including remediation. Semgrep Supply Chain provides the following methods to help you assess your findings:
| Assessment action | Method |
|---|---|
| View the dependency paths for a transitive dependency. | Visible on the vulnerability entry. |
| View specific pattern matches in your codebase. | Click the link provided in the vulnerability entry to see where the issue appears in the source code. |
| View specific CVE entries in cve.org. | Click the vulnerability's CVE badge. |
| View safe versions to upgrade your dependencies. | Visible on the vulnerability entry. |
| Filter vulnerabilities. | Click any of the filters available. Refer to the following table for filtering information. |
Remediate true positives
Remediate (or resolve) true positives in Semgrep Supply Chain through the following methods:
- Update the dependency to a safe version that does not contain the vulnerability.
- Remove the dependency and refactor all usages in the codebase.
Remove the dependency and refactor the code
Removing the dependency and refactoring the code is another method to remediate vulnerabilities. Upon merging any dependency removals, Semgrep Supply Chain scans the PR or MR, detects the changes in your manifest file or lockfile, and updates the status to Fixed.
Ignore findings
The Vulnerabilities tab allows you to identify the reachable, true positives so that you can fix or resolve the related issues. However, you can ignore any false positives, acceptable risks, or deprioritized findings due to some factor. To do this:
- Select one or more findings.
- Click Triage.
- Select Ignore and click Continue.
- Select an Ignore reason, provide a optional comment, and click Ignore.
Upgrade guidance and click-to-fix pull requests
If the remediation for a finding is to upgrade the package, upgrade guidance uses program analysis and AI to analyze the results of your Semgrep scans to see if you can safely and reliably update a vulnerable package or dependency to a fixed version. From there, you can choose to:
- Have Semgrep open a pull request (PR) that updates the version used by your repository and provide guidance to the developer on the breaking changes in the PR description
- Create a Jira ticket
- Set the finding's triage status as To fix
Semgrep's dependency upgrade guidance can determine if the package upgrade needed to remediate the finding causes breaking changes. Semgrep can then create a PR to upgrade the package, offering a one-click solution to you.
Supported languages and package managers
- Go projects using the
gomodpackage manager - Python codebases with the following package managers:
pippip-toolspipenvpoetryuv
- GitHub Cloud
- This includes projects added to Semgrep through Semgrep Managed Scans
Prerequisites
To access all upgrade guidance and click to fix features, you must have:
- At least one repository that scans for dependencies through Semgrep Supply Chain.
- Semgrep Assistant enabled.
- The private GitHub for Semgrep installed.
- The app must have Read and write access on the Contents permission.
- Optionally: connected your private registry, if any, to Semgrep. Currently, Semgrep supports the use of private Python registries only.
Features and permissions
The following table summarizes the features available to you depending on the prerequisites you meet:
| Semgrep features available | Read and write Content permission granted | Code access granted to Semgrep through installation of the private GitHub app | Semgrep Assistant enabled | Private registry connected to Semgrep |
|---|---|---|---|---|
All click to fix and upgrade guidance features, including:
| ||||
All click to fix and upgrade guidance features, but not for dependencies in a private registry:
| The private registry is not connected to Semgrep | |||
Click to fix, but not for dependencies in a private registry:
| The private registry is not connected to Semgrep | |||
All upgrade guidance features, including:
| ||||
All upgrade guidance features, but not for dependencies in a private registry:
| The private registry is not connected to Semgrep |
How it works
After enabling Upgrade guidance, Semgrep performs post-scan analysis and marks applicable findings as Safe to upgrade or with Breaking changes.
- This analysis is performed every two hours on the latest full scan.
- Only findings whose dependencies have fixed versions that resolve the vulnerability are marked by Semgrep as Safe to upgrade or with Breaking changes.
- Findings without any fixed versions have no badge; instead, they say no patch available.
Figure. Details page for a finding that has no available fix.
The following chart illustrates the steps Semgrep performs, from scanning to analysis, and the actions you can take based on the advice it provides.
Review a finding's upgrade guidance
To view detailed information about a finding:
- Within Semgrep AppSec Platform, navigate to the Supply Chain page. By default this page loads the Vulnerabilities tab.
- Locate the finding you want to review, then click Details.
The details page is divided into several panels:
- General information:
- The name of the package and a description of the finding
- Its reachability, whether it is direct or transitive, its CVE number, EPSS, and severity
- Its remediation version, if any
- Links to references
- A badge indicating if it can cause breaking changes or not (beta)
- Branch and finding history information
- Branches in which it can be found
- Where it was first detected
- AI analysis performed, if any
- Graphs and code:
- Your code: the source file in which a match was detected; the highlight indicates where the match was found
- Dependency path: displays the path of dependencies; useful when analyzing transitive dependencies
- Pattern and Rule: the pattern and rule logic that determined the match
Figure. Useful details that provide upgrade guidance.
- A - Upgrade badge
- Indicates if an upgrade is safe or may break your codebase.
- B - The line of code (LOC) of the finding
- This shows the LOC that caused the finding; this does not show the LOC where the breaking changes occur.
- C - Link to change list drawer
- Click this link to display the LOC where a breaking change may occur.
- D - Open fix PR button
- Click this button to open a PR with the code to upgrade the dependency to a safe version, if any.
Figure. Drawer showing all the lines of code that must be changed or are safe.
Create a pull request with fixes
- Navigate to the Details page of the finding for which you want to make a pull request.
- Click Fix > Open fix PR.
A pull request includes:
- The manifest and/or lockfile changes necessary to upgrade the dependency
- The context necessary for developers to fix potentially breaking changes
The following context is included in the pull request description:
- Summary
- Severity and reachability of the finding
- The specific version of the dependency that the PR upgrades to
- Vulnerability details
- A description of the vulnerability and links to its CVE references
- Upgrade guidance
- All the pieces of code, typically files and functions, which make use of the dependency
- Unchanged (safe) pieces of code
- Potentially breaking pieces of code
- Dependency references
- Release notes, changelogs, and commits of the dependency, which may be helpful to resolve the breaking changes
Figure. PR comment with upgrade guidance.
Block pull request or merge requests
To block or leave comments on pull request or merge requests, see the Supply Chain Policies document.
Appendix
Grant Read and write access to a private GitHub Semgrep app
If you are an existing Semgrep user and you need to change your Semgrep app's permissions:
- Navigate to the settings page of your private Semgrep GitHub app; refer to Changing the permissions of a GitHub app for instructions.
- In the Repository permissions section, search for
Contents. - Click the drop-down menu and select Read and write.
Connect a private registry to Semgrep
- Sign in to Semgrep AppSec Platform.
- Navigate to Settings > Integrations.
- Click Add, then select Registry.
- In the dialog that appears, provide the following information:
- The Name of your registry.
- Select the Package manager.
- Select the Authentication method. If none is required, select None (public registry).
- If you select Username and password, provide the required Username and Password.
- If you select API token, provide the required token value.
- Click Connect to save your changes and proceed.
Semgrep currently supports integrations with private Maven package registries for scans without lockfiles.
Troubleshooting: Semgrep is not displaying any upgrade guidance or click to fix functionality
If you can't see any Breaking changes or Safe to upgrade badges or findings, this may be due to the following reasons:
- Your language or package ecosystem isn't supported
- Your source code manager isn't supported
- Your you have not set Read and write access for the Contents permission; see Grant read and write access
- Your findings don't have safe versions to upgrade to yet
- You have no findings within the supported scope of this feature
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.