
Triage and remediate Supply Chain findings

Prerequisite

At least one repository that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.

Once Semgrep Supply Chain successfully scans your repository and you've viewed your results, you can triage and remediate the findings presented in Semgrep AppSec Platform using the Supply Chain page.

Figure. Semgrep Supply Chain Vulnerabilities page.

Triage and remediate findings

Once you have viewed the Supply Chain findings, you can triage them for further work by your AppSec team, including remediation. Semgrep Supply Chain provides the following methods to help you assess your findings:

Assessment action | Method
View the dependency paths for a transitive dependency. | Visible on the vulnerability entry.
View specific pattern matches in your codebase. | Click the link provided in the vulnerability entry to see where the issue appears in the source code.
View specific CVE entries in cve.org. | Click the vulnerability's CVE badge.
View safe versions to upgrade your dependencies. | Visible on the vulnerability entry.
Filter vulnerabilities. | Click any of the filters available. Refer to the following table for filtering information.

Remediate true positives

Remediate (or resolve) true positives in Semgrep Supply Chain through the following methods:

  • Update the dependency to a safe version that does not contain the vulnerability.
  • Remove the dependency and refactor all usages in the codebase.

Remove the dependency and refactor the code

Removing the dependency and refactoring the code is another method to remediate vulnerabilities. Upon merging any dependency removals, Semgrep Supply Chain scans the PR or MR, detects the changes in your manifest file or lockfile, and updates the status to Fixed.

Ignore findings

The Vulnerabilities tab allows you to identify the reachable true positives so that you can fix or resolve the related issues. You can also ignore findings that are false positives, acceptable risks, or deprioritized for some other reason. To do this:

  1. Select one or more findings.
  2. Click Triage.
  3. Select Ignore and click Continue.
  4. Select an Ignore reason, provide an optional comment, and click Ignore.

Upgrade guidance and click-to-fix pull requests

If the remediation for a finding is to upgrade the package, upgrade guidance uses program analysis and AI to analyze the results of your Semgrep scans to see if you can safely and reliably update a vulnerable package or dependency to a fixed version. From there, you can choose to:

  • Have Semgrep open a pull request (PR) that updates the version used by your repository and provide guidance to the developer on the breaking changes in the PR description
  • Create a Jira ticket
  • Set the finding's triage status as To fix

Semgrep's dependency upgrade guidance can determine if the package upgrade needed to remediate the finding causes breaking changes. Semgrep can then create a PR to upgrade the package, offering a one-click solution to you.

Supported languages and package managers

  • Go projects using the gomod package manager
  • Python codebases with the following package managers:
    • pip
    • pip-tools
    • pipenv
    • poetry
    • uv
  • GitHub Cloud
    • This includes projects added to Semgrep through Semgrep Managed Scans

Prerequisites

To access all upgrade guidance and click to fix features, you must have:

Features and permissions

The following table summarizes the features available to you depending on the prerequisites you meet:

The table's columns are the prerequisites: Read and write Content permission granted; Code access granted to Semgrep through installation of the private GitHub app; Semgrep Assistant enabled; Private registry connected to Semgrep. Its rows are the feature sets available:

  • All click to fix and upgrade guidance features, including:
    • Upgrade filter for Findings
    • Upgrade guidance on the Finding Details page
    • Coupled or blocked upgrade information shown on the Finding Details page
    • Ability to open a PR to upgrade
  • All click to fix and upgrade guidance features, but not for dependencies in a private registry (the private registry is not connected to Semgrep):
    • Upgrade filter for Findings
    • Upgrade guidance on the Finding Details page
    • Coupled or blocked upgrade information shown on the Finding Details page
    • Ability to open a PR to upgrade
  • Click to fix, but not for dependencies in a private registry (the private registry is not connected to Semgrep):
    • Ability to open a PR to upgrade
  • All upgrade guidance features, including:
    • Upgrade filter for Findings
    • Upgrade guidance on the Finding Details page
    • Coupled or blocked upgrade information shown on the Finding Details page
  • All upgrade guidance features, but not for dependencies in a private registry (the private registry is not connected to Semgrep):
    • Upgrade filter for Findings
    • Upgrade guidance on the Finding Details page
    • Coupled or blocked upgrade information shown on the Finding Details page

How it works

After enabling Upgrade guidance, Semgrep performs post-scan analysis and marks applicable findings as Safe to upgrade or with Breaking changes.

  • This analysis is performed every two hours on the latest full scan.
  • Only findings whose dependencies have fixed versions that resolve the vulnerability are marked by Semgrep as Safe to upgrade or with Breaking changes.
  • Findings without any fixed versions have no badge; instead, they say no patch available.

Figure. Details page for a finding that has no available fix.

The following chart illustrates the steps Semgrep performs, from scanning to analysis, and the actions you can take based on the advice it provides.

Figure. Flowchart explaining how Semgrep provides upgrade guidance and possible actions to take based on its advice.

Review a finding's upgrade guidance

To view detailed information about a finding:

  1. Within Semgrep AppSec Platform, navigate to the Supply Chain page. By default this page loads the Vulnerabilities tab.
  2. Locate the finding you want to review, then click Details.

The details page is divided into several panels:

  • General information:
    • The name of the package and a description of the finding
    • Its reachability, whether it is direct or transitive, its CVE number, EPSS, and severity
    • Its remediation version, if any
    • Links to references
    • A badge indicating if it can cause breaking changes or not (beta)
  • Branch and finding history information
    • Branches in which it can be found
    • Where it was first detected
    • AI analysis performed, if any
  • Graphs and code:
    • Your code: the source file in which a match was detected; the highlight indicates where the match was found
    • Dependency path: displays the path of dependencies; useful when analyzing transitive dependencies
    • Pattern and Rule: the pattern and rule logic that determined the match

Figure. Useful details that provide upgrade guidance.

A - Upgrade badge
Indicates if an upgrade is safe or may break your codebase.
B - The line of code (LOC) of the finding
This shows the LOC that caused the finding; this does not show the LOC where the breaking changes occur.
C - Link to change list drawer
Click this link to display the LOC where a breaking change may occur.
D - Open fix PR button
Click this button to open a PR with the code to upgrade the dependency to a safe version, if any.

Figure. Drawer showing all the lines of code that must be changed or are safe.

Create a pull request with fixes

  1. Navigate to the Details page of the finding for which you want to make a pull request.
  2. Click Fix > Open fix PR.

A pull request includes:

  • The manifest and/or lockfile changes necessary to upgrade the dependency
  • The context necessary for developers to fix potentially breaking changes

The following context is included in the pull request description:

  • Summary
    • Severity and reachability of the finding
    • The specific version of the dependency that the PR upgrades to
  • Vulnerability details
    • A description of the vulnerability and links to its CVE references
  • Upgrade guidance
    • All the pieces of code, typically files and functions, which make use of the dependency
    • Unchanged (safe) pieces of code
    • Potentially breaking pieces of code
  • Dependency references
    • Release notes, changelogs, and commits of the dependency, which may be helpful to resolve the breaking changes

Figure. PR comment with upgrade guidance.
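As an added illustration of the two behaviours described above (the badge logic in How it works and the manifest change a fix PR carries), here is a simplified model in Python; it is example code, not Semgrep's implementation, and the advisories, package names, requirements file and source file are all constructed.

```python
import re

# Constructed advisories (not real CVE data): first fixed version (None if unpatched) and API names it changed.
ADVISORIES = {
    "examplelib": {"fixed": "2.0.0", "changed_api": {"examplelib.client.connect"}},
    "oldlib": {"fixed": None, "changed_api": set()},
}
# Constructed pip manifest (requirements.txt) and a source file using the packages.
REQUIREMENTS = "examplelib==1.4.2\noldlib==1.0.0\nclick==8.1.7\n"
SOURCE = {"app/http.py": "import examplelib\n\nsession = examplelib.Session()\n"}

def parse_version(v):
    """Order dotted-integer versions such as '1.4.2' as tuples (constructed input only)."""
    return tuple(int(p) for p in v.split("."))

def parse_pins(text):
    """Map package -> pinned version for the '==' lines of a requirements file."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.-]+)==([\d.]+)\s*$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def breaking_uses(source_files, changed_api):
    """Return (file, line) pairs that call an API the fixed version changed."""
    names = {api.rsplit(".", 1)[-1] for api in changed_api}
    hits = []
    for path, text in source_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(re.search(rf"\b{re.escape(n)}\s*\(", line) for n in names):
                hits.append((path, lineno))
    return hits

def assess(pins, advisories, source_files):
    """Badge per affected pin: 'Safe to upgrade', 'Breaking changes' or 'no patch available'."""
    badges = {}
    for pkg, adv in advisories.items():
        if pkg not in pins:
            continue  # not a dependency of this manifest, so no finding
        if adv["fixed"] is None:
            badges[pkg] = "no patch available"  # no badge: nothing to upgrade to
        elif parse_version(pins[pkg]) < parse_version(adv["fixed"]):
            hits = breaking_uses(source_files, adv["changed_api"])
            badges[pkg] = "Breaking changes" if hits else "Safe to upgrade"
    return badges

def fix_pr_manifest(text, pkg, fixed):
    """The manifest change a fix PR carries: re-pin the package to the fixed version."""
    return re.sub(rf"(?m)^{re.escape(pkg)}==[\d.]+$", f"{pkg}=={fixed}", text)
```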

Block pull requests or merge requests

To block or leave comments on pull requests or merge requests, see the Supply Chain Policies document.

Appendix

Grant Read and write access to a private GitHub Semgrep app

If you are an existing Semgrep user and you need to change your Semgrep app's permissions:

  1. Navigate to the settings page of your private Semgrep GitHub app; refer to Changing the permissions of a GitHub app for instructions.
  2. In the Repository permissions section, search for Contents.
  3. Click the drop-down menu and select Read and write.

Connect a private registry to Semgrep

  1. Sign in to Semgrep AppSec Platform.
  2. Navigate to Settings > Integrations.
  3. Click Add, then select Registry.
  4. In the dialog that appears, provide the following information:
    1. The Name of your registry.
    2. Select the Package manager.
    3. Select the Authentication method. If none is required, select None (public registry).
      1. If you select Username and password, provide the required Username and Password.
      2. If you select API token, provide the required token value.
  5. Click Connect to save your changes and proceed.
Info: Semgrep currently supports integrations with private Maven package registries for scans without lockfiles.

Troubleshooting: Semgrep is not displaying any upgrade guidance or click to fix functionality

If you can't see any Breaking changes or Safe to upgrade badges or findings, this may be due to the following reasons:

  • Your language or package ecosystem isn't supported
  • Your source code manager isn't supported
  • You have not set Read and write access for the Contents permission; see Grant read and write access
  • Your findings don't have safe versions to upgrade to yet
  • You have no findings within the supported scope of this feature
