Nearly all Software Composition Analysis (SCA) solutions produce many findings, most of which are false positives. Security teams must spend hours triaging to make them actionable for developers.

Semgrep Supply Chain is our opinionated take on finding dependency vulnerabilities using reachability analysis. Reachability analysis determines if your code is using a vulnerable package and if it is, it checks if it also uses the vulnerable pattern within that package. This significantly reduces the number of false positives and the time to triage security issues.

Doyensec performed a side-by-side comparison of three popular Software Composition Analysis solutions (Semgrep, Snyk, and Dependabot) in order to evaluate their abilities to properly determine whether an application’s dependencies with known vulnerabilities actually introduce an exploitable condition in the application.