Once you enable Semgrep Supply Chain, it automatically scans repositories that you have added to Semgrep AppSec Platform if your repositories meet the requirements for a successful scan.

Enable Supply Chain

If you haven’t already enabled Supply Chain:
  3. Click the Supply Chain scans toggle if it is not already enabled.

Project directory structure

To scan your project with Supply Chain, it must use a supported package manager and supported file names. Supply Chain can correctly parse code files, manifest files, and lockfiles in subfolders as well. Code files that use the dependencies in the manifest file or lockfile must be nested in the same directory as the manifest file or lockfile. Manifest files and lockfiles must all use supported file names. In the following example, Supply Chain assumes that all code files using the dependencies in my-project/running/lockfile.json are nested in my-project/running/ or deeper directories.
/my-project
├───/running
│   ├───lockfile.json
│   ├───bar.js
│   └───/uphill
│       ├───lockfile.json
│       └───foo.js
└───/biking
If you have code files in my-project/biking, Supply Chain does not associate them with the dependencies in my-project/running/lockfile.json. If there is another manifest file or lockfile in my-project/running, such as my-project/running/uphill/lockfile.json, then this overrides the original my-project/running/lockfile.json for all code files in my-project/running/uphill/ or deeper directories.
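The nearest-ancestor rule described above, written out as an added example (this is not Semgrep's own code): each code file is associated with the lockfile in its own directory or the closest directory above it, and a deeper lockfile overrides one higher up. The file listing is constructed to mirror the tree above, with `my-project/biking/baz.js` added as a hypothetical file, and `lockfile.json` stands in for whatever file names Supply Chain actually supports.

```python
from __future__ import annotations
from pathlib import PurePosixPath

# Placeholder for the set of supported manifest/lockfile names (assumption).
LOCKFILE_NAMES = {"lockfile.json"}

# Constructed listing mirroring the page's example tree; baz.js is hypothetical.
FILES = [
    "my-project/running/lockfile.json",
    "my-project/running/bar.js",
    "my-project/running/uphill/lockfile.json",
    "my-project/running/uphill/foo.js",
    "my-project/biking/baz.js",
]


def nearest_lockfile(code_file: str, lockfiles: set[str]) -> str | None:
    """Return the lockfile in the same directory as code_file or in the closest
    ancestor directory; None when no lockfile sits at or above the file."""
    directory = PurePosixPath(code_file).parent
    while True:
        for name in LOCKFILE_NAMES:
            candidate = str(directory / name)
            if candidate in lockfiles:
                return candidate  # deepest match wins, overriding parents
        if directory == directory.parent:  # walked past the top of the tree
            return None
        directory = directory.parent


def group_by_lockfile(files: list[str]) -> dict[str | None, list[str]]:
    """Group code files by the lockfile they resolve to (None = unassociated)."""
    lockfiles = {f for f in files if PurePosixPath(f).name in LOCKFILE_NAMES}
    groups: dict[str | None, list[str]] = {}
    for f in files:
        if f in lockfiles:
            continue  # lockfiles themselves are not code files
        groups.setdefault(nearest_lockfile(f, lockfiles), []).append(f)
    return groups


if __name__ == "__main__":
    for lockfile, code_files in group_by_lockfile(FILES).items():
        print(lockfile or "<no lockfile>", "->", code_files)
```

Files that resolve to `None` are the ones Supply Chain would not associate with any dependencies, so a non-empty `None` group is a quick check that a manifest or lockfile is missing or misplaced.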

Scan frequency

You can modify your CI configuration so that Supply Chain scans your code at a specified frequency or whenever a specific event occurs, such as opening a pull request or merge request.

Rule updates

Supply Chain frequently receives rule updates. To take advantage of these updates, adjust the frequency with which Supply Chain scans your codebase. If a rule is updated, findings generated against the revised rule are considered new findings, even if the previous version generated a finding. The new finding is not affected by any triage actions on findings related to the prior version of the rule. Because the finding is new, you’ll also receive notifications through the channels you’ve set up, such as Slack.

Schedule scans

The following list includes resources to set up schedules for different CI providers:

Event-triggered scans

You can configure your CI/CD system to trigger a Supply Chain scan whenever one of the following events occurs:
Event                                        | Scope of scan    | Dependency rule set
---------------------------------------------|------------------|---------------------
Pull request or merge request                | Diff-aware scans | All dependency rules
Push or scheduled event, such as a cron job  | Full scan        | All dependency rules

Run a scan using the CLI

You can start a stand-alone Supply Chain scan by running the following command in the CLI:
semgrep ci --supply-chain
Semgrep prints a list of findings directly to the CLI, including the finding’s reachability determination, severity level, a brief description, and suggested remediation. You can also view your results in Semgrep AppSec Platform. It displays all of the information displayed in the CLI, but offers additional functionality such as:
  • Additional finding details, such as whether the finding is always reachable or if it’s reachable if certain conditions are met, and its transitivity status
  • Dependency search to view all of your project’s dependencies and their associated vulnerabilities
  • License compliance to manage the dependencies used in your project based on their licenses

Scan a monorepo’s dependencies

Supply Chain supports the scanning of monorepos. As outlined in Project directory structure, findings are grouped by directory based on the manifest files or lockfiles present in the monorepo.

Dynamic Dependency Resolution (beta)

This feature is currently in beta. Please contact Semgrep Support for more information.
Supply Chain can use Dynamic Dependency Resolution to scan projects without lockfiles or with incomplete lockfiles.

CLI Scans, including self-managed CI systems

  1. Ensure that the environment where you run Semgrep scans has installed all of the dependencies required to build your project, such as Java and Maven or Python and pip.
  2. Initiate a Semgrep scan, ensuring that you include the --allow-local-builds flag to enable Semgrep to invoke package managers on the system:
    semgrep ci --allow-local-builds
    
    For existing CI jobs, you might have to edit your configuration file to include this flag. The flag allows Semgrep to build the project, if needed, to dynamically resolve dependencies. Semgrep uses the build information included in the pom.xml or build.gradle file to determine the set of dependencies used by the project.

Semgrep Managed Scans

  1. Configure private registry credentials in Settings > Integrations. Note that only Maven registries are currently supported for Managed Scans.
  2. Contact Semgrep Support to enable Dynamic Dependency Resolution for the necessary repositories.