Supply Chain feature support
Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:
- Generate a software bill of materials (SBOM) that provides a complete inventory of your open source components
- Query for information about your dependencies
- Support the enforcement of your business's open source package licensing requirements
- Detect malicious dependencies (this feature is currently in invite-only beta; please contact Semgrep Support for more information)
For projects with lockfiles, Semgrep parses the lockfile to enumerate dependencies, then scans your codebase for findings that are reachable through those dependencies. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.
For some languages, a lockfile or manifest file is parsed to determine transitivity. See Transitive dependencies and reachability analysis for more information.
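The lockfile-then-reachability flow described above, as an added illustration that is not Semgrep's own code: it parses a constructed npm package-lock.json, marks each dependency as direct or transitive, compares versions against hypothetical advisory data (placeholder ids, not real CVEs), and reports a finding as reachable only when the vulnerable API is actually called in the application source. The package names, advisory entries and the substring-based reachability check are all assumptions made for this example.

```python
import json

# Constructed sample npm package-lock.json (lockfileVersion 3 layout), not from the page.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-utils": "^1.2.0"}},
        "node_modules/left-utils": {"version": "1.2.3", "dependencies": {"deep-helper": "^0.4.0"}},
        "node_modules/deep-helper": {"version": "0.4.1"},
    },
})
# Hypothetical advisory data (placeholder ids, not real CVEs): package -> first fixed
# version and the vulnerable API whose use makes a finding reachable.
ADVISORIES = {
    "left-utils": {"id": "PLACEHOLDER-ADV-1", "fixed_in": "1.3.0", "sink": "leftUtils.render("},
    "deep-helper": {"id": "PLACEHOLDER-ADV-2", "fixed_in": "0.5.0", "sink": "deepHelper.merge("},
}
# Constructed application source: only the left-utils sink is actually called.
SAMPLE_SOURCE = "const leftUtils = require('left-utils');\nleftUtils.render(userInput);\n"


def parse_lockfile(text):
    """Return {name: (version, is_direct)}; packages the root entry declares are
    direct, every other resolved package is transitive."""
    data = json.loads(text)
    direct = set(data["packages"][""].get("dependencies", {}))
    deps = {}
    for path, entry in data["packages"].items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        deps[name] = (entry["version"], name in direct)
    return deps


def version_tuple(version):
    """Numeric tuple for comparison; assumes plain MAJOR.MINOR.PATCH strings."""
    return tuple(int(part) for part in version.split("."))


def scan(lockfile_text, source_text):
    """Version-only matching (what the table describes for Rust) plus a reachability
    flag. The substring search stands in for Semgrep's code-pattern matching."""
    findings = []
    for name, (version, is_direct) in parse_lockfile(lockfile_text).items():
        adv = ADVISORIES.get(name)
        if adv is None or version_tuple(version) >= version_tuple(adv["fixed_in"]):
            continue  # not a known-vulnerable version
        findings.append({"package": name, "version": version, "advisory": adv["id"],
                         "transitivity": "direct" if is_direct else "transitive",
                         "reachable": adv["sink"] in source_text})
    return findings
```

Running `scan(SAMPLE_LOCKFILE, SAMPLE_SOURCE)` yields two version matches, of which only the direct left-utils dependency is reachable; the transitive deep-helper match is the kind a version-only comparison would still report.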
Additionally, Semgrep offers beta support for the scanning of projects written in the following languages without lockfiles:
- C#
- Java
- Kotlin
- Python
- Ruby
Supply Chain features for each language
The following table lists all Supply Chain features for each language. Languages with reachability support are listed first.
| Language | Reachability (see CVE coverage) | Scan without lockfiles (beta) | License detection | Malicious dependency detection |
|---|---|---|---|---|
| C# | ✅ | ✅ | ✅ | ✅ |
| Go | ✅ | -- | ✅ | ✅ |
| Java | ✅ | ✅ | ✅ | -- |
| JavaScript or TypeScript | ✅ | -- | ✅ | ✅ |
| Kotlin | ✅ | ✅ | ✅ | -- |
| Python | ✅ | ✅ | ✅ For PyPI only | ✅ |
| Ruby | ✅ | -- | ✅ | ✅ |
| Scala | ✅ | -- | ✅ | -- |
| Swift | ✅ | -- | ✅† | -- |
| PHP | ✅ | -- | ✅ | -- |
| Rust | No reachability analysis. However, Semgrep can compare a package's version against a list of versions with known vulnerabilities. | -- | ✅ | ✅ |
| Dart | -- | -- | -- | |
| Elixir | -- | -- | -- | |
†License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans.
CVE coverage
For customers with an active paid subscription, Semgrep’s reachability analysis covers all critical and high severity CVEs from supported sources starting in 2017 across all supported languages.
Supported sources