Package manager support
Semgrep Supply Chain (SCA) scans dependencies by parsing manifest files or lockfiles. This page lists the supported package managers and file types.
For language-level coverage and feature maturity, see Supported languages.
For some languages, a lockfile or manifest file is parsed to determine transitivity. See Transitive dependencies and reachability analysis for more information.
Package manager support
The following table lists all Semgrep-supported package managers for each language. Languages with reachability support are listed first.
| Language | Supported package managers | Manifest file or lockfile |
|---|---|---|
| C# | NuGet | packages.lock.json |
| Go | Go modules (go mod) | go.mod |
| Java | Gradle | gradle.lockfile |
| Java | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) |
| JavaScript or TypeScript | npm | package-lock.json |
| JavaScript or TypeScript | Yarn | yarn.lock |
| JavaScript or TypeScript | pnpm | pnpm-lock.yaml |
| Kotlin | Gradle | gradle.lockfile |
| Kotlin | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) |
| Python | pip | Any of the following: |
| Python | pip-tools | |
| Python | Pipenv | Pipfile.lock |
| Python | Poetry | poetry.lock |
| Python | uv | uv.lock |
| Ruby | RubyGems | Gemfile.lock |
| Scala | Maven | Maven-generated dependency tree (See Setting up SSC scans for Apache Maven for instructions.) |
| Swift | SwiftPM | Package.swift file and Swift-generated Package.resolved file. (See Swift documentation for instructions.) |
| Rust | Cargo* | cargo.lock |
| Dart | Pub | pubspec.lock |
| Elixir | Hex | mix.lock |
| PHP | Composer | composer.lock |
*Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as No Reachability Analysis.
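To make concrete what "parsing a lockfile to determine transitivity" means, the following Python script is an added illustration (it is not Semgrep's own parser and does not reproduce its behaviour). It reads a constructed npm package-lock.json (lockfileVersion 3), treats the packages declared by the root entry as direct dependencies, and classifies every other installed package, including nested copies under a dependency's own node_modules, as transitive. The sample lockfile, package names and versions are made up for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample package-lock.json (lockfileVersion 3), invented for this
# example. The root entry "" declares the direct dependencies; every other key
# is an installed package path under node_modules.
SAMPLE_LOCKFILE = r'''
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "example-app",
      "dependencies": { "left-pad": "^1.3.0", "ms": "^2.1.3" },
      "devDependencies": { "debug": "^4.3.4" }
    },
    "node_modules/left-pad": { "version": "1.3.0" },
    "node_modules/ms": { "version": "2.1.3" },
    "node_modules/debug": { "version": "4.3.4", "dev": true,
                            "dependencies": { "ms": "2.1.2" } },
    "node_modules/debug/node_modules/ms": { "version": "2.1.2", "dev": true }
  }
}
'''


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    transitivity: str  # "direct" or "transitive"
    dev: bool


def package_name(path: str) -> str:
    """Return the package name from an installed path.

    "node_modules/debug/node_modules/ms" -> "ms"
    "node_modules/@scope/pkg"            -> "@scope/pkg"
    """
    return path.rsplit("node_modules/", 1)[1]


def parse_package_lock(text: str) -> list[Dependency]:
    """Parse a v2/v3 package-lock.json and label each package direct or transitive."""
    data = json.loads(text)
    if data.get("lockfileVersion") not in (2, 3):
        raise ValueError("only lockfileVersion 2 or 3 is handled here")
    packages = data.get("packages", {})
    root = packages.get("", {})
    # Direct dependencies are exactly what the root manifest declares.
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))

    deps = []
    for path, meta in packages.items():
        if path == "" or "node_modules/" not in path:
            continue  # skip the root entry and workspace links
        name = package_name(path)
        # Only a top-level installation can satisfy a direct dependency; a nested
        # copy (node_modules/a/node_modules/b) exists to serve another package.
        is_top_level = path.count("node_modules/") == 1
        transitivity = "direct" if is_top_level and name in direct else "transitive"
        deps.append(Dependency(name, meta.get("version", ""), transitivity,
                               bool(meta.get("dev", False))))
    return deps


def transitive_only(deps: list[Dependency]) -> list[Dependency]:
    """The packages a manifest-only scan would never see."""
    return [d for d in deps if d.transitivity == "transitive"]


if __name__ == "__main__":
    for d in parse_package_lock(SAMPLE_LOCKFILE):
        flag = " (dev)" if d.dev else ""
        print(f"{d.name}@{d.version}: {d.transitivity}{flag}")
```

Running the script lists four installed packages: the two runtime dependencies and the dev dependency as direct, and the second, older copy of ms pulled in by debug as transitive. That last row is the case a manifest-only view misses, and it is why a lockfile rather than package.json is the input for transitivity in the table above.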