> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# View findings in Semgrep AppSec Platform

Semgrep Supply Chain generates a **finding** when a rule matches a piece of code in your codebase. You can view these findings in Semgrep AppSec Platform's [**Supply Chain** page](https://semgrep.dev/orgs/-/supply-chain).

<Info>
  **PREREQUISITE**

  At least one repository that [scans for dependencies through Semgrep Supply Chain](/semgrep-supply-chain/set-up-and-configure).
</Info>

## View findings

To view your findings in Semgrep AppSec Platform:

<Steps>
  <Step>
    Log in to [Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    In the **Navigation bar**, click **[Supply Chain](https://semgrep.dev/orgs/-/supply-chain)**.
  </Step>
</Steps>

By default, Semgrep displays **Priority** findings, which are defined as findings that:

* Have a severity level of **critical** or **high**
* Are **reachable**

You can switch to the **All** tab at any point to view all findings identified by Semgrep Supply Chain. Both the **Priority** findings view and the **All** findings view display high-level information about your findings.

<Note>
  **LOCAL SCANS**

  Findings from local scans are differentiated from their remote counterparts through their slugs. Remote repositories are identified as <span className="placeholder">  ACCOUNT\_NAME/REPOSITORY\_NAME</span>, while local repositories are identified as <span className="placeholder">local\_scan/REPOSITORY\_NAME</span>.
</Note>

### Custom **Priority** tab

Semgrep admins can create a custom priority definition to change the criteria for the findings shown on the **Priority** tab:

<Steps>
  <Step>
    Log in to [Semgrep AppSec Platform](https://semgrep.dev/login).
  </Step>

  <Step>
    In the **navigation bar**, click **[Supply Chain](https://semgrep.dev/orgs/-/supply-chain)**. Ensure that you're viewing the **Priority** tab.
  </Step>

  <Step>
    Using the provided filters, set your parameters for priority findings.
  </Step>

  <Step>
    Click **Save**.
  </Step>

  <Step>
    You'll see a dialog asking you to confirm that you want the changes saved for everyone. Click **Save** to proceed.
  </Step>
</Steps>

This change applies to the entire Semgrep organization. You cannot have separate priority definitions for individual users or teams.

## Filter findings

There are multiple grouping and filtering options available to you regardless of whether you use the **Priority** findings view or the **All** findings view.

### Time period

The time period filters allow you to see which vulnerabilities were opened, fixed, or triaged during a certain period of time. The time period filter is **not** additive. It is a filter operation that precedes other filters on the page. For example, if you select both **Last triaged** and **Status Open**, no findings appear because, by definition, there are no triaged findings that are also open.

The following filters are available:

* Triage state update action:
  * Opened in
  * Triaged in
  * Fixed in
* Time period:
  * Last day
  * Last 7 days
  * Last 30 days
  * Last 3 months
  * Last 6 months
  * Last year
  * All time

### Project

The **<Tooltip tip="A repository or codebase that you have added to Semgrep Cloud Platform for scanning along with finding metadata and other Semgrep data and resources." cta="See full definition." href="/semgrep-code/glossary#project">Project</Tooltip>** filter allows you to search for findings associated with the selected projects.

### Status

The **Status** filter allows you to search for findings in the selected statuses, which are the triage states of the findings:

* **Open**: Findings for which there have been no triage or remediation action.
* **Reviewing**: Findings that require more investigation to determine what the next steps should be.
* **To fix**: Findings that you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work.
* **Provisionally ignored**: Unreachable findings.
* **Ignored**: Vulnerabilities that have been triaged as **Ignored** by the user. You can filter findings with a status of **Ignored** further by reason: **False positive**, **Acceptable risk**, **No time to fix**, or **No triage reason**.
* **Closed**: Vulnerabilities that are no longer detected after a scan. This typically means that the dependency containing the vulnerability has been updated. Semgrep Supply Chain automatically checks if the dependency has been updated and sets the vulnerability's status as **Fixed**.

### Additional filters

Semgrep offers additional filters that you can use to narrow down your results. The following filters are available:

| Filter                                                                                                                                                                                                                                                                                    | Description                                                                                                                                                                                                                       |
| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Severity**                                                                                                                                                                                                                                                                              | The severity of a finding. Filters are based on the severity of a vulnerability. Semgrep Supply Chain rules use severity values set by the source of the rule, such as [GitHub Advisory Database](https://github.com/advisories). |
| [**Reachability**](#reachability)                                                                                                                                                                                                                                                         | The finding's exposure, or whether it is reachable.                                                                                                                                                                               |
| [**EPSS probability**](#epss-probability)                                                                                                                                                                                                                                                 | The finding's [Exploit prediction scoring system (EPSS) probability](https://www.first.org/epss/).                                                                                                                                |
| **Upgrade guidance (beta)**                                                                                                                                                                                                                                                               | The impact of a dependency upgrade on your project as determined by Semgrep Multimodal.                                                                                                                                           |
| **Dependencies**                                                                                                                                                                                                                                                                          | The name of the dependency involved.                                                                                                                                                                                              |
| **<Tooltip tip="Announcement of a vulnerability, typically with an associated CVE. Semgrep Supply Chain rules can find advisories, and they appear in the Advisories view." cta="See full definition and Advisories." href="/semgrep-supply-chain/glossary#advisory">Advisory</Tooltip>** | The vulnerabilities' ID number, such as CVE, GHSA, MAL, or keyword.                                                                                                                                                               |
| **Malicious dependency**                                                                                                                                                                                                                                                                  | Whether the finding is for a malicious dependency.                                                                                                                                                                                |
| **<Tooltip tip="A repository or codebase that you have added to Semgrep Cloud Platform for scanning along with finding metadata and other Semgrep data and resources." cta="See full definition." href="/semgrep-code/glossary#project">Project</Tooltip>**                               | The tags associated with the project.                                                                                                                                                                                             |
| **Multimodal file risk level**                                                                                                                                                                                                                                                            | Filter by the risk level determined by Semgrep Multimodal.                                                                                                                                                                        |

#### EPSS probability

The [Exploit prediction scoring system (EPSS) probability](https://www.first.org/epss/) represents the likelihood that the vulnerability will be exploited in the wild in the next 30 days. Its values range from 0% to 100%. The higher the score, the greater the probability the vulnerability will be exploited. Semgrep groups probabilities as follows:

* <b>High</b>: 50 - 100%
* <b>Medium</b>: 10 - \<50%
* <b>Low</b>: \<10%

#### Reachability

The finding's exposure to potential attacks, or whether it is reachable.

* **Reachable**: A finding is reachable if there's a vulnerable function call or vulnerable package in use. The finding should be addressed as soon as possible.
  * **Malicious dependency**: A finding that indicates the use of a dangerous package, or dangerous version of a package, that are designed to compromise systems.
  * **Reachable in code**: A finding is reachable in code if there's a code pattern in the codebase that matches the vulnerability definition.
  * **Always reachable**: A finding is always reachable if it's something Semgrep recommends fixing, regardless of what's in the code.
* **Needs review**: A finding that requires manual triage and review. Follow the instructions provided.
  * **Conditionally reachable**: A finding is conditionally reachable if Semgrep finds a way to reach it when scanning your code when certain conditions are met.
  * **No Reachability Analysis**: A finding that Semgrep does not scan for reachability.
* **Unreachable**: No vulnerable function call found. This finding can be deprioritized.

#### Transitivity

The transitivity of the finding:

* **Direct**: Your project depends directly on the dependency.
* **Transitive**: Your project's dependency depends on a vulnerable dependency.
* **Undetermined**: Semgrep had no transitivity information for the dependency as it relates to your project.

#### Upgrade guidance (beta)

The impact of a dependency upgrade on your project as determined by Semgrep Multimodal:

* **Safe**: There are unlikely to be breaking changes introduced by the dependency upgrade.
* **Breaking**: The dependency upgrade likely introduces breaking changes, so code modifications are required.

## Group and sort findings

You can view findings individually or grouped by the rule that identified the finding.

By default, Semgrep displays your findings using the **Group by Rule** view. This view shows your findings grouped by the rule Semgrep used to match the code. Your findings are shown sorted **by severity**, but you can opt to sort **by number of findings** for a given rule.

A specific finding in the code is called a **usage**. <Tooltip tip="Unintentional flaw in a dependency that can be exploited. Vulnerabilities are typically assigned a CVE and categorized by GHSA severity." cta="See full definition." href="/semgrep-supply-chain/glossary#vulnerability">Vulnerability</Tooltip> entries are sorted as cards by severity from critical to low, then from oldest to newest.

## Export findings

You can export findings to a **CSV** file. Semgrep can export the **10,000 most recent findings** when you request the report in Semgrep AppSec Platform:

<Steps>
  <Step>On the **navigation bar**, go to **Supply Chain**.</Step>
  <Step>Click the **<Icon icon="download" iconType="regular" /> icon**.</Step>
</Steps>

Semgrep filters do not apply to exports. The 10,000 most recent findings are exported to the CSV file regardless of the filters you apply on the **Findings page**.

To export more than 10,000 findings, you must use the [<Icon icon="external-link" iconType="solid" /> Semgrep API's List code, supply chain, or AI-powered scan findings](https://docs.semgrep.dev/api-reference/findingsservice/list-code-supply-chain-or-ai-powered-scan-findings) endpoint.

<Accordion title={"Click to view a description of fields included in the CSV."}>
  | Field                 | Description                                                                                                                               |
  | :-------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- |
  | Id                    | The unique ID number of the finding.                                                                                                      |
  | Rule name             | The name of the rule.                                                                                                                     |
  | Product               | The Semgrep product.                                                                                                                      |
  | Severity              | The finding's severity. Possible values are **Critical**, **High**, **Medium**, or **Low**.                                               |
  | Status                | The finding's triage status.                                                                                                              |
  | Confidence            | Filter by the likelihood of the rule to detect true positives. The higher the confidence, the more true positives the rule may detect.    |
  | Multimodal component  | A descriptor, such as `API`, `Payments processing`, `Infrastructure`, that Multimodal tags the finding with, based on the code's context. |
  | Repository name       | The name of the repository where Semgrep found the finding.                                                                               |
  | Repository URL        | The repository URL.                                                                                                                       |
  | Line of code URL      | The URL to the specific line of code where the finding match began. A finding may be several lines long.                                  |
  | Semgrep platform link | A link to the finding's **Details** page in Semgrep AppSec Platform.                                                                      |
  | Created at            | The time the finding was created in your timezone.                                                                                        |
  | Last Opened at        | The time the finding was last opened.                                                                                                     |
  | Branch                | The name of the branch where the finding was detected.                                                                                    |
  | Triaged at            | The most recent time that the finding was triaged.                                                                                        |
  | Triage comment        | A triage comment created by the user.                                                                                                     |
  | Triage reason         | The reason why the finding was triaged, created by the user.                                                                              |
  | Rule description      | The description of the rule. This is the same as the rule's `message` key.                                                                |

  The following fields are exclusive to **Supply Chain** scans:

  | Field        | Description                                                                                                      |
  | :----------- | :--------------------------------------------------------------------------------------------------------------- |
  | Dependency   | The name of the dependency where the finding was found.                                                          |
  | Reachability | The reachability status of the finding, such as **Reachable**, **No Reachability Analysis**, or **Unreachable**. |
  | Transitivity | States whether the finding originates from a direct or transitive dependency.                                    |
  | CVE          | The CVE number that the finding is assigned to.                                                                  |
  | EPSS         | The EPSS score, which estimates the likelihood that a software vulnerability can be exploited in the wild.       |
</Accordion>

## View details about a specific finding

To view in-depth information about a specific finding, select the finding whose details you want to view. Then:

* If the default **Group by Rule** is enabled, click the <Icon icon="window-restore" iconType="regular" /> **Details** icon on the card of the finding.
* If the **No grouping** view is enabled, click the **header hyperlink** on the card of the finding.

The [finding's details](/semgrep-supply-chain/finding-details) page displays in-depth information about the finding. It also allows you to perform actions such as updating the finding's status as needed, viewing links to any integrations available, such as associated Jira tickets, and communicating with your team regarding the finding. For example, you can add notes to the finding that anyone with access to the finding can see.

## How Semgrep displays findings present on multiple branches

A **single** finding may appear in several branches. These appearances are called **instances** of a finding. Several instances of the same finding may differ in which line of code (LOC) they are on or in their triage state. For example, on `production` the finding may be on line 20, but the same finding was moved further to line 26 in `feature-branch-a`.

Semgrep automatically recognizes that they are fundamentally the same finding and deduplicates these instances so that you do not get an inflated count of findings per ref that the finding is present in.

By default, the Supply Chain page displays findings from the [primary branches](/deployment/primary-branch) of all repositories (projects), arranged by most recent scan. You are viewing the **primary branch's instance** of that finding, so you may see variations in LOC or triage state when comparing the finding across branches.

When filtering by primary branch and triage status, the filters are applied based on the **triage status of the finding on the primary branch**. This means that on some feature branches, the instance may already be **Fixed**, but on the primary branch, the finding is still **Open**. The finding status on the primary branch is updated when the PR or MR is merged and Semgrep has scanned the code.

<Tip>
  **TIP**

  * If you do not see any findings, or there are zero findings after a scan has concluded, check the **Projects** page to view the findings count, if any, and to set a [primary branch](/deployment/primary-branch), if it is not already set.
  * The total count of findings in the **Projects** page is based on the **primary branch**.
</Tip>
