Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt

Use this file to discover all available pages before exploring further.

This article walks you through the setup needed to scan your project with Semgrep Supply Chain and its configuration and customization options. Once you enable Semgrep Supply Chain, it automatically scans repositories that you have added to Semgrep AppSec Platform, but your repository must first meet the requirements for a successful scan.

Project directory structure

To scan your project with Semgrep Supply Chain, it must use a supported package manager and supported file names. Semgrep Supply Chain can correctly parse code files, manifest files, and lockfiles in subfolders as well. Code files that use the dependencies in the manifest file or lockfile must be nested in the same directory as the manifest file or lockfile. Manifest files and lockfiles must all use supported file names. In the following example, Semgrep Supply Chain assumes that all code files using the dependencies in my-project/running/lockfile.json are nested in my-project/running/ or deeper directories. 
/my-project
├───/running
│   ├───lockfile.json
│   ├───bar.js
│   └───/uphill
│       ├───lockfile.json
│       └────foo.js
├───/biking
If you have code files in my-project/biking, Semgrep Supply Chain does not associate them with the dependencies in my-project/running/lockfile.json. If there is another manifest file or lockfile in my-project/running, such as my-project/running/uphill/lockfile.json, then this overrides the original my-project/running/lockfile.json for all code files in my-project/running/uphill/ or deeper directories.

Enable Semgrep Supply Chain

1
Sign in to Semgrep AppSec Platform.
2
Go to Settings > General > Supply Chain.
3
Click the Supply Chain scans toggle if it is not already enabled.

Scan frequency

You can modify your CI configuration so that Semgrep Supply Chain scans your code at a specified frequency or whenever a specific event occurs, such as opening a pull request or merge request.

Rule updates

Semgrep Supply Chain frequently receives rule updates. To take advantage of these updates, adjust the frequency with which Semgrep Supply Chain scans your codebase. If a rule is updated, findings generated against the revised rule are considered new findings, even if the previous version generated a finding. The new finding is not affected by any triage actions on findings related to the prior version of the rule. Because the finding is new, you’ll also receive notifications through the channels you’ve set up, such as Slack.

Schedule scans

The following table is a summary of methods and resources to set up schedules for different CI providers.
CI providerWhere to set schedule
GitHub ActionsSee Sample CI configs for information on how to modify your semgrep.yml file
GitLab CI/CDRefer to GitLab documentation
JenkinsRefer to Jenkins documentation
Bitbucket PipelinesRefer to Bitbucket documentation
CircleCIRefer to CircleCI documentation
BuildkiteRefer to Buildkite documentation
Azure PipelinesRefer to Azure documentation
SemaphoreRefer to Semaphore documentation

Event-triggered scans

You can configure your CI/CD system to trigger a Semgrep Supply Chain scan whenever one of the following events occurs:
EventScope of scanDependency rule set
Pull request or merge requestDiff-aware scanAll dependency rules
Push or scheduled event, such as a cron jobFull scanAll dependency rules

Dynamic Dependency Resolution (beta) to scan without lockfiles

INFOThis feature is currently in beta. Please contact Semgrep Support for more information.
Semgrep Supply Chain can use Dynamic Dependency Resolution to scan projects without requiring lockfiles. This simplifies the configuration of Supply Chain scans. See Feature support for more information.

CLI Scans, including self-managed CI systems

  1. Ensure that the environment where you run Semgrep scans has installed all of the dependencies required to build your project, such as Java and Maven or Python and pip.
  2. Initiate a Semgrep scan, ensuring that you include the --allow-local-builds flag to enable Semgrep to invoke package managers on the system: 
    semgrep ci --allow-local-builds
    For existing CI jobs, you may have to edit your configuration file to include this flag. This flag allows Semgrep to build the project, if needed, to dynamically resolve dependencies. Semgrep uses the build information included in the pom.xml or build.gradle file to determine the set of dependencies used by the project.

Semgrep Managed Scans

1
Configure private registry credentials in Settings > Integrations. Note that only Maven registries are currently supported for Managed Scans.]
2
Contact Semgrep Support to enable Dynamic Dependency resolution for the necessary repositories.

Run a scan using the CLI

You can start a stand-alone Semgrep Supply Chain scan by running the following command in the CLI: 
semgrep ci --supply-chain
Semgrep prints a list of findings directly to the CLI, including the finding’s reachability determination, severity level, a brief description, and suggested remediation. You can also view your results in Semgrep AppSec Platform. It displays all of the information displayed in the CLI, but it also offers you the ability to:

Scan a monorepo’s dependencies

Semgrep Supply Chain supports the scanning of monorepos. As outlined in Project directory structure, findings are grouped by directory based on the or present in the monorepo.

Block pull requests or merge requests

You can comment on or potentially block pull requests or merge requests by defining a Supply Chain Policy.