> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Detect and remove malicious dependencies

**Malicious dependencies** are dangerous packages, or dangerous versions of packages, that are designed to compromise systems. These threats include packages that have always been malicious, such as typo-squatting attacks, or packages that become malicious after an attacker compromises a maintainer or injects harmful code. They are also known as malware.

Semgrep can detect malicious dependencies in your projects and pull requests (PRs) or merge requests (MRs).

## Supported package managers

The following table lists the languages for which Supply Chain can detect malicious dependencies.

| Language   | <Tooltip tip="Software that interacts with a package registry to download, upload, or search for dependencies. Package managers typically generate manifest files or lockfiles." cta="See full definition." href="/semgrep-supply-chain/glossary#package-manager">Package manager</Tooltip> or ecosystem |
| :--------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| C#         | NuGet                                                                                                                                                                                                                                                                                                    |
| Go         | `go.mod`                                                                                                                                                                                                                                                                                                 |
| Java       | Gradle, Maven                                                                                                                                                                                                                                                                                            |
| JavaScript | npm                                                                                                                                                                                                                                                                                                      |
| PHP        | Composer                                                                                                                                                                                                                                                                                                 |
| Python     | PyPi                                                                                                                                                                                                                                                                                                     |
| Ruby       | RubyGems                                                                                                                                                                                                                                                                                                 |
| Rust       | `cargo.lock`                                                                                                                                                                                                                                                                                             |
| TypeScript | npm                                                                                                                                                                                                                                                                                                      |

## Enabling malicious dependency rules

To include malicious dependency rules in your Supply Chain scan, navigate to **Settings > Supply Chain** and enable **Malicious dependency advisories**.

You can also use this setting to disable malicious dependency scanning for your Semgrep organization.

## Malicious dependency findings

Malicious dependency findings are treated as **critical severity** findings.

If you set up your Supply Chain [policies](https://semgrep.dev/orgs/-/policies/supply-chain) to block critical severity findings, malicious dependency findings block a PR or MR in the same way as any other Supply Chain finding.

From the Supply Chain policies page, you can also configure a policy to trigger conditionally based on whether a dependency is marked **Malicious**.

## View malicious dependencies

Malicious dependencies appear in the [**Supply Chain**](https://semgrep.dev/orgs/-/supply-chain/vulnerabilities?primary=true\&tab=open\&last_opened=All+time) tab, alongside other Supply Chain findings. They are denoted by the **MAL** badge.

To view malicious dependencies detected in your projects:

<Steps>
  <Step>
    Navigate to [Supply Chain](https://semgrep.dev/orgs/-/supply-chain).
  </Step>

  <Step>
    Click the **filters** icon and enable the **Malicious dependency** filter.
  </Step>

  <Step>
    Review the results listed. Click **Details** to learn more about available remediation guidance.
  </Step>
</Steps>

## Triage and remediation for malicious dependencies

* If there is no fix available, **remove** the malicious dependency from your codebase and re-run a Supply Chain scan.
* If there is a safe version to update to, fix the finding by updating the dependency. Then, re-run a Supply Chain scan.
* You can apply [any Semgrep triage state](/semgrep-supply-chain/triage-and-remediation#ignore-findings), such as **Ignored**, though this is not recommended.

<Warning>
  **CAUTION**

  If you have configured your policies to display malicious dependency findings to your developers, and you have enabled **Settings > General > Global > Triage via code review comments**, your developers are able to triage these findings as **Ignored**.
</Warning>

## Create Jira tickets for malicious dependency findings

Semgrep provides a Jira integration option that lets you create Jira tickets for malicious dependency findings across any branch, not just the primary branch. This capability enables developers to respond immediately when a malicious package is detected.

To enable Jira ticket creation for malicious dependencies:

<Steps>
  <Step>
    Navigate to **Settings > Integrations > Jira**.
  </Step>

  <Step>
    Select the option to **Automatically create tickets for malicious dependency findings on any branch**.
  </Step>
</Steps>

## Advisories for malicious dependencies

You can view all the malicious dependencies that Semgrep can detect. To do so:

<Steps>
  <Step>
    Sign in to [<Icon icon="external-link" iconType="solid" /> Semgrep AppSec Platform](https://semgrep.dev/login) and go to [**Rules & Policies > Advisories**](https://semgrep.dev/orgs/-/advisories).
  </Step>

  <Step>
    Find the **Advisory type** filter, and select **<Icon icon="square-check" iconType="solid" /> Malicious**.
  </Step>
</Steps>

Currently, advisories for malicious dependencies are generated automatically and use the package name and version to identify the dependency. In some cases, the advisory indicates that only specific sources of the dependency have been compromised. If you do not use those sources and have never done so, then it may be appropriate to mark the findings for that advisory as ignored.
