Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt

Use this file to discover all available pages before exploring further.

PREREQUISITEAt least one repository that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.
Generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform. When generating an SBOM, Semgrep uses:
  • The vulnerability information from the default branch for the project
  • The dependency information from the latest full scan for the project.

Supported standards and formats

Semgrep Supply Chain supports the following SBOM formats:
  • CycloneDX 1.4 JSON
  • CycloneDX 1.4 XML

Generate and download an SBOM for a single project

SBOM generation can be performed through Semgrep AppSec Platform or the Semgrep API.
1
In Semgrep AppSec Platform, go to Supply Chain > Dependencies.
2
Click the Download icon next to the repository you want an SBOM for.
3
Click the format you want the SBOM to be in. After clicking, refresh or leave the page only after the SBOM has been generated.
4
Once Semgrep has generated the SBOM, click the link on the toaster notification to download it.
You have successfully downloaded an SBOM.
SUPPLY CHAIN SCANS ON NON-PRIMARY BRANCHESTypically, full scans are run only on primary (default) branches. However, if your workflow differs and you run full scans on non-primary branches, this can create a mismatch between dependencies and vulnerabilities in the generated SBOM. To avoid the mismatch, ensure that the latest full scan runs on the primary branch of the repository for which you want to generate an SBOM.

Generate an SBOM through the API

Refer to the Semgrep API > SBOM documentation.

Semgrep-specific SBOM data fields

In addition to the minimum elements that define an SBOM, Semgrep provides additional metadata in the vulnerabilities field. Nested under the vulnerabilities field is a list of data objects describing a specific vulnerability. Each data object contains the following data fields:
Semgrep-specific fieldDescription
AdvisoriesLinks to GitHub or NIST advisories about the specific vulnerability.
AffectsThe name and version of the package that the vulnerability affects.
AnalysisSemgrep’s analysis of this vulnerability in your supply chain. Under analysis are state and justification fields, which describe if your codebase is affected by the vulnerability and why Semgrep thinks it is or is not affected.
CWEsThe assigned CWE (common weakness enumeration) number.
DescriptionA short description of the vulnerability.
DetailA longer description of the vulnerability, including the affected versions.
RatingsSemgrep Supply Chain’s severity rating of this vulnerability.
ReferencesLinks to the specific CVE. References can come from NIST, Electron release notes, and GitHub Security .
The primary source of this vulnerability’s advisory.
ToolsDetails about Semgrep, the tool used to generate the SBOM.