Lockfiles and manifest files
For projects with lockfiles, Semgrep parses the lockfiles to resolve dependencies, then scans your codebase for reachable findings based on those dependencies. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names. For some languages, a lockfile or manifest file is required to determine . See Transitive dependencies and reachability analysis for more information. Additionally, Semgrep offers beta support for scanning projects written in the following languages without lockfiles, using Dynamic Dependency Resolution. See the following table for more information.
Supply Chain features for each language
The following table lists all Supply Chain features for each language. Languages with reachability support are listed first.

| Language | Reachability (see CVE coverage) | Scan without lockfiles (beta) | License detection | Malicious dependency detection |
|---|---|---|---|---|
| C# | ✅ | ✅ CI and CLI only | ✅ | ✅ |
| Go | ✅ | — | ✅ | ✅ |
| Java | ✅ | ✅ | ✅ | — |
| JavaScript or TypeScript | ✅ | — | ✅ | ✅ |
| Kotlin | ✅ | ✅ | ✅ | — |
| Python | ✅ | ✅ setup.py in CLI or CI | ✅ For PyPI only | ✅ |
| Ruby | ✅ | — | ✅ | ✅ |
| Scala | ✅ | ✅ SBT in CLI or CI | ✅ | — |
| Swift | ✅ | — | ✅† | — |
| PHP | ✅ | — | ✅ | — |
| Rust | No reachability analysis. However, Semgrep can compare a package’s version against a list of versions with known vulnerabilities. | — | ✅ | ✅ |
| Dart | — | — | — | — |
| Elixir | — | — | — | — |
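Because Supply Chain resolves dependencies from lockfiles, a repository whose manifests have no matching lockfile gets no pinned versions to work from for those ecosystems (unless the beta lockfile-less scanning above applies). The following pre-scan check is an added example, not code from the Semgrep docs or the Semgrep project: it walks a repository and reports every directory where a manifest is present but no sibling lockfile is. The manifest and lockfile names it uses are an assumption based on common ecosystem conventions, not Semgrep's authoritative list of supported lockfile names; the sample tree it scans is constructed inline.

```python
"""Pre-scan check: find ecosystems in a repository that have a manifest but no
lockfile, so a lockfile-based Supply Chain scan would have no pinned versions
for them. Added example; not part of the Semgrep docs or project."""
import os
import tempfile

# ASSUMPTION: manifest/lockfile names are common ecosystem conventions used for
# illustration; consult the Semgrep docs for the names it actually parses.
ECOSYSTEMS = {
    "javascript": {
        "manifests": {"package.json"},
        "lockfiles": {"package-lock.json", "yarn.lock", "pnpm-lock.yaml"},
    },
    "python": {
        "manifests": {"pyproject.toml", "setup.py"},
        "lockfiles": {"poetry.lock", "Pipfile.lock", "requirements.txt"},
    },
    "ruby": {"manifests": {"Gemfile"}, "lockfiles": {"Gemfile.lock"}},
    "rust": {"manifests": {"Cargo.toml"}, "lockfiles": {"Cargo.lock"}},
}

# Vendored and build output directories contain third-party manifests that are
# not this project's own dependency declarations.
SKIP_DIRS = {".git", "node_modules", "vendor", ".venv", "venv", "target"}


def find_lockfile_gaps(root):
    """Return sorted (ecosystem, relative_dir) pairs where a manifest exists
    but none of that ecosystem's lockfiles sits beside it."""
    gaps = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk does not descend.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        present = set(filenames)
        for eco, names in ECOSYSTEMS.items():
            if present & names["manifests"] and not present & names["lockfiles"]:
                gaps.append((eco, os.path.relpath(dirpath, root)))
    return sorted(gaps)


def build_sample_repo(root):
    """Constructed sample tree: two ecosystems with lockfiles, two without,
    plus a vendored manifest under node_modules that must be ignored."""
    layout = {
        "package.json": "{}",
        "package-lock.json": "{}",
        "services/api/Gemfile": "",
        "services/api/Gemfile.lock": "",
        "tools/pyproject.toml": "",
        "cli/Cargo.toml": "",
        "node_modules/dep/package.json": "{}",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Build the constructed repo in a temp dir and return its lockfile gaps."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return find_lockfile_gaps(root)


if __name__ == "__main__":
    for eco, where in demo():
        print(f"{eco}: manifest in '{where}' has no lockfile; "
              f"dependency versions cannot be pinned for a lockfile-based scan")
```

Run it against a real checkout by calling `find_lockfile_gaps("/path/to/repo")`; on the constructed tree it reports the Python manifest under `tools` and the Rust manifest under `cli`, and ignores the manifest under `node_modules`.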