For language-level coverage and feature maturity, see Supported languages. For some languages, a lockfile or manifest file is required to accurately determine . See Transitive dependencies and reachability analysis for more information. The following table lists all Semgrep-supported package managers for each language. Languages with reachability support are listed first.
| Language | Supported package managers | Manifest file or lockfile |
|---|---|---|
| C# | NuGet | .csproj |
| Go | Go modules (go mod) | go.mod |
| Java | Gradle | gradle.lockfile, or build.gradle or build.gradle.kts through Dynamic Dependency Resolution |
| Java | Maven | Maven-generated dependency tree (see Setting up SSC scans for Apache Maven for instructions), or pom.xml through Dynamic Dependency Resolution |
| JavaScript or TypeScript | npm | package-lock.json |
| JavaScript or TypeScript | Yarn | yarn.lock |
| JavaScript or TypeScript | pnpm | pnpm-lock.yaml |
| Kotlin | Gradle | gradle.lockfile |
| Kotlin | Maven | Maven-generated dependency tree (see Setting up SSC scans for Apache Maven for instructions) |
| Python | pip | requirements.txt (see note A) |
| Python | pip-tools | requirements.txt (see note A) |
| Python | Pipenv | Pipfile.lock |
| Python | Poetry | poetry.lock |
| Python | uv | uv.lock |
| Ruby | RubyGems | Gemfile.lock |
| Scala | Maven | Maven-generated dependency tree (see Setting up SSC scans for Apache Maven for instructions) |
| Swift | SwiftPM | Package.swift file and Swift-generated Package.resolved file (see Swift documentation for instructions) |
| Rust | Cargo‡ | Cargo.lock |
| Dart | Pub | pubspec.lock |
| Elixir | Hex | mix.lock |
| PHP | Composer | composer.lock |

A: Semgrep treats requirements.txt as a lockfile when it contains Pip-compiled output with fully pinned dependencies, or as a manifest file when it uses more flexible specifiers. If your requirements.txt file doesn't use pinned dependencies exclusively, use the --allow-local-builds flag when invoking your scan. This ensures that dependencies using non-exact version specifiers, such as >=, >, or ~=, are included in the dependency graph. Otherwise, Semgrep ingests only pinned (==) dependencies.

‡Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as No Analysis.
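The note above turns on one question: is every dependency in requirements.txt an exact `==` pin, or does the file contain flexible specifiers that Semgrep would drop unless --allow-local-builds is passed? The following Python checker is an added example, not Semgrep's own code or parser, that answers that question before a scan. It joins pip-compile style backslash continuations, strips comments and per-requirement options such as `--hash`, and treats only a single `==<version>` clause with no wildcard as a pin (so `===`, `==6.*`, ranges, bare names and direct URL references are all reported as unpinned). The sample file contents, including the package names and the all-zero hash, are constructed for the example.

```python
"""Classify requirements.txt entries as exactly pinned (==) or not."""
import re
from typing import Iterator, List, NamedTuple


class Requirement(NamedTuple):
    name: str
    specifier: str   # e.g. "==2.31.0", ">=1.26,<2", or "" when unversioned
    pinned: bool


# name, optional extras ([ssh]), then whatever follows as the version specifier
_NAME_RE = re.compile(
    r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(\[[^\]]*\])?\s*(.*)$"
)
# one PEP 440 clause; '===' is listed before '==' so it is not mistaken for a pin
_OPERATOR_RE = re.compile(r"^(===|==|!=|~=|<=|>=|<|>)\s*(\S+)$")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield requirement lines with comments removed and '\\' continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # '#' comments
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            yield line
    if pending.strip():
        yield pending.strip()


def is_exact_pin(specifier: str) -> bool:
    """True only for a single '==<version>' clause without a wildcard."""
    clauses = [c.strip() for c in specifier.split(",") if c.strip()]
    if len(clauses) != 1:
        return False            # empty, or a range such as '>=1.26,<2'
    m = _OPERATOR_RE.match(clauses[0])
    return bool(m) and m.group(1) == "==" and "*" not in m.group(2)


def parse_requirements(text: str) -> List[Requirement]:
    reqs: List[Requirement] = []
    for line in _logical_lines(text):
        if line.startswith("-"):
            continue            # options: -r other.txt, -c, -e, --index-url, ...
        body = re.split(r"\s--", line, maxsplit=1)[0]   # drop --hash=... etc.
        body = body.split(";", 1)[0].strip()            # drop environment marker
        if "@" in body or "://" in body:
            # direct reference (name @ url or a bare URL): never an index pin
            name = body.split("@", 1)[0].strip()
            reqs.append(Requirement(name, body[len(name):].strip(), False))
            continue
        m = _NAME_RE.match(body)
        if not m:
            continue            # e.g. a local path; not a name-based requirement
        name, spec = m.group(1), m.group(3).strip()
        reqs.append(Requirement(name, spec, is_exact_pin(spec)))
    return reqs


def unpinned(text: str) -> List[Requirement]:
    return [r for r in parse_requirements(text) if not r.pinned]


def needs_allow_local_builds(text: str) -> bool:
    """True when the file is not exclusively '==' pinned (per the note above)."""
    return bool(unpinned(text))


# Constructed sample: pip-compile style output mixed with hand-written lines.
# The hash is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
cryptography[ssh]==42.0.5
urllib3>=1.26,<2          # range, not an exact pin
Django~=4.2
numpy===1.26.0
pyyaml==6.*
flask
-r base.txt
mypkg @ https://example.invalid/mypkg-1.0.tar.gz
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE_REQUIREMENTS):
        print(f"not exactly pinned: {r.name} {r.specifier!r}")
    if needs_allow_local_builds(SAMPLE_REQUIREMENTS):
        print("file is not fully pinned; pass --allow-local-builds to the scan")
```

Run it against your own file with `needs_allow_local_builds(open("requirements.txt").read())`; a `True` result means the file will be ingested as a manifest rather than a lockfile and the flag is needed to keep the flexible dependencies in the graph.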