PREREQUISITEAt least one repository that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.
| Assessment action | Method |
|---|---|
| Filter findings. | In Semgrep AppSec Platform > Supply Chain page, click any filter. |
| View specific CVE entries on cve.org. | Click the Supply Chain finding’s CVE badge. |
| View specific pattern matches in your codebase. | View a Supply Chain finding’s Details page. |
| View the dependency path for a transitive dependency. | View the Supply Chain finding’s Details page. |
| View safe versions to upgrade your dependencies. | View the Supply Chain finding’s Details page. |
- Ignore findings that you deem to be false positives, acceptable risks, or deprioritized findings.
- Fix findings that are true positives by:
Ignore findings
The Supply Chain tab allows you to identify reachable true positives so you can fix or resolve the related issues. However, you can ignore any false positives, acceptable risks, or deprioritized findings:In Semgrep AppSec Platform, go to Supply Chain.
Fix findings that are true positives
To fix findings that are true positives in Semgrep Supply Chain, you can:- Remove the dependency and refactor the codebase to remove all usage.
- Update the dependency to a safe version that does not contain the vulnerability.