Skip to main content
Once Semgrep Supply Chain successfully scans your repository and you’ve viewed your results, you can assess, triage, and fix the findings presented in Semgrep AppSec Platform using the Supply Chain page.
PREREQUISITEAt least one repository that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.
Semgrep provides the following methods to help you evaluate your findings:
Assessment actionMethod
Filter findings.In Semgrep AppSec Platform > Supply Chain page, click any filter.
View specific CVE entries on cve.org.Click the Supply Chain finding’s CVE badge.
View specific pattern matches in your codebase.View a Supply Chain finding’s Details page.
View the dependency path for a transitive dependency.View the Supply Chain finding’s Details page.
View safe versions to upgrade your dependencies.View the Supply Chain finding’s Details page.
The following actions are available to you after you’ve assessed the findings:

Ignore findings

The Supply Chain tab allows you to identify reachable true positives so you can fix or resolve the related issues. However, you can ignore any false positives, acceptable risks, or deprioritized findings:
1
In Semgrep AppSec Platform, go to Supply Chain.
2
Select one or more findings.
3
Click Triage > Ignored.
4
Provide Comments to describe why you’re ignoring the selected findings.
5
Click Submit.

Fix findings that are true positives

To fix findings that are true positives in Semgrep Supply Chain, you can:
  • Remove the dependency and refactor the codebase to remove all usage.
  • Update the dependency to a safe version that does not contain the vulnerability.

Remove the dependency and refactor the code

You can remove a dependency that introduces a security vulnerability, then refactor your project to remove all usage of that dependency. Supply Chain scans the pull request or merge request with these changes, detects the updates to your lockfile or manifest file, and updates the status of the finding to Fixed.

Upgrade guidance and Autofix (beta)

Upgrade guidance uses program analysis and AI to analyze the results of your Semgrep scans to see if you can safely and reliably update a vulnerable package or dependency to a fixed version. With the information from Upgrade guidance, Autofix can open pull requests and merge requests that update the version used by your project and guide you through any breaking changes the update introduces. See Upgrade guidance and Autofix for more information.