> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Triage and fix Supply Chain findings

Once Semgrep Supply Chain successfully scans your repository and you've [viewed your results](/semgrep-supply-chain/findings), you can assess, triage, and fix the findings presented in Semgrep AppSec Platform using the **Supply Chain** page.

<Info>
  **PREREQUISITE**

  At least one repository that scans for dependencies through Semgrep Supply Chain. See [Scan third-party dependencies](/semgrep-supply-chain/set-up-and-configure).
</Info>

Semgrep provides the following methods to help you evaluate your findings:

| Assessment action                                                                                                      | Method                                                                |
| :--------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------- |
| Filter findings.                                                                                                       | In **Semgrep AppSec Platform > Supply Chain** page, click any filter. |
| View specific CVE entries on <a href="https://www.cve.org/">cve.org</a>.                                               | Click the Supply Chain finding's <strong>CVE badge</strong>.          |
| View specific pattern matches in your codebase.                                                                        | View a Supply Chain finding's **Details** page.                       |
| View the [dependency path for a transitive dependency](/semgrep-supply-chain/dependency-search#dependency-paths-beta). | View the Supply Chain finding's **Details** page.                     |
| View safe versions to upgrade your dependencies.                                                                       | View the Supply Chain finding's **Details** page.                     |

The following actions are available to you after you've assessed the findings:

* [Ignore findings](#ignore-findings) that you deem to be false positives, acceptable risks, or deprioritized findings.
* [Fix findings that are true positives](#fix-findings-that-are-true-positives) by:
  * [Removing the dependency and refactoring the code](#remove-the-dependency-and-refactor-the-code).
  * [Using Upgrade guidance and Autofix to update the dependency to a safe version](#using-upgrade-guidance-and-autofix-to-update-the-dependency-to-a-safe-version).

## Ignore findings

The **Supply Chain** tab allows you to identify reachable true positives so you can fix or resolve the related issues. However, you can ignore any false positives, acceptable risks, or deprioritized findings:

<Steps>
  <Step>
    In Semgrep AppSec Platform, go to [**Supply Chain**](https://semgrep.dev/orgs/-/supply-chain).
  </Step>

  <Step>
    Select one or more findings.
  </Step>

  <Step>
    Click **Triage > Ignored**.
  </Step>

  <Step>
    Provide **Comments** to describe why you're ignoring the selected findings.
  </Step>

  <Step>
    Click **Submit**.
  </Step>
</Steps>

## Fix findings that are true positives

To fix findings that are true positives in Semgrep Supply Chain, you can:

* Remove the dependency and refactor the codebase to remove all usage.
* Update the dependency to a safe version that does not contain the vulnerability.

### Remove the dependency and refactor the code

You can remove a dependency that introduces a security vulnerability, then refactor your project to remove all usage of that dependency. Supply Chain scans the pull request or merge request with these changes, detects the updates to your lockfile or manifest file, and updates the status of the finding to **Fixed**.

### Upgrade guidance and Autofix (beta)

**Upgrade guidance** uses program analysis and AI to analyze the results of your Semgrep scans to see if you can safely and reliably update a vulnerable package or dependency to a fixed version.

With the information from Upgrade guidance, **Autofix** can open pull requests and merge requests that update the version used by your project and guide you through any breaking changes the update introduces.

See [Upgrade guidance and Autofix](/semgrep-supply-chain/triage-and-fix/upgrade-guidance-and-autofix) for more information.
