- Use Autofix and have Semgrep open a pull request (PR) or merge request (MR) that updates the dependency to a fixed version. If the update is a breaking change, Semgrep provides guidance on how to handle it in the PR or MR description.
- Create a Jira ticket to track further work on the finding.
- Set the finding’s triage status as To fix
Prerequisites
Upgrade guidance and Autofix are supported for:- JavaScript projects
- Python projects that use the following package managers:
pippip-toolspipenvpoetryuv
- GitHub Cloud
- GitLab Cloud
- Public
npmand PyPI registries - Private PyPI registries
Feature availability
To access all Upgrade guidance and Autofix features, you must have:- Enabled Upgrade guidance in Semgrep AppSec Platform by going to Settings > General > Supply Chain, then clicking the Upgrade guidance & Autofix toggle.
- At least one repository with full Semgrep Supply Chain scans.
- Semgrep Multimodal enabled.
- Granted Semgrep Read and write access to your repository. See Grant read and write access.
- GitHub users must have the private GitHub app for Semgrep installed. The app must grant Read and write access for the Contents scope to open Autofix PRs. Existing customers must manually enable this permission if they have not already done so.
- Autofix PRs for Supply Chain use the same private GitHub App Contents: Read and write permission as Autofix for Semgrep Code. See Grant code access to Semgrep with a private GitHub app for setup steps. For GitHub Autofix API details, see Autofix permissions.
- GitHub users must have the private GitHub app for Semgrep installed. The app must grant Read and write access for the Contents scope to open Autofix PRs. Existing customers must manually enable this permission if they have not already done so.
- Optionally: if you have a private registry, connect it to Semgrep to improve results.
| Semgrep features available | Read and write access on the contents scope granted | Code access granted to Semgrep through installation of the private GitHub app | Semgrep Multimodal enabled | Private registry connected to Semgrep | |
|---|---|---|---|---|---|
All Autofix and Upgrade guidance features, including:
| |||||
All Autofix and Upgrade guidance features, but not for dependencies in a private registry:
| The private registry is not connected to Semgrep | ||||
Autofix, but not for dependencies in a private registry:
| The private registry is not connected to Semgrep | ||||
All Upgrade guidance features, including:
| |||||
All Upgrade guidance features, but not for dependencies in a private registry:
| The private registry is not connected to Semgrep |
How Upgrade guidance works
After you turn on Upgrade guidance, Semgrep performs post-scan analysis on your existing results and marks applicable findings as either Safe to upgrade or with Breaking changes.- This analysis is performed after every full scan.
- Only findings with dependencies that have fixed versions that resolve the vulnerability are marked by Semgrep as Safe to upgrade or with Breaking changes.
- Findings without any fixed versions say no patch available. They do not have a badge.

Review a finding’s Upgrade guidance
To view detailed information about a finding in Semgrep AppSec Platform, use the navigation bar to go to the Supply Chain page. Click the finding to open its Details page. The Details page is divided into several panels:- General information:
- The name of the package and a description of the finding
- Its reachability, whether it is direct or transitive, its CVE number, EPSS, and severity
- Its remediation version, if any
- Links to references
- A badge indicating if it can cause breaking changes or not (beta)
- Branch and finding history information
- Branches where the finding appears
- Where it was first detected
- AI analysis, if available
- Graphs and code:
- Your code: the source file in which a match was detected; the highlight indicates where the match was found
- Dependency path: displays the path of dependencies; useful when analyzing transitive dependencies
- Pattern and Rule: the pattern and rule logic that determined the match
Open a PR or MR with fixes
After reviewing a finding’s Upgrade guidance, you can open a pull request or merge request to upgrade the dependency to a safe version: The newly created PR or MR includes the following:- The lockfile or manifest file changes needed to upgrade the dependency.
- The context necessary for developers to fix potentially breaking changes in the PR or MR’s description. This includes:
- A summary including the severity and reachability of the finding and the specific version of the dependency that the PR upgrades to.
- details, including a description of the vulnerability and links to its CVE references.
- Upgrade guidance that includes the files and functions in the code that make use of the dependency and might include breaking changes.
- references, such as release notes, changelogs, and commits of the dependency, which might be helpful to resolve the breaking changes.