PREREQUISITEAt least one repository that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.
The following actions are available to you after you’ve assessed the findings:
- Ignore findings that you deem to be false positives, acceptable risks, or deprioritized findings.
- Fix findings that are true positives by:
Ignore findings
The Supply Chain tab allows you to identify reachable true positives so you can fix or resolve the related issues. However, you can ignore any false positives, acceptable risks, or deprioritized findings:1
In Semgrep AppSec Platform, go to Supply Chain.
2
Select one or more findings.
3
Click Triage > Ignored.
4
Provide Comments to describe why you’re ignoring the selected findings.
5
Click Submit.
Fix findings that are true positives
To fix findings that are true positives in Semgrep Supply Chain, you can:- Remove the dependency and refactor the codebase to remove all usage.
- Update the dependency to a safe version that does not contain the vulnerability.