Expanding Semgrep Supply Chain into Dependency Intelligence and License Compliance

tl;dr Today, we have added two new features that make our Semgrep Supply Chain product more powerful: Dependency Search and License Compliance.

Here's a preview:
Dependency Search in action

Introduction

We launched Semgrep Supply Chain last fall, with a vision of never seeing a "1644 vulnerable dependencies" alert again. In case you missed that launch: Using Semgrep's static analysis engine, Semgrep Supply Chain filters out over 98% of alerts, leaving you with a manageable list of vulnerabilities to worry about.

Since then, we've written 1,241 rules for Semgrep Supply Chain (and we add more every day!), covering all high and critical severity CVEs announced for npm, PyPI, Maven, RubyGems, and Golang packages over the past year. We've been delighted to see the overwhelmingly positive feedback from organizations already managing their supply chain security via Semgrep. Jessica Grider, Sr. DevSecOps Engineer at Policygenius, shared her 'eureka' moment with Semgrep Supply Chain because she was able to pinpoint a specific vulnerable function being used across projects, and the developers promptly resolved the issue across numerous repositories. This was something they were unable to achieve with other software composition analysis (SCA) tools. 

Through our experience with early adopters like Policygenius, Vanta, and others, we’ve seen the value that reachability analysis brings to the table. But we know that securing the software supply chain doesn’t stop there. What about vulnerabilities that have no associated CVEs, or dependencies with non-compliant licenses? These issues can have huge consequences, as Panasonic Avionics Corporation found out! 

So today, we’re launching two new features: Dependency Search and License Compliance, as part of our broader shift toward helping users gain more insights into their dependencies. One of our biggest learnings since launching Semgrep Supply Chain was that it’s not enough for security teams to just filter through open vulnerabilities. It’s also important to address the problem at the source by understanding why there are so many. 

Dependency Search

Dependency Search allows you to query across your entire codebase for any dependency at any version, on-demand. Semgrep scans your lockfile and stores the content it scans so that you can get the most up-to-date dependency information whenever you want. Most importantly, this empowers you to look up anything you want, letting you investigate vulnerable packages in your codebase even before CVE disclosure.

Shortly after release, our users were able to find value quickly. One of our beta users–a Fortune 100 company–leveraged it to find instances in their codebase where vm2 (CVSS 10.0) might’ve been used, even before the CVE was disclosed. This allowed their security team to expedite their investigation and close any gaps before the vulnerability could be exploited. 

In another instance, one of our users leveraged Dependency Search in their day-to-day investigations to identify where to upgrade all instances of packages that were flagged as SCA issues; this helped them reduce the manual work it would’ve taken to do so otherwise. Say no to tedium!

License Compliance

License Compliance is an essential part of most AppSec programs, especially with companies where distributed code products can’t have any copyleft licenses used. Semgrep Supply Chain’s License Compliance enables you to 1) configure non-compliant licenses that block during pull requests (PR, available only for GitHub) and 2) visibility into license composition for all your dependencies.

License Compliance configuration in Settings

License Compliance in Semgrep Supply Chain

Checking for license compliance issues is as easy as selecting Comment or Block on a license type in Settings – that’s it! Developers who include changes to a lockfile with a new package will be notified via PR comments if that package contains a non-compliant license type.

Configuring policies for License Compliance

License Compliance will be available as a public beta for all supported languages on Semgrep Supply Chain, except for Ruby. We don’t expect folks to leverage us fully for their legal review, but we hope it helps build awareness of legal constraints in software development.

Recap

Semgrep Supply Chain launched last fall with the promise of cutting through false positives and reducing the number of open source vulnerabilities you have to triage. We have delivered on that promise but also learned that addressing supply chain issues requires a lot more than just what we have today. There isn’t a one-size-fits-all paradigm for SAST or SCA, so we’re committed to continue building out tools to empower users to do what’s best for them. We’re starting out with Dependency Search and License Compliance today, but keep your eyes peeled for even more exciting things we have brewing. Visit the product page to learn more about Semgrep Supply Chain, or sign up to get started today!