Announcing Semgrep Supply Chain’s beta support for C#
Blog post from Semgrep
Semgrep Supply Chain is a software composition analysis (SCA) dependency scanner designed to minimize false positives by using reachability analysis, an approach that has been well received by the security community since launch. It notably helped companies such as Thinkific cut false positives by over 85%. It has now added beta support for C# and lockfile-only support for PHP: C# projects can be scanned for reachable vulnerabilities in their dependencies, while PHP projects are currently matched against the lockfile alone. Integration with NuGet, a package manager hosting over 370,000 packages and seeing roughly 3 million weekly downloads, brings the same vulnerability and compliance coverage to developers in the C# and .NET ecosystem.

Most SCA tools stop at the lockfile: any dependency whose resolved version falls in a known-vulnerable range is reported, whether or not the affected code is ever used. Semgrep Supply Chain goes a step further and checks whether the vulnerable method in that library is actually called from the application, reporting those findings as reachable. A lockfile match is still the necessary first step; reachability is the filter that decides which of those matches deserve immediate attention rather than a routine upgrade.

Beyond dependency scanning, the Semgrep platform also offers Semgrep Code, a static application security testing (SAST) tool, and Semgrep Secrets for detecting accidentally committed secrets; both are available as free trials.
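To make the distinction between a lockfile-only match and a reachable finding concrete, here is an added, self-contained illustration written for this page. It is not Semgrep's code and does not reproduce how Semgrep Supply Chain works internally (which uses its pattern engine and dataflow, not regexes). It assumes a NuGet `packages.lock.json`, a hypothetical package `ExamplePkg.Yaml` with a made-up advisory `EXAMPLE-0001` (not a real CVE), and a handful of constructed C# snippets; all of those are constructed for the example.

```python
"""Toy SCA reachability filter for NuGet dependencies.

Added example, not Semgrep's code. It shows the two stages the text describes:
(1) lockfile-only matching, which any SCA tool does, and
(2) a reachability check that asks whether the vulnerable method is actually called.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """Hypothetical advisory record, constructed for this example; not a real CVE."""
    advisory_id: str
    package: str              # NuGet package id
    fixed_version: tuple      # first version that is no longer affected
    vulnerable_type: str      # fully qualified type, e.g. "ExamplePkg.Yaml.Loader"
    vulnerable_method: str    # method on that type that triggers the bug


ADVISORIES = [
    Advisory("EXAMPLE-0001", "ExamplePkg.Yaml", (2, 0, 0),
             "ExamplePkg.Yaml.Loader", "Deserialize"),
]


def make_lockfile(yaml_version):
    """Constructed packages.lock.json (NuGet's lockfile layout) with one tunable version."""
    return json.dumps({
        "version": 1,
        "dependencies": {
            "net8.0": {
                "ExamplePkg.Yaml": {"type": "Direct", "requested": f"[{yaml_version}, )",
                                    "resolved": yaml_version, "contentHash": "..."},
                "Serilog": {"type": "Direct", "requested": "[3.1.1, )",
                            "resolved": "3.1.1", "contentHash": "..."},
            }
        }
    })


LOCKFILE = make_lockfile("1.4.0")            # vulnerable version present
PATCHED_LOCKFILE = make_lockfile("2.0.0")    # upgraded past the fix

# Constructed C# sources: the package is referenced in all three, but only two call Deserialize.
SOURCE_REACHABLE = """
using ExamplePkg.Yaml;

class Config {
    static object Load(string text) {
        var loader = new Loader();
        return loader.Deserialize(text);
    }
}
"""

SOURCE_FULLY_QUALIFIED = """
class Config {
    static object Load(string text) => new ExamplePkg.Yaml.Loader().Deserialize(text);
}
"""

SOURCE_UNREACHABLE = """
using ExamplePkg.Yaml;

class Config {
    static string Describe() { return Loader.Version; }   // never calls Deserialize
}
"""


def parse_version(text):
    """Turn '1.4.0' (or '1.4.0-beta2', ignoring the pre-release tag) into a comparable tuple."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def resolved_packages(lockfile_text):
    """Map package id -> lowest resolved version across all target frameworks in the lockfile."""
    data = json.loads(lockfile_text)
    packages = {}
    for framework in data.get("dependencies", {}).values():
        for name, info in framework.items():
            version = parse_version(info["resolved"])
            if name not in packages or version < packages[name]:
                packages[name] = version
    return packages


def lockfile_matches(lockfile_text, advisories=ADVISORIES):
    """Stage 1, lockfile-only SCA: advisories whose package is present below the fixed version."""
    packages = resolved_packages(lockfile_text)
    return [(adv, packages[adv.package]) for adv in advisories
            if adv.package in packages and packages[adv.package] < adv.fixed_version]


def calls_vulnerable_method(source, advisory):
    """Stage 2, textual reachability: is Type.Method invoked in this C# file?

    The type can be reached via `using <namespace>;` plus its bare name, or via the
    fully qualified name inline; the method must then actually be called.
    """
    namespace, _, type_name = advisory.vulnerable_type.rpartition(".")
    has_using = re.search(r"^\s*using\s+" + re.escape(namespace) + r"\s*;", source, re.M) is not None
    type_referenced = (
        (has_using and re.search(r"\b" + re.escape(type_name) + r"\b", source) is not None)
        or advisory.vulnerable_type in source
    )
    method_called = re.search(r"\." + re.escape(advisory.vulnerable_method) + r"\s*\(", source) is not None
    return type_referenced and method_called


def scan(lockfile_text, sources, advisories=ADVISORIES):
    """Run both stages and label each lockfile match as reachable or not."""
    findings = []
    for adv, version in lockfile_matches(lockfile_text, advisories):
        reachable = any(calls_vulnerable_method(src, adv) for src in sources)
        findings.append({"advisory": adv.advisory_id, "package": adv.package,
                         "version": ".".join(map(str, version)), "reachable": reachable})
    return findings


if __name__ == "__main__":
    print("lockfile-only:", [a.advisory_id for a, _ in lockfile_matches(LOCKFILE)])
    print("reachable:    ", scan(LOCKFILE, [SOURCE_REACHABLE]))
    print("unreachable:  ", scan(LOCKFILE, [SOURCE_UNREACHABLE]))
    print("patched:      ", scan(PATCHED_LOCKFILE, [SOURCE_REACHABLE]))
```

The point to notice is that `SOURCE_UNREACHABLE` still produces a finding from the lockfile stage (the vulnerable version is really installed), but it is marked unreachable because nothing in the application calls `Deserialize`; a lockfile-only tool would report both files identically. The regex check here is deliberately crude: it cannot follow a call through a wrapper method, a delegate or reflection, which is exactly where a real pattern-and-dataflow engine earns its keep.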