Exploit exploitability: prioritize supply chain findings with EPSS
Blog post from Semgrep
The integration of the Exploit Prediction Scoring System (EPSS) into Semgrep Supply Chain provides a powerful tool for prioritizing the remediation of security vulnerabilities: each CVE receives a dynamic score, updated daily, that reflects the likelihood of exploitation within the next 30 days. Developed by the Forum of Incident Response and Security Teams (FIRST), EPSS uses a machine learning model trained on real-world data to help security teams focus on the vulnerabilities that pose the most immediate risk. Although not customized for individual codebases, EPSS serves as a critical prioritization signal alongside Semgrep's dataflow reachability analysis, which reduces false positives by over 90% and lets teams address the most actionable findings first. While EPSS effectively predicts exploitation likelihood, it neither guarantees that an exploit will occur nor assesses a vulnerability's severity, so it should be used together with other measures such as CVSS for a comprehensive security strategy. By combining EPSS with Semgrep's capabilities, security teams can allocate resources strategically, focus on the most pressing vulnerabilities, and ensure their remediation efforts are impactful.
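The triage policy the post describes, as an added example that is not Semgrep's own code: findings are tiered by reachability first, then by the daily-refreshed EPSS probability, with CVSS breaking ties. The `Finding` records, the placeholder CVE ids and the 0.10 EPSS / 7.0 CVSS cut-offs are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Finding:
    cve: str                      # constructed placeholder ids below, not real CVEs
    package: str
    cvss: float                   # severity 0-10; says nothing about exploitation likelihood
    reachable: bool               # dataflow reachability verdict: does app code reach the bug?
    epss: Optional[float] = None  # P(exploited in next 30 days), 0..1; None = not scored yet

# Assumed cut-offs for this example (not Semgrep's): EPSS >= 0.10 is "likely to be
# exploited soon", CVSS >= 7.0 is "high severity".
EPSS_HIGH = 0.10
CVSS_HIGH = 7.0

def apply_epss_feed(findings, feed):
    """Overlay today's EPSS scores (dict cve -> probability) onto the findings.
    EPSS changes daily, so this runs on every scan instead of storing a score once."""
    return [replace(f, epss=feed.get(f.cve, f.epss)) for f in findings]

def tier(f: Finding) -> str:
    """Map one finding to a remediation tier (P1 = fix now, P3 = schedule)."""
    if not f.reachable:
        # the vulnerable function is never reached by application dataflow:
        # track it, but don't interrupt the team even if EPSS and CVSS are high
        return "P3"
    if f.epss is not None and f.epss >= EPSS_HIGH:
        return "P1"               # reachable and likely to be attacked soon
    # reachable but unlikely (or not yet scored): fall back to severity alone
    return "P2" if f.cvss >= CVSS_HIGH else "P3"

def prioritize(findings):
    """Return findings sorted P1 first; within a tier, highest EPSS then CVSS first."""
    order = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(findings, key=lambda f: (order[tier(f)], -(f.epss or 0.0), -f.cvss))

SAMPLE_FINDINGS = [  # constructed data, not real advisories
    Finding("CVE-0000-0001", "libfoo", cvss=9.8, reachable=False, epss=0.92),
    Finding("CVE-0000-0002", "libbar", cvss=7.5, reachable=True, epss=0.31),
    Finding("CVE-0000-0003", "libbaz", cvss=5.3, reachable=True, epss=0.02),
    Finding("CVE-0000-0004", "libqux", cvss=8.1, reachable=True),  # no EPSS score yet
]
TODAYS_FEED = {"CVE-0000-0003": 0.44, "CVE-0000-0004": 0.01}  # constructed daily refresh

if __name__ == "__main__":
    for f in prioritize(apply_epss_feed(SAMPLE_FINDINGS, TODAYS_FEED)):
        print(tier(f), f.cve, f.package, f.epss, f.cvss)
```

Note how the unreachable CVE-0000-0001 stays in P3 despite the highest CVSS and EPSS, while the refreshed feed moves CVE-0000-0003 to the top of the queue.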