It's time to ignore 98% of dependency alerts. Introducing Semgrep Supply Chain.
Blog post from Semgrep
Semgrep Supply Chain is a high-signal dependency scanner built to address the main failure of traditional Software Composition Analysis (SCA) tools: they alert on every known-vulnerable package version in a project, whether or not the vulnerable code is ever invoked, so the flood of alerts is mostly ignored. Semgrep Supply Chain combines Semgrep's first-party code analysis with dependency analysis to surface only the small fraction of vulnerabilities that are actually reachable from an organization's own code, so security teams can prioritize what matters.

The scan works in two stages. First, it reads lockfiles to determine exactly which package versions are in use and whether any of them fall inside a vulnerable version range. Second, for each vulnerable package, it runs a reachability analysis: rules curated by Semgrep's security research team describe the dangerous usage of the affected package (the specific vulnerable API or call pattern), and the first-party code is searched for that usage. A vulnerable version that is pinned but never used in the dangerous way is reported at lower priority rather than as an urgent finding. As with any static reachability analysis, the result is an approximation: dynamic dispatch, reflection, and calls made from within other dependencies are harder to see, so "not reachable" is a prioritization signal rather than a proof of safety.

The goal is pragmatic: security teams have limited time, and reducing manual triage lets them concentrate on vulnerabilities that pose real risk. Semgrep Supply Chain supports Go, JavaScript/TypeScript, Python, and Ruby at launch, with more languages to follow.
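The two-stage approach described above (lockfile matching, then a reachability check against first-party code) can be illustrated with a small script. This is an added example and is not Semgrep's code or a description of how Semgrep Supply Chain is implemented; the package names (`examplelib`, `otherlib`, `patchedlib`), the advisories, the lockfile, and the source file are all constructed for the example. It resolves Python `import` bindings with the `ast` module so that a vulnerable API is matched by its fully qualified name rather than by a bare string search, and it keeps pinned-but-unused vulnerable packages in the output with `reachable` set to `False`, which is the distinction the post is about.

```python
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str              # distribution / import name (hypothetical here)
    fixed_in: tuple           # first non-vulnerable version
    vulnerable_symbol: str    # fully qualified name of the dangerous API


# Constructed advisories for hypothetical packages; these are not real CVEs.
ADVISORIES = [
    Advisory("examplelib", (2, 4, 0), "examplelib.render_template"),
    Advisory("otherlib", (1, 0, 5), "otherlib.unsafe_load"),
    Advisory("patchedlib", (3, 0, 0), "patchedlib.run"),
]


def parse_version(text):
    """Turn '2.3.1' (or '2.31.0rc1') into a comparable tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_lockfile(text):
    """Stage 1: read 'name==version' pins from a requirements-style lockfile."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = parse_version(version)
    return pins


def vulnerable_packages(pins, advisories):
    """Advisories whose package is pinned to a version below the fix."""
    return [a for a in advisories if a.package in pins and pins[a.package] < a.fixed_in]


class _CallFinder(ast.NodeVisitor):
    """Stage 2: record every call site with its fully qualified callee name."""

    def __init__(self):
        self.aliases = {}   # local binding -> fully qualified dotted name
        self.calls = []     # (qualified_name, line number)

    def visit_Import(self, node):
        for alias in node.names:
            top = alias.name.split(".")[0]
            # 'import a.b' binds 'a'; 'import a.b as c' binds 'c' to 'a.b'
            self.aliases[alias.asname or top] = alias.name if alias.asname else top

    def visit_ImportFrom(self, node):
        if node.module is None:          # relative 'from . import x'; not a dependency
            return
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def _qualify(self, expr):
        if isinstance(expr, ast.Name):
            return self.aliases.get(expr.id)          # None for local names
        if isinstance(expr, ast.Attribute):
            base = self._qualify(expr.value)
            return f"{base}.{expr.attr}" if base else None
        return None

    def visit_Call(self, node):
        qualified = self._qualify(node.func)
        if qualified:
            self.calls.append((qualified, node.lineno))
        self.generic_visit(node)           # nested calls in arguments


def reachable_calls(source_text, symbol):
    """Line numbers where first-party code calls the given qualified symbol."""
    finder = _CallFinder()
    finder.visit(ast.parse(source_text))
    return [line for name, line in finder.calls if name == symbol]


def triage(lockfile_text, source_text, advisories=ADVISORIES):
    """Vulnerable pins, each annotated with whether the dangerous API is reached."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in vulnerable_packages(pins, advisories):
        sites = reachable_calls(source_text, adv.vulnerable_symbol)
        findings.append({
            "package": adv.package,
            "version": ".".join(map(str, pins[adv.package])),
            "symbol": adv.vulnerable_symbol,
            "call_sites": sites,
            "reachable": bool(sites),
        })
    return findings


# Constructed inputs: one reachable vulnerable pin, one unused vulnerable pin,
# one pin already at a fixed version.
LOCKFILE = """\
examplelib==2.3.1
otherlib==1.0.2      # vulnerable version, but the API is never called below
patchedlib==3.1.0
"""

SOURCE = """\
import examplelib
from otherlib import unsafe_load as load_cfg
import patchedlib

def render(user_input):
    return examplelib.render_template(user_input)

def run_job(cmd):
    return patchedlib.run(cmd)
"""

if __name__ == "__main__":
    for f in triage(LOCKFILE, SOURCE):
        print(f)
```

Running it reports `examplelib` as reachable (the call on line 6 of the constructed source) and `otherlib` as vulnerable but not reachable; `patchedlib` is dropped at stage 1 because 3.1.0 is not below the fixed version. In a real pipeline the reachability rules would come from a curated database rather than a hard-coded list, and the analysis would have to follow calls across files and into other dependencies, which this single-file walk does not.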