Skip to main content
Semgrep Supply Chain’s dependency search allows you to query for and view any in your project. This feature detects all transitive and direct dependencies across all of your projects in Semgrep AppSec Platform. Additionally, the dependency search results list all versions of a dependency and the projects that use it. You can use dependency search even for newly discovered vulnerabilities that might not yet have a formal CVE or Supply Chain rule. You can also use dependency search to view all versions of a dependency, which can be useful for standardization.
PREREQUISITEAt least one project (a repository or subfolder in a monorepo) that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.
2
Go to Settings > General > Supply Chain.
3
Click search if it’s not already enabled.
4
Navigate to Supply Chain > Dependencies.
Semgrep displays the manifest files or lockfiles that it used to determine dependency information and the dependencies included in each of the manifest files or lockfiles.

View additional manifest files or lockfiles

By default, Semgrep only displays dependencies listed in a given project’s first 10 manifest files or lockfiles. To load information from additional files:
2
Navigate to Supply Chain > Dependencies, and scroll to the bottom of the page.
3
Click Fetch more lockfiles.

Search for dependencies

2
Navigate to Supply Chain > Dependencies.
3
Using the search bar, enter the name of the dependency you are searching for.
4
Optional: Apply filters as necessary for your search.

Filter results by version number

To filter your results by version number, enter the dependency name and press Enter or Return. This returns a list of matches, but you can then filter your results further by version number:
1
Click the name of your dependency to open the dialog:
1
To search for a specific version of a package, click Exact match, then enter the version number.
2
To search for a range of versions, click Range, then enter the minimum and maximum versions.
2
Click Apply to save your changes and see your results.
You can also use the Advanced search to search for specific versions of dependencies:
1
Click Advanced search.
2
Enter the name.
3
To specify a version number, click Exact match. For a range, click Range and provide the minimum and maximum versions.
1
Optional: to search for a specific version of a package, click Exact match, then enter the version number.
2
Optional: to search for a range of versions, click Range, then enter the minimum and maximum versions.
You can search for multiple packages simultaneously.

Search filters

search provides the following filters, which correspond to the data points displayed by Semgrep about each dependency:
FilterDescription
The name and version of the dependency.
ProjectsThe projects where the dependency can be found.
The relationship of the dependency to your codebase.
License The License you set. Determines whether a dependency can be used based on its license.
LicenseThe dependency’s license type.
LanguageThe language of the dependency.