rewrite Supply Chain Overview and update nav bar#2650
Open
khorne3 wants to merge 5 commits into
abhijna approved these changes on Jun 4, 2026
| @@ -3,96 +3,113 @@ title: "Overview" | |||
| description: "Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:" | |||
Collaborator
Suggested change
| description: "Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:" | |
| description: "Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. | |
| It can also:" |
| @@ -3,96 +3,113 @@ title: "Overview" | |||
| description: "Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies. It can also:" | |||
| --- | |||
| * Support the enforcement of your business' [open source package licensing requirements](/semgrep-supply-chain/license-compliance) | ||
| * Detect malicious dependencies | ||
| - Assist with the triage and remediation of security issues | ||
| - Prevent future security issues from the introduction and use of insecure packages |
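Review bot: the four list items added in this hunk mix bullet markers, `*` on the first two lines and `-` on the last two; use one marker for the whole list so the renderer treats it as a single list. The frontmatter `description` also ends with "It can also:" so that the list reads as its continuation, but a description is rendered on its own in places such as search results and page previews, where the trailing colon dangles; consider ending the description at "dependencies." and introducing the list with its own sentence in the body.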
Collaborator
Suggested change
| - Prevent future security issues from the introduction and use of insecure packages | |
| - Prevent future security issues that may arise when insecure packages are introduced or used. |
| Semgrep Supply Chain detects [security vulnerabilities](https://nvd.nist.gov/vuln/full-listing) in your codebase introduced by open source dependencies using high-signal rules, which are instructions Semgrep uses detect patterns in code, to determine the vulnerability's <Tooltip tip="Whether a vulnerable code pattern from a dependency is used in the codebase that imports it. Semgrep Supply Chain requires both a vulnerable version and a matching pattern for reachability." cta="See full definition." href="/semgrep-supply-chain/glossary#reachability">reachability</Tooltip>. | ||
| Semgrep Supply Chain detects [security | ||
| vulnerabilities](https://nvd.nist.gov/vuln/full-listing) in your codebase introduced by open source dependencies using high-signal rules, which are instructions Semgrep uses detect patterns in code, to determine the vulnerability's <Tooltip tip="Whether a vulnerable code pattern from a dependency is used in the codebase that imports it. Semgrep Supply Chain requires both a vulnerable version and a matching pattern for reachability." cta="See full definition." href="/semgrep-supply-chain/glossary#reachability">reachability</Tooltip>. |
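Review bot: the new line keeps the missing word from the old one: "instructions Semgrep uses detect patterns in code" should read "instructions Semgrep uses to detect patterns in code". The sentence also chains three ideas (what is detected, what a rule is, what reachability means) into one clause; splitting the rule definition into its own sentence, as the suggestion above does, reads better. Finally, the link text is now split across two lines (`[security` on one line, `vulnerabilities](...)` on the next); keeping the link on one line makes it easier to review and to grep for.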
Collaborator
Suggested change
| vulnerabilities](https://nvd.nist.gov/vuln/full-listing) in your codebase introduced by open source dependencies using high-signal rules, which are instructions Semgrep uses detect patterns in code, to determine the vulnerability's <Tooltip tip="Whether a vulnerable code pattern from a dependency is used in the codebase that imports it. Semgrep Supply Chain requires both a vulnerable version and a matching pattern for reachability." cta="See full definition." href="/semgrep-supply-chain/glossary#reachability">reachability</Tooltip>. | |
| Semgrep Supply Chain detects vulnerabilities in your codebase introduced by open-source dependencies. It uses high-signal rules to detect patterns in your code, so you can understand the [vulnerabilities](https://nvd.nist.gov/vuln/full-listing) and whether they are <Tooltip tip="Whether a vulnerable code pattern from a dependency is used in the codebase that imports it. Semgrep Supply Chain requires both a vulnerable version and a matching pattern for reachability." cta="See full definition." href="/semgrep-supply-chain/glossary#reachability">reachable</Tooltip>. |
Collaborator
Trying to make it less dense but I'm not a fan of this wording either. I'll leave it to your judgement
| * A finding is **conditionally reachable** if the vulnerability can be exploited when specific conditions are met. The finding is reachable if, in addition to the dataflow reachability in code, additional factors, such as the use of a specific operating system, are met. Semgrep cannot determine whether such factors are true, so conditionally reachable findings require manual review. | ||
| * If Supply Chain determines that you don't use the vulnerable library package imported or you don't use the vulnerable piece of code of the library or package imported, the finding is flagged as **unreachable**. | ||
| * If Supply Chain determines that you use a vulnerable version of a dependency, but Supply Chain doesn't have a relevant reachability rule, it flags the finding as **no reachability analysis**. | ||
| * For **languages where Supply Chain doesn't currently offer <Tooltip tip="Rules that perform reachability analysis to determine if a vulnerable code pattern from a dependency is used in the codebase." cta="See full definition." href="/semgrep-supply-chain/glossary#reachability-rules">reachability rules</Tooltip>** languages, Supply Chain's performance is comparable to that of [GitHub's Dependabot](https://github.com/dependabot). Supply Chain generates these findings by checking the dependency's version against a list of versions with known vulnerabilities, but it does not run reachability analysis. Because Supply Chain doesn't run reachability analysis, it can't determine whether the vulnerability is reachable. Such vulnerabilities are, therefore, flagged as **no reachability analysis**. |
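Review bot: the last bullet repeats "languages" ("For **languages where Supply Chain doesn't currently offer reachability rules** languages"); drop the trailing one, as the suggestion above does. The same bullet then says the same thing twice ("but it does not run reachability analysis. Because Supply Chain doesn't run reachability analysis, it can't determine whether the vulnerability is reachable."); merge those two sentences into one. In the **unreachable** bullet, "you don't use the vulnerable library package imported" is hard to parse; suggest "you don't use the imported library or package at all, or you don't use the vulnerable code within it". The visible lines define **conditionally reachable**, **unreachable** and **no reachability analysis** but not plain **reachable**; if that definition is not in the unchanged lines above this hunk, add it as the first bullet so the list covers every status.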
Collaborator
Suggested change
| * For **languages where Supply Chain doesn't currently offer <Tooltip tip="Rules that perform reachability analysis to determine if a vulnerable code pattern from a dependency is used in the codebase." cta="See full definition." href="/semgrep-supply-chain/glossary#reachability-rules">reachability rules</Tooltip>** languages, Supply Chain's performance is comparable to that of [GitHub's Dependabot](https://github.com/dependabot). Supply Chain generates these findings by checking the dependency's version against a list of versions with known vulnerabilities, but it does not run reachability analysis. Because Supply Chain doesn't run reachability analysis, it can't determine whether the vulnerability is reachable. Such vulnerabilities are, therefore, flagged as **no reachability analysis**. | |
| * For **languages where Supply Chain doesn't currently offer <Tooltip tip="Rules that perform reachability analysis to determine if a vulnerable code pattern from a dependency is used in the codebase." cta="See full definition." href="/semgrep-supply-chain/glossary#reachability-rules">reachability rules</Tooltip>**, Supply Chain's performance is comparable to that of [GitHub's Dependabot](https://github.com/dependabot). Supply Chain generates these findings by checking the dependency's version against a list of versions with known vulnerabilities, but it does not run reachability analysis. Because Supply Chain doesn't run reachability analysis, it can't determine whether the vulnerability is reachable. Such vulnerabilities are, therefore, flagged as **no reachability analysis**. |
| A <Tooltip tip="A dependency of a dependency. If your codebase uses dependency A, and A depends on B, then B is a transitive dependency." cta="See full definition." href="/semgrep-supply-chain/glossary#transitive-or-indirect-dependency">transitive dependency</Tooltip>, also known as an indirect dependency, is a dependency of a dependency. Supply Chain scans transitive dependencies for [all supported languages](/supported-languages#semgrep-supply-chain), looking for security vulnerabilities, but it does *not* perform reachability analysis. This means that Supply Chain doesn't check the source code of your project's dependencies to determine if their dependencies produce a reachable finding in your code. | ||
| However, some dependencies are vulnerable simply through their inclusion in a codebase; in such cases, Supply Chain generates reachable findings involving these dependencies, even if they're transitive, not direct, dependencies. |
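Review bot: the transitive-dependency paragraph states that Supply Chain does *not* perform reachability analysis on transitive dependencies, and the paragraph that follows says it nonetheless generates reachable findings for some transitive dependencies; the two read as contradictory unless the reader works out that the second case is a finding marked reachable by the dependency's presence alone rather than by code analysis. Suggest making that explicit, e.g. "... does not perform reachability analysis. The one exception is dependencies that are vulnerable simply by being included in a codebase: ...", and linking "reachable" in that sentence to the same glossary entry used for the reachability tooltip earlier in the hunk.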
Collaborator
Suggested change
| However, some dependencies are vulnerable simply through their inclusion in a codebase; in such cases, Supply Chain generates reachable findings involving these dependencies, even if they're transitive, not direct, dependencies. | |
| However, some dependencies are vulnerable simply by their inclusion in a codebase; in such cases, Supply Chain generates reachable findings for these dependencies, even if they're transitive rather than direct dependencies. |
Porting changes to the Supply Chain Overview from #2626 to here due to Mintlify migration.
This PR also updates the navbar as a start for the updated navigation.
Please ensure:
main)