Supported languages and package managers
Supply Chain begins the scan process by parsing the manifest file or lockfile. For projects without a lockfile, or with an incomplete lockfile, Supply Chain's Dynamic Dependency Resolution provides a complete inventory of dependencies. This article lists the requirements for projects both with and without lockfiles, as well as the features available to you based on your project's language and package manager.

Language and package manager support
See Supported languages for language-level coverage and feature maturity. For some languages, a lockfile or manifest file is required to accurately determine . See Transitive dependencies and reachability analysis for more information.

The following table lists all Semgrep-supported package managers for each language. Languages with reachability support are listed first.

| Language | Supported package managers | Manifest file or lockfile |
|---|---|---|
| C# | NuGet | .csproj |
| Go | Go modules (go mod) | go.mod |
| Java | Gradle | gradle.lockfile, or build.gradle or build.gradle.kts through Dynamic Dependency Resolution |
| | Maven | Maven-generated dependency tree (see Setting up SSC scans for Apache Maven for instructions), or pom.xml through Dynamic Dependency Resolution |
| JavaScript or TypeScript | npm | package-lock.json |
| | Yarn | yarn.lock |
| | pnpm | pnpm-lock.yaml |
| Kotlin | Gradle | gradle.lockfile |
| | Maven | Maven-generated dependency tree (see Setting up SSC scans for Apache Maven for instructions) |
| Python | pip | requirements.txtᴬ |
| | pip-tools | requirements.txtᴬ |
| | Pipenv | Pipfile.lock |
| | Poetry | poetry.lock |
| | uv | uv.lock |
| Ruby | RubyGems | Gemfile.lock |
| Scala | Maven | Maven-generated dependency tree (see Setting up SSC scans for Apache Maven for instructions) |
| Swift | SwiftPM | Package.swift file and Swift-generated Package.resolved file (see Swift documentation for instructions) |
| Rust | Cargo‡ | Cargo.lock |
| Dart | Pub | pubspec.lock |
| Elixir | Hex | mix.lock |
| PHP | Composer | composer.lock |

ᴬ Supply Chain reads requirements.txt either as a lockfile (Pip-compiled output with fully pinned dependencies) or as a manifest file (more flexible specifiers). If your requirements.txt file doesn't use pinned dependencies exclusively, use the --allow-local-builds flag when invoking your scan. This ensures that dependencies using non-exact version specifiers, such as >=, >, or ~=, are included in the dependency graph. Otherwise, Semgrep ingests only pinned (==) dependencies.

‡ Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as No Reachability Analysis.
Feature support
The following section discusses the features supported by Supply Chain.

Lockfiles and manifest files
For projects with lockfiles, Semgrep parses the lockfiles for dependencies, then scans your codebase for reachable findings based on them. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names. For some languages, a lockfile or manifest file is required to determine . See Transitive dependencies and reachability analysis for more information. Additionally, Semgrep offers beta support for scanning projects written in the following languages without lockfiles, using Dynamic Dependency Resolution. See the following table for more information.

Features for supported languages
The following table lists all Supply Chain features for each language. Languages with reachability support are listed first.

| Language | Reachability (see CVE coverage) | Scan without lockfiles (beta) | License detection | Malicious dependency detection |
|---|---|---|---|---|
| C# | ✅ | ✅ CI and CLI only | ✅ | ✅ |
| Go | ✅ | — | ✅ | ✅ |
| Java | ✅ | ✅ | ✅ | — |
| JavaScript or TypeScript | ✅ | — | ✅ | ✅ |
| Kotlin | ✅ | ✅ | ✅ | — |
| Python | ✅ | ✅ setup.py in CLI or CI | ✅ For PyPI only | ✅ |
| Ruby | ✅ | — | ✅ | ✅ |
| Scala | ✅ | ✅ SBT in CLI or CI | ✅ | — |
| Swift | ✅ | — | ✅† | — |
| PHP | ✅ | — | ✅ | — |
| Rust | No reachability analysis. However, Semgrep can compare a package's version against a list of versions with known vulnerabilities. | — | ✅ | ✅ |
| Dart | — | — | — | |
| Elixir | — | — | — | |