---
slug: malicious-dependencies
title: Detect and remove malicious dependencies
hide_title: true
description: Learn how Semgrep detects malicious dependencies and enable malicious dependency detection in your Supply Chain scans.
tags:
---
:::info
This feature is in private beta. To join, reach out to support.
:::
Malicious dependencies are dangerous packages, or dangerous versions of packages, that are designed to compromise systems. These threats include packages that have always been malicious, such as typo-squatting attacks, or packages that become malicious after an attacker compromises a maintainer or injects harmful code. They are also known as malware.
Semgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs).
This feature is enabled after opting in to the beta program.
The following table lists the languages for which Supply Chain can detect malicious dependencies.
Language | Package manager or ecosystem
---|---
C# | NuGet
Dart | Pub
Elixir | Hex
Go | go.mod
Java | Maven
Python | PyPI
Ruby | RubyGems
Scala | Maven
Swift | SwiftPM
PHP | --
Rust | --
Malicious dependency findings are treated as critical severity findings.
If you have set up your Supply Chain policies to block with this condition, malicious dependency findings block a PR or MR in the same way as any other Supply Chain finding.
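As an added illustration (not Semgrep's code or advisory data), a small Python model of the two cases described above: a package that has always been malicious versus a single compromised release, both reported as critical and blocking the PR under a policy that blocks on critical findings. The advisory entries, package names and requirements file are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed advisory list (not Semgrep's data). versions=None means every
# release of the package is malicious (e.g. a typosquat); a version set means
# only those releases were compromised, so a safe version may exist.
MALICIOUS_ADVISORIES = {
    "requets": {"versions": None, "safe_version": None},
    "examplelib": {"versions": {"2.3.1", "2.3.2"}, "safe_version": "2.4.0"},
}


@dataclass
class Finding:
    package: str
    version: str
    severity: str  # malicious dependency findings are always "critical"
    safe_version: Optional[str]  # None when there is no fixed release


def parse_requirements(text: str) -> list:
    """Parse pinned 'name==version' lines; comments and unpinned lines are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins.append((name.strip().lower(), version.strip()))
    return pins


def find_malicious(requirements: str) -> list:
    """Return one critical Finding per pinned dependency that matches an advisory."""
    findings = []
    for name, version in parse_requirements(requirements):
        advisory = MALICIOUS_ADVISORIES.get(name)
        if advisory is None:
            continue
        if advisory["versions"] is None or version in advisory["versions"]:
            findings.append(Finding(name, version, "critical", advisory["safe_version"]))
    return findings


def blocks_pr(findings: list, block_on: set) -> bool:
    """Model a Supply Chain policy that blocks the PR on any finding of a blocking severity."""
    return any(f.severity in block_on for f in findings)


# Constructed requirements file: one clean pin, one typosquat, one compromised release.
SAMPLE_REQUIREMENTS = """
requests==2.31.0
requets==1.0.0       # typosquat: malicious in every version
examplelib==2.3.1    # compromised release; 2.4.0 is clean
"""
```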
Malicious dependencies appear in Supply Chain > Vulnerabilities, alongside other Supply Chain findings. They are denoted by the Malicious badge.
Figure. A malicious dependency finding.
Use the Malicious dependencies toggle to filter for malicious dependencies detected in your projects. Ensure that you don't have other filters enabled, as they may inadvertently hide findings.
- If there is no fix available, remove the malicious dependency from your codebase and re-run a Supply Chain scan to resolve the finding.
- If there is a safe version to update to, you can fix the finding by updating the dependency and re-running a Supply Chain scan.
- You can apply any Semgrep triage state, such as Ignored, though this is not recommended.
:::caution
If you have configured your policies to display malicious dependency findings to your developers, and you have enabled Settings > Triage via code review comments, your developers are able to triage these findings as Ignored.
:::
You can view all the malicious dependencies that Semgrep can detect by navigating to Supply Chain > Advisories and clicking on the Malicious package filter.
Reach out to support to disable this feature.