| 1 | +--- |
| 2 | +slug: malicious-dependencies |
| 3 | +title: Detect and remove malicious dependencies |
| 4 | +hide_title: true |
| 5 | +description: Learn how Semgrep detects malicious dependencies and enable malicious dependency detection in your Supply Chain scans. |
| 6 | +tags: |
| 7 | + - Semgrep Supply Chain |
| 8 | +--- |
| 9 | + |
| 10 | +# Detect and remove malicious dependencies |
| 11 | + |
| 12 | +:::info |
| 13 | +This feature is in private beta. To join, reach out to [support](/support). |
| 14 | +::: |
| 15 | + |
| 16 | +**Malicious dependencies** are dangerous packages, or dangerous versions of packages, that are designed to compromise systems. These threats include packages that have always been malicious, such as typo-squatting attacks, or packages that become malicious after an attacker compromises a maintainer or injects harmful code. They are also known as malware. |
| 17 | + |
| 18 | +Semgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs). |
| 19 | + |
| 20 | +This feature is enabled after opting in to the beta program. |
| 21 | + |
| 22 | +## Supported package managers and sources of information |
| 23 | + |
| 24 | +Semgrep ingests data from <i class="fas fa-external-link fa-xs"></i>[Open Source Vulnerabilities](https://osv.dev/)). |
| 25 | + |
| 26 | +The following table lists the languages for which Supply Chain can detect malicious dependencies. |
| 27 | + |
| 28 | +| Language | Package manager or ecosystem | |
| 29 | +| :---- | :---- | |
| 30 | +| C\# | NuGet | |
| 31 | +| Dart | Pub | |
| 32 | +| Elixir | Hex | |
| 33 | +| Go | `go.mod` | |
| 34 | +| Java | Maven | |
| 35 | +| Python | PyPi | |
| 36 | +| Ruby | RubyGems | |
| 37 | +| Scala | Maven | |
| 38 | +| Swift | SwiftPM | |
| 39 | +| PHP | \-- | |
| 40 | +| Rust | \-- | |
| 41 | + |
| 42 | +## Malicious dependency findings |
| 43 | + |
| 44 | +Malicious dependency findings are treated as **critical severity** findings. |
| 45 | + |
| 46 | +If you have set up your Supply Chain policies to block with this condition, malicious dependency findings block a PR or MR in the same way as any other Supply Chain finding. |
| 47 | + |
| 48 | +<!-- No way to do this currently |
| 49 | +## Enable or disable malicious dependency detection |
| 50 | +
|
| 51 | +1. Click Settings \> … |
| 52 | +--> |
| 53 | + |
| 54 | +## View malicious dependencies |
| 55 | + |
| 56 | +Malicious dependencies appear in [**Supply Chain > Vulnerabilities**](https://semgrep.dev/orgs/-/supply-chain/vulnerabilities?primary=true&tab=open&last_opened=All+time), alongside other Supply Chain findings. They are denoted by the **Malicious** badge. |
| 57 | + |
| 58 | + |
| 59 | +_**Figure**. A malicious dependency finding._ |
| 60 | + |
| 61 | +Use the **Malicious dependencies <i class="fa-solid fa-toggle-large-on"></i> toggle** to filter for malicious dependencies detected in your projects. Ensure that you don't have other filters enabled as this may inadvertently hide findings. |
| 62 | + |
| 63 | +## Triage and remediation for malicious dependencies |
| 64 | + |
| 65 | +- If there is no fix available, **remove** the malicious dependency from your codebase and re-run a Supply Chain scan to fix it. |
| 66 | +- If there is a safe version to update to, you can fix the finding by updating the dependency and re-running a Supply Chain scan. |
| 67 | +- You can apply [any Semgrep triage state](/semgrep-supply-chain/triage-and-remediation#ignore-findings), such as **Ignored**, though this is not recommended. |
| 68 | + |
| 69 | +:::caution |
| 70 | +If you have configured your policies to display malicious dependency findings to your developers, and you have enabled **Settings > Triage via code review comments**, your developers are able to triage these findings as **Ignored**. |
| 71 | +::: |
| 72 | + |
| 73 | +## Advisories for malicious dependencies |
| 74 | + |
| 75 | +You can view all the malicious dependencies that Semgrep can detect by navigating to [**Supply Chain > Advisories**](https://semgrep.dev/orgs/-/supply-chain/advisories) and clicking on the **<i class="fa-solid fa-square-check"></i> Malicious package** filter. |
| 76 | + |
| 77 | +## Disable malicious dependency detection |
| 78 | + |
| 79 | +Reach out to [support](/support) to disable this feature. |
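Review bot: The remediation list under "Triage and remediation for malicious dependencies" only tells the reader to remove or update the package and re-run the scan, but for a finding that a dependency is malware the doc should also state that removing the package does not undo anything it may have done while it was installed (in CI runners, build containers or developer machines), so readers know to treat the finding as a potential compromise and follow up (for example, rotate any secrets the build had access to and review what the package did). Suggest adding a sentence after the first bullet such as "Removing or updating the dependency does not undo actions the malicious package may have already performed; review the environments where it was installed." Smaller points in the same hunk: the OSV link `[Open Source Vulnerabilities](https://osv.dev/))` has an extra closing parenthesis; "PyPi" in the table should be "PyPI"; the PHP and Rust rows show `\--` with no package manager, so either explain what a dash means in that column or drop the rows until an ecosystem is listed; the `_**Figure**. A malicious dependency finding._` caption has no image above it, so the image embed appears to be missing; and "re-run a Supply Chain scan to fix it" reads as if the scan performs the fix, so "to resolve the finding" would be clearer.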