View advisories and search for related findings
Prerequisites
At least one project (a repository, or a subfolder in a monorepo) that scans its dependencies with Semgrep Supply Chain. See Scan third-party dependencies.
The Advisories page lists the vulnerability announcements relevant to your Semgrep organization, that is, advisories that apply to dependencies your projects use. Most advisories are associated with a Common Vulnerabilities and Exposures (CVE) identifier, but some are not. The page also lets you trace a given advisory to every finding it produced across your projects.
View advisories
To see the advisories relevant to your Semgrep organization:
- Sign in to Semgrep AppSec Platform.
- Go to Rules & Policies > Advisories.
You can use the filters available to narrow down the results displayed:
| Filter | Description |
|---|---|
| Advisory | The title of the advisory or its associated CVE. |
| Language | The language for which the advisory is applicable. |
| Severity | The severity of the findings relevant to the advisory. |
| Analysis type | The reachability type of the findings relevant to the advisory. |
Advisory details
For each advisory listed, you can click the entry to view additional details, including:
- A description
- Reference links
- The rule Semgrep uses to match your code
- Affected projects
Identify findings associated with an advisory
You can use the Advisories page to check whether any of your projects are affected by a specific advisory or CVE:
- Sign in to Semgrep AppSec Platform.
- Go to Rules & Policies > Advisories.
- Using the Advisory filter, provide the relevant CVE or keywords.
- Click the advisory in the results list to open the Advisory Details dialog.
- Go to Affected projects.
For each affected project, Semgrep displays the number of relevant findings on each of the project's branches. Clicking a number takes you to the Findings page, filtered to those findings, where you can see in-depth information about each one.
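The same triage can be reproduced offline from scan output, which is useful in a pipeline that has no access to the platform UI. The following is an added example and is not Semgrep's own code. It assumes scan results in the `results[]` layout of `semgrep ci --json`, with the CVE identifier under `extra.metadata["sca-vuln-database-identifier"]` and the reachability verdict under `extra.sca_info.reachable`; those field names are an assumption to verify against your own scan output, and the project names, branches, CVE identifiers and messages in the sample are constructed placeholders.

```python
"""Group Supply Chain findings by advisory, then by project and branch.

Added example, not part of the Semgrep documentation or code base. The field
names under "extra" are assumed from the shape of ``semgrep ci --json`` output;
confirm them against a real scan before relying on this script.
"""
from collections import defaultdict

# Constructed sample: three scans of two projects. The CVE identifiers,
# package names and messages are placeholders, not real advisories.
SAMPLE_SCANS = [
    {"project": "payments-api", "branch": "main", "results": [
        {"check_id": "ssc-placeholder-0001", "path": "requirements.txt",
         "extra": {"message": "examplelib before 1.2.4 allows remote code execution (placeholder)",
                   "severity": "ERROR",
                   "metadata": {"sca-vuln-database-identifier": "CVE-0000-0001"},
                   "sca_info": {"reachable": True,
                                "dependency_match": {"package": "examplelib", "version": "1.2.3"}}}},
        {"check_id": "ssc-placeholder-0002", "path": "requirements.txt",
         "extra": {"message": "otherlib before 4.0.1 has a denial of service (placeholder)",
                   "severity": "WARNING",
                   "metadata": {"sca-vuln-database-identifier": "CVE-0000-0002"},
                   "sca_info": {"reachable": False,
                                "dependency_match": {"package": "otherlib", "version": "4.0.0"}}}},
    ]},
    {"project": "payments-api", "branch": "feature-x", "results": [
        # Same vulnerable version, but the vulnerable function is no longer called on this branch.
        {"check_id": "ssc-placeholder-0001", "path": "requirements.txt",
         "extra": {"message": "examplelib before 1.2.4 allows remote code execution (placeholder)",
                   "severity": "ERROR",
                   "metadata": {"sca-vuln-database-identifier": "CVE-0000-0001"},
                   "sca_info": {"reachable": False,
                                "dependency_match": {"package": "examplelib", "version": "1.2.3"}}}},
    ]},
    {"project": "web-frontend", "branch": "main", "results": [
        {"check_id": "ssc-placeholder-0002", "path": "package-lock.json",
         "extra": {"message": "otherlib before 4.0.1 has a denial of service (placeholder)",
                   "severity": "WARNING",
                   "metadata": {"sca-vuln-database-identifier": "CVE-0000-0002"},
                   "sca_info": {"reachable": True,
                                "dependency_match": {"package": "otherlib", "version": "4.0.0"}}}},
    ]},
]


def advisory_matches(result, query):
    """Mirror the Advisory filter: case-insensitive match on CVE id, rule id or message."""
    q = query.lower()
    extra = result.get("extra", {})
    fields = (
        extra.get("metadata", {}).get("sca-vuln-database-identifier", ""),
        result.get("check_id", ""),
        extra.get("message", ""),
    )
    return any(q in field.lower() for field in fields)


def findings_for_advisory(scans, query):
    """Return {(project, branch): {"reachable": n, "unreachable": n}} for matching findings.

    Only project/branch pairs with at least one matching finding appear in the result,
    which is what the Affected projects view shows.
    """
    counts = defaultdict(lambda: {"reachable": 0, "unreachable": 0})
    for scan in scans:
        key = (scan["project"], scan["branch"])
        for result in scan["results"]:
            if not advisory_matches(result, query):
                continue
            # A finding with no sca_info block is treated as unreachable (assumed default).
            reachable = result["extra"].get("sca_info", {}).get("reachable", False)
            counts[key]["reachable" if reachable else "unreachable"] += 1
    return dict(counts)


def affected_projects(scans, query):
    """Sorted list of projects with a matching finding on any branch."""
    return sorted({project for (project, _branch) in findings_for_advisory(scans, query)})


def format_report(scans, query):
    """Human-readable summary in the shape of the Affected projects table."""
    lines = [f"Findings for '{query}':"]
    for (project, branch), n in sorted(findings_for_advisory(scans, query).items()):
        lines.append(f"  {project} [{branch}]: {n['reachable']} reachable, {n['unreachable']} unreachable")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_SCANS, "CVE-0000-0001"))
```

Reachable findings are the ones to fix first; an unreachable finding on one branch and a reachable finding on another for the same CVE, as in the sample, usually means the fix-forward branch still carries the vulnerable version and needs the dependency bump as well.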