Original Post: It’s time to ignore 98% of dependency alerts. Introducing Semgrep Supply Chain.
The post addresses a common problem with Software Composition Analysis (SCA) tools: they raise a large volume of alerts for vulnerable dependencies whose vulnerable code the application never actually executes, which makes triage inefficient and burdensome. It introduces Semgrep Supply Chain, a dependency scanner that prioritizes actionable vulnerabilities through reachability analysis: it combines Semgrep's code analysis with dependency scanning to check whether the vulnerable part of a dependency is actually used by the code, so that only findings that affect the application are surfaced. This reduces noise and lets security teams focus on the vulnerabilities that matter and manage them more efficiently. Semgrep Supply Chain supports several programming languages and helps security teams prioritize critical vulnerabilities over benign ones.
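To make the reachability idea concrete, the following is an added illustration (not Semgrep's code, and not its rule format) of the two stages the summary describes: a dependency-scanning stage that matches pinned versions in a lockfile against advisories, followed by a code-analysis stage that keeps only the advisories whose affected function is actually imported and called in first-party code. The advisory identifiers, package names, lockfile contents and source snippets are all constructed for the example.

```python
"""Toy reachability-aware dependency scan (added example, not Semgrep's code).

Stage 1: match pinned versions in a lockfile against a list of advisories.
Stage 2: keep only advisories whose affected symbol is called from first-party
         code; the rest are reported as unreachable and can be deprioritized.
All advisories, packages, lockfile lines and sources below are constructed.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed identifier, not a real CVE/GHSA id
    package: str
    vulnerable_below: tuple   # versions strictly below this are vulnerable
    affected_symbol: str      # "module.function" that must be called to matter


# Constructed advisories for fictitious packages.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "imgtool", (2, 4, 0), "imgtool.load_untrusted"),
    Advisory("EXAMPLE-0002", "yamlish", (5, 0, 0), "yamlish.full_load"),
    Advisory("EXAMPLE-0003", "fastjson", (1, 9, 2), "fastjson.parse_nested"),
]

# Constructed pip-style lockfile: all three advisories match on version alone.
LOCKFILE = """
# constructed example lockfile
imgtool==2.3.1
yamlish==4.2.0
fastjson==1.9.1
requests==2.31.0
"""

# Constructed first-party sources. Only imgtool and fastjson call the affected
# function; yamlish is used, but via a function the advisory does not cover.
SOURCES = [
    "import imgtool\n\ndef handler(blob):\n    return imgtool.load_untrusted(blob)\n",
    "import yamlish as y\n\ndef cfg(path):\n    return y.safe_load(open(path))\n",
    "from fastjson import parse_nested as pn\n\ndef api(data):\n    return pn(data)\n",
]


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def parse_lockfile(text):
    """Parse 'name==x.y.z' pins into {package: version_tuple}."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, ver = line.partition("==")
        deps[name.strip().lower()] = parse_version(ver.strip())
    return deps


def vulnerable_deps(deps, advisories=ADVISORIES):
    """Stage 1: advisories whose package is pinned to a vulnerable version."""
    return [a for a in advisories
            if a.package in deps and deps[a.package] < a.vulnerable_below]


def called_symbols(source):
    """Stage 2 helper: fully-qualified names of functions the source calls.
    Resolves `import m`, `import m as n` and `from m import f [as g]`."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully-qualified module or function name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    called = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in aliases:
            called.add(aliases[f.id])
        elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
              and f.value.id in aliases):
            called.add(f"{aliases[f.value.id]}.{f.attr}")
    return called


def scan(lockfile_text, sources):
    """Return (reachable_ids, unreachable_ids) for the given lockfile and sources."""
    hits = vulnerable_deps(parse_lockfile(lockfile_text))
    used = set().union(*(called_symbols(s) for s in sources))
    reachable = sorted(a.advisory_id for a in hits if a.affected_symbol in used)
    unreachable = sorted(a.advisory_id for a in hits if a.affected_symbol not in used)
    return reachable, unreachable


if __name__ == "__main__":
    r, u = scan(LOCKFILE, SOURCES)
    print("reachable (fix now):", r)
    print("unreachable (deprioritize):", u)
```

Run stand-alone, the version check alone flags all three constructed advisories, while the call check narrows that to the two whose affected function is actually invoked. The toy only resolves direct calls through import aliases in first-party code; a real reachability analysis also has to follow calls through the dependency's own code and through transitive dependencies, and an "unreachable" result is a prioritization signal rather than proof that the vulnerable version is safe to keep.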
Go here to read the Original Post