SCA tool with reachability analysis for dependency vulnerabilities

Semgrep Supply Chain is a software composition analysis tool that identifies and prioritizes dependency vulnerabilities in application code. The product performs reachability analysis to determine whether vulnerable functions in dependencies are actually called by the application code, filtering out unreachable vulnerabilities to reduce false positives. The product shows the exact lines of code where vulnerable dependency functions are used, providing developers with actionable remediation guidance.

The tool detects malicious dependencies using a database of over 80,000 known malicious packages, including backdoors, cryptominers, and trojans. It provides same-day incident response support for emerging open source malware attacks. Semgrep Supply Chain includes configurable policies with API and JIRA integration to automatically block malicious packages from merging into projects.

Semgrep Supply Chain offers license compliance management, allowing organizations to gain visibility into dependency licenses and configure policies to block pull requests that use non-compliant licenses. The product includes dependency search functionality to locate any dependency at any version across the entire codebase. The tool integrates with source code management platforms and CI/CD providers. It supports multiple programming languages including C#, Go, Java, JavaScript, Python, PHP, Ruby, and TypeScript.
Common questions about Semgrep Supply Chain including features, pricing, alternatives, and user reviews.
Semgrep Supply Chain is an SCA tool with reachability analysis for dependency vulnerabilities, developed by Semgrep. It is an Application Security solution designed to help security teams with Dependency Scanning, License Compliance, and Supply Chain Security.
SCA tool for managing security, quality, and license risks in open source code
SCA tool for code scanning, license identification, and SBOM generation
SCA tool for detecting vulnerabilities & license risks in open-source deps
Autonomous open source supply chain security & license compliance platform.