CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Software Composition Analysis (SCA)

security Intermediate

Also Known As

SCA dependency scanning OSS vulnerability scanning

TL;DR

The practice and tooling for identifying all open-source and third-party components in a codebase, detecting known vulnerabilities (CVEs) in them, and flagging licence risks — distinct from static analysis of your own code.

Explanation

SCA tools parse manifests (composer.lock, package-lock.json, go.sum, requirements.txt, Cargo.lock), resolve the full transitive dependency tree, and cross-reference every package + version against vulnerability databases such as the National Vulnerability Database, GitHub Advisory Database, OSV.dev, and Snyk's own feed. Output typically includes: direct vs transitive hit, severity (CVSS), fix-available version, and licence compatibility with your project's licence. Popular tools include Dependabot, Snyk, GitHub's built-in advisories, OWASP Dependency-Check, Grype, and Trivy. SCA differs from SAST (which analyses your own source code for bugs) and DAST (which tests running applications) — it is concerned only with the components you pulled in. Modern supply-chain-attack awareness (SolarWinds, xz-utils, Log4Shell) made SCA a mandatory part of any security programme.

Common Misconception

SCA only catches vulnerabilities that are already disclosed and in a database — it cannot find zero-days, logic bugs, or supply-chain attacks where the malicious code is in a new release that has not yet been flagged. Pin versions and review changelogs; do not rely on SCA alone.

Why It Matters

Most production code is 70-90% third-party by line count. A vulnerability in a transitive dependency you have never heard of can become your vulnerability overnight. SCA surfaces the problem before an attacker does, and compliance regimes (SOC 2, ISO 27001, NIST) increasingly require it.

Common Mistakes

  • Scanning only direct dependencies — transitive dependencies are often the ones with critical CVEs; make sure your tool resolves the full tree.
  • Ignoring 'low' severity findings forever — low + widespread + in a signing library can be more dangerous than a 'critical' in an obscure dev-only package.
  • Not scanning lock files — scanning a range spec like ^1.2.0 finds hypothetical vulnerabilities; scan the lock file for what is actually installed.
  • Treating SCA as a gate without triage — flooding pull requests with findings burns out the team and everything gets marked 'won't fix'; tune thresholds and require context in the ticket.
  • Forgetting the licence axis — SCA also flags GPL or AGPL pulled into a commercial proprietary product; that risk can be bigger than the CVE list.

Avoid When

  • A trivial internal tool with zero external dependencies and no user input — the signal-to-noise is low.

When To Use

  • Any project shipping to production — run SCA in CI on every pull request.
  • Compliance audits — SOC 2 / ISO 27001 / PCI-DSS increasingly expect continuous component scanning.
  • Before accepting a new major-version upgrade — run SCA against the new lock file first.
Added 18 Apr 2026
Views 19

Curated in Warsaw under one editorial standard. 1,444 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 1 ping S 0 pings M 0 pings T 1 ping W 0 pings T 1 ping F 0 pings S 0 pings S 0 pings M 1 ping T 0 pings W 1 ping T 1 ping F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T
Agents 0
No pings yet today
No pings yesterday
Perplexity 3 Google 2 SEMrush 2 Ahrefs 1
Also referenced
Responsible Vulnerability Disclosure 66 Supply Chain Attack 25 Dependency Confusion Attack 23 Dependency Audit & CVE Scanning 18 Dependency & Supply Chain Security 10
How they use it
crawler 8
Related categories
security 4k general 1.4k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Run a free SCA pass locally: `npm audit --production` or `composer audit` or `pip-audit` — fix criticals before merging.
🔗 Prerequisites
✓ schema.org compliant