
Software Composition Analysis (SCA)

ℹ️

DevGuard performs continuous SCA to identify vulnerabilities in your project’s dependencies after your first scan (based on the SBOM). See the Mitigation Guide.

What is Software Composition Analysis?

Software Composition Analysis (SCA) identifies and assesses open-source and third-party dependencies in your software. By analyzing dependency manifests and runtime libraries, SCA detects known vulnerabilities. This process is crucial for managing risks associated with using open-source software.

How DevGuard SCA Works

  1. SBOM Generation: DevGuard uses Trivy to scan the application’s dependencies and generate a Software Bill of Materials (SBOM). The SBOM contains all detected components and their metadata.
  2. Vulnerability Matching: The SBOM is cross-referenced with:
    • Public vulnerability databases like CVE.
    • DevGuard’s extended database for enhanced coverage.
  3. Risk Reporting: Tickets are automatically created for detected vulnerabilities if integrations (e.g., GitLab Issues, GitHub Issues) are enabled. Otherwise, the risks are visible in:
    • DevGuard UI: A dashboard showing the current risk posture.
    • Command Output: Run devguard-scanner sca to view detected vulnerabilities.
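As an added illustration of steps 1 and 2 (not DevGuard's own code and not real Trivy output), the following Python cross-references a constructed CycloneDX-style SBOM against a constructed advisory list by package URL and version range; every package name and advisory id below is a placeholder.

```python
import json

# Constructed CycloneDX-style SBOM fragment (placeholder packages, not real Trivy output).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "example-json", "version": "2.4.1", "purl": "pkg:npm/example-json@2.4.1"},
    {"name": "example-yaml", "version": "5.1.0", "purl": "pkg:pypi/example-yaml@5.1.0"},
    {"name": "example-http", "version": "0.9.7", "purl": "pkg:golang/example.org/http@0.9.7"}
  ]
}"""

# Constructed advisory records with placeholder ids; a real feed would carry CVE/OSV data.
# Affected range is [introduced, fixed): the fixed version itself is clean.
VULN_DB = [
    {"id": "EXAMPLE-0001", "purl": "pkg:npm/example-json", "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/example-yaml", "introduced": "0", "fixed": "5.1.0"},
    {"id": "EXAMPLE-0003", "purl": "pkg:golang/example.org/http", "introduced": "0.9.0", "fixed": "0.9.8"},
]

def parse_version(v):
    """Turn '2.4.1' into (2, 4, 1) for tuple comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def split_purl(purl):
    """'pkg:npm/example-json@2.4.1' -> ('pkg:npm/example-json', '2.4.1'); qualifiers ignored."""
    base, _, version = purl.partition("@")
    return base, version.split("?")[0]

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def match_sbom(sbom_text, vuln_db):
    """Report every SBOM component whose version falls in an advisory's affected range."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp["purl"])
        for adv in vuln_db:
            if adv["purl"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": version,
                                 "id": adv["id"], "fixed_in": adv["fixed"]})
    return findings

if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, VULN_DB):
        print(f"{f['id']}: {f['component']}@{f['version']} (fixed in {f['fixed_in']})")
```

With the constructed data, example-yaml is reported clean because its installed version equals the advisory's fixed version, which is the boundary case a matcher must get right.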

Why SCA Matters

  • Security: Protect against exploits by addressing known vulnerabilities.
  • Compliance: Ensure alignment with compliance and security framework requirements.
  • Reliability: Minimize runtime failures due to outdated or insecure dependencies.

By incorporating SCA into your development lifecycle, you can proactively manage risks and contribute to a secure software supply chain.