Software Composition Analysis (SCA)
Know exactly what is inside your software, and which components put you at risk.

Overview
Software Composition Analysis identifies and manages the open-source and third-party components in your software. It inventories direct and transitive dependencies, flags known vulnerabilities and risky or incompatible licenses, and generates a Software Bill of Materials in standard formats like CycloneDX or SPDX. It gives teams clear visibility into the open-source software they rely on, with continuous dependency tracking and early vulnerability identification. SCA also supports license compliance management, helping organisations meet their obligations across the development lifecycle.
Methodology & Standards
The engagement draws on the CycloneDX and SPDX SBOM formats, vulnerability matching against the NVD and OSV databases, OWASP Dependency-Track concepts and OWASP A06 (Vulnerable and Outdated Components). The process covers codebase scanning and SBOM generation, component identification, vulnerability detection, and policy compliance validation.
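As an added illustration of the SBOM-to-OSV matching step described above (example code, not the provider's tooling or anything from the original page): a small Python script that parses a constructed CycloneDX SBOM, extracts each component's package URL, and checks its version against constructed OSV-style advisories using OSV's introduced/fixed range events. Package names, advisory IDs and versions are all made up; it assumes plain dotted-integer versions with no pre-release tags.

```python
import json

# Constructed CycloneDX 1.5-style SBOM fragment (not a real project's SBOM).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "example-json", "version": "2.1.0", "purl": "pkg:pypi/example-json@2.1.0"},
  {"type": "library", "name": "example-http", "version": "1.4.2", "purl": "pkg:pypi/example-http@1.4.2"},
  {"type": "library", "name": "example-yaml", "version": "3.0.0", "purl": "pkg:pypi/example-yaml@3.0.0"}
]}"""

# Constructed OSV-style advisories (placeholder IDs): each lists affected packages with
# chronological introduced/fixed events, the same shape real OSV records use.
OSV_FEED = [
    {"id": "EXAMPLE-2024-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "example-json"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.1"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "example-http"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.0"}]}]}]},
]

ECOSYSTEM_OF = {"pypi": "PyPI"}  # purl type -> OSV ecosystem name (only the one used here)

def vkey(version):
    """Comparison key for dotted-integer versions; assumption: no pre-release or build tags."""
    return tuple(int(part) for part in version.split("."))

def parse_purl(purl):
    """Split 'pkg:type/name@version' into (ecosystem, name, version); assumes that simple purl shape."""
    ptype, rest = purl[len("pkg:"):].split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ECOSYSTEM_OF.get(ptype, ptype), name, version

def version_affected(version, events):
    """Walk the OSV events in order: an 'introduced' at or below the version marks it affected,
    a later 'fixed' at or below the version clears it. The final state is the verdict."""
    v, affected = vkey(version), False
    for event in events:
        if "introduced" in event and vkey(event["introduced"]) <= v:
            affected = True
        elif "fixed" in event and vkey(event["fixed"]) <= v:
            affected = False
    return affected

def match_sbom(sbom_json, feed):
    """Return {purl: [advisory ids]} for SBOM components whose version falls in an affected range."""
    index = {}  # (ecosystem, name) -> [(advisory id, events)]
    for advisory in feed:
        for affected in advisory["affected"]:
            key = (affected["package"]["ecosystem"], affected["package"]["name"])
            for rng in affected["ranges"]:
                index.setdefault(key, []).append((advisory["id"], rng["events"]))
    findings = {}
    for component in json.loads(sbom_json)["components"]:
        ecosystem, name, version = parse_purl(component["purl"])
        for advisory_id, events in index.get((ecosystem, name), []):
            if version_affected(version, events):
                findings.setdefault(component["purl"], []).append(advisory_id)
    return findings

if __name__ == "__main__":
    for purl, ids in match_sbom(SBOM_JSON, OSV_FEED).items():
        print(f"{purl} -> {', '.join(ids)}")  # only example-json is still in a vulnerable range
```

A production scanner would pull the feed from the OSV API or NVD and use a proper version parser for each ecosystem; the matching logic is the part this example demonstrates.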
Frequently Asked Questions
A pentest attacks your running application; SCA inventories the third-party code inside it and flags known-vulnerable dependencies and license risk. They are complementary.
Yes. We produce a machine-readable SBOM in CycloneDX or SPDX covering direct and transitive dependencies, which is what enterprise buyers and the EU CRA increasingly require.
SCA helps organisations identify vulnerable open-source components, manage license obligations, improve software quality, and maintain visibility into third-party dependencies throughout the development lifecycle.