SCA Scanning
SCA (Software Composition Analysis) scanning analyzes the components and dependencies of a software application to identify potential security vulnerabilities, license issues, and compliance issues.
- SCA Analysis: SOOS inspects your manifest files and related project files to identify the open source software used by your applications.
- Dependency Tree Creation: After identifying directly referenced open source software, SOOS’s patented dependency resolution builds the full dependency tree and catalogs introduction paths.
- Vulnerability Matching: Using the full set of packages and dependencies, SOOS matches packages to known vulnerabilities. SOOS identifies available fixes (newer, vulnerability-free versions) and can open pull requests for those fixes automatically through GitHub.
- License Matching: Using the full set of packages and dependencies, SOOS matches packages to licenses.
- Governance Policies: SOOS’s suite of governance policies may be run against the packages and licenses which were identified.
- Issue Creation: Issues are created for any vulnerabilities, governance policy violations, unknown packages, and more.
- Report Generation: Reports for each SCA scan are created and accessible via the SOOS Developer, Legal, Security, and Compliance dashboards.
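To make the pipeline above concrete, here is an added example (written for this page, not SOOS code or the SOOS API) that runs the same steps in miniature: resolve a manifest's direct dependencies to a full tree while recording each package's introduction paths, match packages against vulnerability and license data, apply a few governance policies, and emit issues. The package names (`webclient`, `httpcore`, `certs`, `gpl-widget`, `mystery-lib`), the advisory IDs (`EXAMPLE-…`), the registry and the policies are all constructed for the example and correspond to nothing real; a real scanner would read lock files and query a vulnerability database, and would use ecosystem-specific version semantics rather than the simplified numeric comparison used here.

```python
"""Miniature SCA pipeline: resolve -> introduction paths -> match -> policies -> issues."""

# Constructed stand-in for a package index / lock file: (name, version) -> metadata.
REGISTRY = {
    ("webclient", "2.1.0"): {"license": "Apache-2.0", "deps": {"httpcore": "1.4.2", "certs": "3.0.0"}},
    ("httpcore", "1.4.2"): {"license": "MIT", "deps": {"certs": "3.0.0"}},
    ("certs", "3.0.0"): {"license": "MPL-2.0", "deps": {}},
    ("gpl-widget", "1.0.0"): {"license": "GPL-3.0-only", "deps": {}},
}

# Constructed advisories keyed by package name, with OSV-style introduced/fixed bounds.
ADVISORIES = {
    "httpcore": [{"id": "EXAMPLE-2024-0001", "severity": "HIGH", "introduced": "1.0.0", "fixed": "1.4.3"}],
    "certs": [{"id": "EXAMPLE-2023-0007", "severity": "LOW", "introduced": "0.0.0", "fixed": "2.9.0"}],
}

DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed governance policies: (name, predicate over an issue).
POLICIES = [
    ("no-high-severity-vulns", lambda i: i["type"] == "vulnerability" and i["severity"] in {"HIGH", "CRITICAL"}),
    ("no-copyleft-licenses", lambda i: i["type"] == "license"),
    ("no-unknown-packages", lambda i: i["type"] == "unknown_package"),
]

# Constructed manifest of direct dependencies; mystery-lib is absent from the registry on purpose.
MANIFEST = {"webclient": "2.1.0", "gpl-widget": "1.0.0", "mystery-lib": "0.3.0"}


def parse_version(v):
    """Simplified dotted-numeric versions only; real SCA needs PEP 440 / semver / Maven rules."""
    return tuple(int(p) for p in v.split("."))


def resolve(manifest):
    """Build the full dependency tree. Returns ({(name, ver): [introduction_path, ...]}, {unknown: path})."""
    paths, unknown = {}, {}

    def walk(name, version, parent_path):
        key, node = (name, version), f"{name}@{version}"
        path = parent_path + [node]
        if key not in REGISTRY:
            unknown.setdefault(key, path)  # cannot be resolved: becomes an "unknown package" issue
            return
        if name in (p.split("@")[0] for p in parent_path):
            return  # cycle guard: do not re-enter a package already on the current path
        paths.setdefault(key, []).append(path)  # every distinct path by which the package is introduced
        for dep, dep_ver in REGISTRY[key]["deps"].items():
            walk(dep, dep_ver, path)

    for name, version in manifest.items():
        walk(name, version, [])
    return paths, unknown


def match_vulns(paths):
    """A package is affected when introduced <= version < fixed; the fixed bound is the suggested upgrade."""
    issues = []
    for (name, version), intro_paths in paths.items():
        v = parse_version(version)
        for adv in ADVISORIES.get(name, []):
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                issues.append({"type": "vulnerability", "package": f"{name}@{version}", "id": adv["id"],
                               "severity": adv["severity"], "fix": adv["fixed"], "paths": intro_paths})
    return issues


def match_licenses(paths):
    return [{"type": "license", "package": f"{n}@{v}", "license": REGISTRY[(n, v)]["license"], "paths": p}
            for (n, v), p in paths.items() if REGISTRY[(n, v)]["license"] in DENIED_LICENSES]


def apply_policies(issues):
    """Names of policies violated by at least one issue, sorted for stable output."""
    return sorted({name for name, pred in POLICIES for i in issues if pred(i)})


def scan(manifest):
    paths, unknown = resolve(manifest)
    issues = match_vulns(paths) + match_licenses(paths)
    issues += [{"type": "unknown_package", "package": f"{n}@{v}", "paths": [p]} for (n, v), p in unknown.items()]
    return {"packages": len(paths), "issues": issues, "violated_policies": apply_policies(issues)}


if __name__ == "__main__":
    result = scan(MANIFEST)
    print(f"{result['packages']} resolved packages, {len(result['issues'])} issues")
    for issue in result["issues"]:
        print(issue["type"], issue["package"], "via", " -> ".join(issue["paths"][0]),
              f"(fix: {issue['fix']})" if "fix" in issue else "")
    print("violated policies:", result["violated_policies"])
```

The introduction paths are the part worth paying attention to: `certs@3.0.0` is reached both directly from `webclient` and through `httpcore`, so a fix that bumps only one edge of the tree does not remove the package, and a real remediation PR has to pick the version that satisfies every path.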
Updated 25 Feb 2025