How SCA Works
SCA performs deterministic dependency scanning in four steps:
- Dependency Discovery: Analyzes package manifests and lock files to build the complete dependency tree
- Vulnerability Matching: Queries vulnerability databases (NVD, GitHub Advisory, OSV) for known CVEs
- Version Analysis: Identifies vulnerable versions and available fixes
- License Detection: Analyzes license information for compliance
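The four steps above, as an added example that is not the product's own code: a miniature SCA pipeline that walks a constructed package-lock.json (direct and transitive dependencies), builds the request body shape used by OSV's `/v1/querybatch` endpoint, evaluates OSV-style SEMVER range events offline against constructed advisories, reports the nearest fixed version and the chain that pulls the package in, and ranks hits by EPSS. Package names, versions, advisories, EPSS values and the CVE id are all constructed placeholders. The lockfile walker assumes a flat (hoisted) `node_modules` layout for brevity.

```python
"""Added example: a miniature SCA pipeline (discover -> match -> fix analysis).
Not the product's own code. Every package, version, advisory and EPSS value
below is constructed for illustration; the CVE id is a placeholder."""
import json
from typing import Dict, List, Optional, Tuple

# --- constructed inputs --------------------------------------------------
# A package-lock.json in lockfileVersion 3 layout (entries keyed by install path).
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"web-framework": "^1.2.0"}},
        "node_modules/web-framework": {"version": "1.2.3",
                                       "dependencies": {"qs-parser": "^6.0.0"}},
        "node_modules/qs-parser": {"version": "6.0.4"},
    },
})
# Advisories in OSV's shape: id, aliases, affected[].package, affected[].ranges[].events.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "aliases": ["CVE-0000-PLACEHOLDER"],
     "summary": "constructed: prototype pollution in query-string parsing",
     "affected": [{"package": {"ecosystem": "npm", "name": "qs-parser"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "6.0.0"}, {"fixed": "6.0.5"}]}]}]},
    {"id": "EXAMPLE-ADVISORY-2", "aliases": [],
     "summary": "constructed: already fixed in the installed version, must not match",
     "affected": [{"package": {"ecosystem": "npm", "name": "web-framework"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}, {"fixed": "1.2.0"}]}]}]},
]
EPSS_SCORES = {"CVE-0000-PLACEHOLDER": 0.42}  # constructed, not a real EPSS feed


def semver(v: str) -> Tuple[int, ...]:
    """Comparable tuple from a dotted version; pre-release/build tags are dropped."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def discover(lock_text: str) -> List[dict]:
    """Step 1: walk the lockfile from the root and record every reachable package,
    direct or transitive, together with the chain that pulls it in.
    Assumes a flat (hoisted) node_modules layout: nested paths are not resolved."""
    pkgs = json.loads(lock_text)["packages"]
    found, seen = [], set()

    def walk(deps: Dict[str, str], chain: List[str]) -> None:
        for name in deps:
            entry = pkgs.get(f"node_modules/{name}")
            if entry is None or name in seen:
                continue
            seen.add(name)
            found.append({"name": name, "version": entry["version"],
                          "direct": not chain, "chain": chain + [name]})
            walk(entry.get("dependencies", {}), chain + [name])

    walk(pkgs[""].get("dependencies", {}), [])
    return found


def osv_batch_query(packages: List[dict], ecosystem: str = "npm") -> dict:
    """Request body shape accepted by OSV's /v1/querybatch endpoint (not sent here)."""
    return {"queries": [{"package": {"name": p["name"], "ecosystem": ecosystem},
                         "version": p["version"]} for p in packages]}


def affected_by(version: str, rng: dict) -> Tuple[bool, Optional[str]]:
    """Evaluate OSV SEMVER events in order: a version is affected while
    introduced <= v < fixed. Returns (is_affected, nearest fix above v or None)."""
    v = semver(version)
    vulnerable, fix = False, None
    for ev in rng["events"]:
        if "introduced" in ev and semver(ev["introduced"]) <= v:
            vulnerable = True
        if "fixed" in ev:
            if semver(ev["fixed"]) <= v:
                vulnerable = False
            elif fix is None:
                fix = ev["fixed"]
    return vulnerable, fix


def match(packages: List[dict], advisories: List[dict]) -> List[dict]:
    """Steps 2 and 3: match discovered packages against advisories, attach the
    CVE aliases, the fixed version, the dependency chain and an EPSS score."""
    findings = []
    for p in packages:
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["name"] != p["name"]:
                    continue
                for rng in aff["ranges"]:
                    hit, fix = affected_by(p["version"], rng)
                    if not hit:
                        continue
                    cves = [a for a in adv.get("aliases", []) if a.startswith("CVE-")]
                    findings.append({
                        "package": p["name"], "version": p["version"],
                        "advisory": adv["id"], "cves": cves, "fixed_in": fix,
                        "transitive": not p["direct"], "via": " > ".join(p["chain"]),
                        "epss": max((EPSS_SCORES.get(c, 0.0) for c in cves), default=0.0)})
    return findings


def scan(lock_text: str = SAMPLE_LOCKFILE, advisories: List[dict] = SAMPLE_ADVISORIES) -> List[dict]:
    """Whole pipeline, highest EPSS first (the page's prioritisation advice)."""
    return sorted(match(discover(lock_text), advisories), key=lambda f: f["epss"], reverse=True)


if __name__ == "__main__":
    for finding in scan():
        print(json.dumps(finding))
```

Running it reports one finding: `qs-parser 6.0.4` reached through `web-framework > qs-parser`, fixed in 6.0.5, while the advisory for `web-framework` does not match because the installed version is already past its `fixed` boundary. That second case is the one worth testing in any matcher, since a range evaluator that ignores `fixed` events produces a flood of false positives.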
Coverage
SCA scans dependencies across all major programming ecosystems.

Package Managers Supported
- npm: JavaScript/TypeScript
- pip: Python packages
- Maven: Java dependencies
- NuGet: .NET packages
- Go Modules: Go dependencies
- Bundler: Ruby gems
Transitive Dependencies
SCA analyzes your entire dependency tree, including transitive dependencies. View complete SCA support matrix →

What SCA Finds
- CVE vulnerabilities: Known security issues in dependencies with CVE identifiers
- Outdated packages: Dependencies with available security updates
- Vulnerable transitive dependencies: Issues in sub-dependencies
- License violations: Incompatible or risky licenses
Vulnerability Intelligence
SCA queries multiple vulnerability databases:
- NVD (National Vulnerability Database)
- GitHub Security Advisories
- OSV (Open Source Vulnerabilities)
- Vendor security bulletins
- Language-specific advisory databases
Best Practices
- Scan dependencies on every build
- Prioritize vulnerabilities with high EPSS scores (those most likely to be exploited)
- Update direct dependencies first
- Use lock files for reproducible builds
- Monitor EPSS score changes
