SCA Support Matrix

Documentation Index

Fetch the complete documentation index at: https://docs.codethreat.com/llms.txt

Use this file to discover all available pages before exploring further.

CodeThreat uses Trivy and Syft for Software Composition Analysis, scanning dependencies across all major programming ecosystems for known vulnerabilities.

​

Package Ecosystems Supported

​

JavaScript/TypeScript

Scans for:

• Known CVEs in npm packages
• Vulnerable transitive dependencies
• Outdated packages with security updates
• License compliance (MIT, Apache, GPL, etc.)

​

Python

Scans for:

• PyPI package vulnerabilities
• Dependency confusion attacks
• Outdated packages (Django, Flask, etc.)
• License issues

​

Java/Kotlin/Scala

Scans for:

• JAR file vulnerabilities
• Critical issues (Log4Shell, Spring4Shell)
• Transitive dependency CVEs
• Maven Central vulnerabilities

​

.NET/C#

Scans for:

• NuGet package vulnerabilities
• .NET Framework/Core vulnerabilities
• Dependency version conflicts

​

Go

Scans for:

• Go module CVEs
• Standard library vulnerabilities
• Indirect dependency issues

​

Ruby

Scans for:

• RubyGems vulnerabilities
• Rails framework CVEs
• Gem dependency issues

​

PHP

Scans for:

• Packagist vulnerabilities
• WordPress/Drupal plugin CVEs
• Laravel/Symfony framework issues

​

Rust

Scans for:

• Crates.io vulnerabilities
• RustSec advisories
• Dependency audit findings

​

iOS/macOS

Scans for:

• Pod vulnerabilities
• Swift package CVEs
• Framework security issues

​

Additional Ecosystems

​

Operating System Packages

Trivy scans OS-level packages in container images and VMs:

​

Linux Distributions

​

Container Base Image Scanning

Detects vulnerabilities in:

• FROM alpine:3.18
• FROM ubuntu:22.04
• FROM node:18
• FROM python:3.11
• FROM nginx:latest
• Any Docker base image

Also scans:

• Distroless images
• Scratch-based images (if packages are installed)
• Multi-stage build layers

​

SBOM (Software Bill of Materials)

Generated by Syft, analyzed by Trivy: SBOM Formats Supported:

• CycloneDX (JSON, XML) - Industry standard
• SPDX (JSON, YAML) - Linux Foundation standard
• Syft JSON - Detailed format
• GitHub Dependency - For GitHub integration

What’s Included in SBOM:

• All direct dependencies
• All transitive dependencies
• Package versions
• Licenses
• Package URLs (PURL)
• File locations

Use Cases:

• Supply chain security compliance
• Vendor questionnaires
• Regulatory requirements (SBOM mandates)
• Vulnerability tracking over time

​

Vulnerability Databases Queried

Trivy queries multiple sources for comprehensive CVE coverage: Language-Specific:

• npm (Node Security Working Group)
• PyPI (Python Advisory Database)
• RubyGems (Ruby Advisory Database)
• Maven Central (Sonatype OSS Index)
• Go Vulnerability Database
• Rust Security Advisory Database
• PHP Security Advisories

General:

• National Vulnerability Database (NVD)
• GitHub Security Advisories (GHSA)
• GitLab Advisory Database
• OSV (Open Source Vulnerabilities)

OS-Specific:

• Debian Security Tracker
• Ubuntu Security Notices
• Red Hat Security Data
• Alpine SecDB
• Amazon Linux Security Center

Update Frequency: Daily updates ensure you catch CVEs within 24 hours of disclosure

​

False Positive Handling

Trivy is highly accurate for SCA because it matches exact package versions against known CVEs. False positives are rare. When they occur:

• CVE doesn’t affect the specific code path you use
• Vulnerability is in optional feature you don’t enable
• Mitigation exists at infrastructure level

CodeThreat AI can analyze SCA findings for:

• Actual exploitability in your code
• Whether vulnerable code path is reachable
• Mitigation controls present

​

What’s Next?