SCA
SCA stands for Source Composition Analysis. The tool analyzes an application's dependencies, that is, the third-party libraries it uses, and evaluates their security against known advisories.
The following languages and package managers are supported:
| Language | Package Manager | Total Advisories |
|---|---|---|
| JavaScript/Node.js | npm, Yarn, pnpm | 15480 |
| Python | pip, poetry | 12676 |
| Java | Maven, Gradle, SBT | 10432 |
| PHP | Composer | 6167 |
| Go | Go | 3196 |
| C# | NuGet | 2988 |
| Ruby | RubyGems | 1685 |
| Rust | Cargo | 691 |
| C, C++ | Conan | 549 |
| Swift | Swift | 30 |
| Erlang | Hex | 24 |
| Docker | Docker Images | 11 |
| Dart | Pub | 7 |
In addition to these, the tool also searches for vulnerabilities in GitHub Actions dependencies.
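As an added illustration of the core SCA matching step (example code written for this page, not the tool's own implementation), the snippet below reads a constructed pip requirements file, compares each exactly pinned version against a constructed advisory list with hypothetical ids, and separates out lines it cannot evaluate because no resolved version is pinned:

```python
import re

# Constructed sample pip requirements file; the unpinned line shows the case
# an SCA tool cannot evaluate without a lockfile giving the resolved version.
REQUIREMENTS = """\
requests==2.19.1
urllib3==1.24.1
flask==2.3.2
pyyaml>=5.1
"""

# Constructed advisories with hypothetical ids (not real CVEs); each one
# affects versions in the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "requests", "introduced": "0.0.0", "fixed": "2.20.0"},
    {"id": "ADV-EXAMPLE-002", "package": "urllib3", "introduced": "1.0.0", "fixed": "1.24.2"},
    {"id": "ADV-EXAMPLE-003", "package": "flask", "introduced": "0.0.0", "fixed": "2.0.0"},
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")

def parse_version(text):
    """Turn '1.24.2' into (1, 24, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text):
    """Return ({name: pinned_version}, [lines that are not exactly pinned])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned

def find_vulnerable(pinned, advisories):
    """Return (package, version, advisory id) for each pinned dependency in range."""
    hits = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is None:
            continue
        if parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"]):
            hits.append((adv["package"], version, adv["id"]))
    return hits
```

Real tools resolve the full transitive tree from a lockfile rather than a requirements file, which is why the unpinned line is reported separately instead of being guessed.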
In the SCA analysis, we strive for the application to comply with the following rules:

- Use components with minimal dependencies
- Verify all third-party components for security risks