Core Concepts
What is Software Composition Analysis (SCA)?
Software Composition Analysis (SCA) is the automated process of assessing and managing third-party components in a software application. It aims to improve the security and compliance of the software supply chain by addressing potential vulnerabilities in third-party dependencies and monitoring their associated licenses.
Why should you implement SCA?
SCA is an essential process for securing your software development life cycle. It allows you to:
- Identify dependencies: inventory all direct and transitive dependencies used in your software and track their related information, such as license and version.
- Continuously identify and mitigate dependency vulnerabilities: detect and fix vulnerabilities whenever new CVEs are disclosed or new dependencies are added, from direct dependencies down to nested transitive ones.
- Apply a shift-left strategy: catch new vulnerabilities as early as possible in the development process, reducing both the risk and the cost of remediation.
- Ensure legal compliance: manage your open-source licenses to avoid license violations.
- Meet regulatory requirements: comply with industry regulations and standards by providing Software Bills of Materials (SBOMs).
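A minimal illustration of the first two points, added here as example code that is not GitGuardian's: it resolves direct and transitive dependencies from a constructed lockfile-style graph, records each package's version and license, and matches the inventory against a constructed advisory list (placeholder advisory ids, not real CVEs).

```python
"""Toy SCA pass over a constructed dependency graph (example code, not GitGuardian's).
Graph, licenses and advisories are constructed; advisory ids are placeholders, not CVEs."""
from collections import deque

# Constructed lockfile-like data: package -> (version, license, direct dependencies).
LOCKFILE = {
    "webapp": ("1.0.0", "Proprietary", ["http-lib", "templating"]),
    "http-lib": ("2.3.1", "MIT", ["url-parse"]),
    "templating": ("0.9.4", "Apache-2.0", ["url-parse", "markup"]),
    "url-parse": ("1.4.2", "MIT", []),
    "markup": ("3.0.0", "GPL-3.0", []),
}

# Constructed advisory feed: (package, first vulnerable version, first fixed version, placeholder id).
ADVISORIES = [
    ("url-parse", "1.0.0", "1.5.0", "ADV-EXAMPLE-1"),
    ("markup", "2.0.0", "2.2.0", "ADV-EXAMPLE-2"),
]

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def resolve(root):
    """Return {package: (version, license, depth, path)} over root's transitive closure.
    depth 1 is a direct dependency, deeper is transitive; path is the shortest route to it."""
    seen = {}
    queue = deque([(root, 0, [root])])
    while queue:
        name, depth, path = queue.popleft()
        if name in seen:
            continue
        version, license_, deps = LOCKFILE[name]
        seen[name] = (version, license_, depth, path)
        for dep in deps:
            queue.append((dep, depth + 1, path + [dep]))
    return seen

def find_incidents(root):
    """Match the resolved inventory against the advisory feed, as an SCA scanner does."""
    inventory = resolve(root)
    incidents = []
    for pkg, lo, fixed, adv in ADVISORIES:
        if pkg not in inventory:
            continue
        version, _, depth, path = inventory[pkg]
        if parse_version(lo) <= parse_version(version) < parse_version(fixed):
            incidents.append({"package": pkg, "version": version, "advisory": adv, "fixed_in": fixed,
                              "kind": "direct" if depth == 1 else "transitive", "path": " -> ".join(path)})
    return incidents
```

The reported path shows which direct dependency pulls in the vulnerable transitive package, which is what you need to pick the upgrade that actually removes it.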
Views overview
GitGuardian SCA gives you a set of views to help you have a clear inventory of your sources, dependencies, and vulnerabilities:
- The Incidents view gives a detailed and comprehensive list of the vulnerabilities introduced by the third-party components in your sources.
- The Sources view lists all the monitored sources from your integrated Version Control System.
- The Dependencies view lists all third-party dependencies discovered from your sources, along with their version and associated licenses.
- The Analytics view helps you track your performance in remediating triggered incidents.
Each feature available from these views is detailed in the following sections.