Glossary

Software Composition Analysis (SCA)

SCA inventories the third-party and open-source dependencies in a project and flags known vulnerabilities, license risks, and unmaintained packages — the supply-chain layer that your own code never touches directly.

Modern applications are mostly other people's code. Software Composition Analysis reads your manifests and lockfiles — package.json, requirements.txt, go.mod, Cargo.toml, pom.xml — resolves the full transitive dependency tree, and checks each package against vulnerability databases (CVE / GHSA) and license metadata.

SCA answers questions your own source can't: is a transitively pulled library subject to a published CVE? Is a dependency pinned to a wildcard that could pull a malicious update? Is a package abandoned? Does a copyleft license create an obligation your legal team needs to know about? The 2021 Log4Shell incident is the canonical example — the vulnerable code was a dependency three levels deep, invisible to any tool that only read first-party code.

Because the dependency graph changes whenever you update a lockfile, SCA belongs in CI and in a scheduled re-scan: a package that was clean at merge time can have a CVE disclosed against it next week.

How GateTest handles it

GateTest's dependencies module is polyglot SCA — npm, pip, Pipenv, Poetry, go.mod, Cargo, Bundler, Composer, Maven, and Gradle. It flags wildcard and `latest` pins, missing lockfiles, deprecated packages, and git-without-rev specifiers, and the CVE-feed module maps findings to version-bump fixes the auto-fix PR can apply.
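To make the manifest checks above concrete (the wildcard and `latest` pins, missing lockfiles and git-without-rev specifiers named in the previous paragraph, and the "pinned version falls inside a published advisory range" lookup described earlier), here is an added, self-contained Python example of a minimal SCA-style scanner. It is not GateTest's code and not its dependencies module; the `package.json` and `requirements.txt` contents, the advisory table (placeholder ids, not real CVE/GHSA identifiers) and the list of recognised lockfile names are all constructed assumptions for the example.

```python
"""Minimal SCA-style manifest scanner (illustrative; not GateTest's implementation)."""
from dataclasses import dataclass
import json
import re


@dataclass(frozen=True)
class Dependency:
    ecosystem: str   # "npm" or "pypi"
    name: str
    spec: str        # version specifier exactly as written in the manifest


@dataclass(frozen=True)
class Finding:
    kind: str        # wildcard-pin | unpinned | git-no-rev | missing-lockfile | known-vuln
    package: str
    detail: str


# Constructed advisory table, NOT a real vulnerability feed:
# (ecosystem, package) -> [(placeholder advisory id, first fixed version)].
# A pinned version below the fixed version is treated as affected.
ADVISORIES = {
    ("pypi", "django"): [("ADVISORY-PLACEHOLDER-1", "3.2.14")],
    ("npm", "minimist"): [("ADVISORY-PLACEHOLDER-2", "1.2.6")],
}

# Assumed lockfile names per ecosystem (a simplification for the example).
LOCKFILES = {
    "npm": ("package-lock.json", "yarn.lock", "pnpm-lock.yaml"),
    "pypi": ("requirements.lock", "poetry.lock", "Pipfile.lock"),
}

WILDCARD_NPM = {"", "*", "latest", "x", "X"}


def parse_version(v):
    """Numeric dotted versions only ("3.2.14" -> (3, 2, 14)); pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_package_json(text):
    data = json.loads(text)
    return [Dependency("npm", name, spec)
            for section in ("dependencies", "devDependencies")
            for name, spec in data.get(section, {}).items()]


def parse_requirements(text):
    deps = []
    for raw in text.splitlines():
        # '#' starts a comment, except in VCS lines where '#egg=' carries the name
        line = raw.strip() if "git+" in raw else raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "git+" in line:
            m = re.search(r"#egg=([\w.\-]+)", line)
            if m:
                name = m.group(1)
            elif " @ " in line:                       # PEP 508 direct reference: "name @ url"
                name = line.split(" @ ", 1)[0]
            else:
                name = line.rstrip("/").rsplit("/", 1)[-1]
                name = name[:-4] if name.endswith(".git") else name
            deps.append(Dependency("pypi", name.lower(), line))
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)(.*)$", line)
        if m:
            deps.append(Dependency("pypi", m.group(1).lower(), m.group(2).strip()))
    return deps


def is_git(dep):
    return "git+" in dep.spec or dep.spec.startswith(("git://", "github:"))


def git_has_rev(dep):
    """npm pins a git rev after '#'; pip pins it after '@' in the URL path."""
    spec = dep.spec
    url = spec[spec.index("git+"):] if "git+" in spec else spec
    if dep.ecosystem == "npm":
        return "#" in url and url.split("#", 1)[1] != ""
    path = url.split("#", 1)[0].split("://", 1)[-1]
    _host, _, rest = path.partition("/")      # skip any user@host in the authority part
    return "@" in rest


def exact_version(dep):
    """Return the pinned version string if the specifier is an exact pin, else None."""
    spec = dep.spec.strip()
    if dep.ecosystem == "npm" and re.fullmatch(r"v?\d+(\.\d+){0,2}", spec):
        return spec.lstrip("v")
    if dep.ecosystem == "pypi":
        m = re.fullmatch(r"==\s*(\d+(\.\d+)*)", spec)
        if m:
            return m.group(1)
    return None


def check_specifier(dep):
    spec = dep.spec.strip()
    if is_git(dep):
        if not git_has_rev(dep):
            return [Finding("git-no-rev", dep.name, "git dependency without a pinned commit or tag: " + spec)]
        return []
    if dep.ecosystem == "npm" and spec in WILDCARD_NPM:
        return [Finding("wildcard-pin", dep.name, "version '%s' accepts any published release" % (spec or "*"))]
    if dep.ecosystem == "pypi":
        if spec in ("", "*"):
            return [Finding("wildcard-pin", dep.name, "no version constraint; any release can be installed")]
        if not spec.startswith("=="):
            return [Finding("unpinned", dep.name, "range specifier '%s' is resolved at install time" % spec)]
    return []


def check_advisories(dep, advisories=ADVISORIES):
    version = exact_version(dep)
    if version is None:
        return []           # ranges need the lockfile's resolved version, not handled here
    return [Finding("known-vuln", dep.name, "%s affected by %s; fix: bump to %s" % (version, adv_id, fixed))
            for adv_id, fixed in advisories.get((dep.ecosystem, dep.name), [])
            if parse_version(version) < parse_version(fixed)]


def check_lockfiles(ecosystems, present_files):
    return [Finding("missing-lockfile", eco, "no lockfile found; transitive versions are not reproducible")
            for eco in sorted(ecosystems)
            if not any(f in present_files for f in LOCKFILES[eco])]


def scan(files):
    """files: mapping of repo-relative filename -> text content. Returns a list of Findings."""
    deps = []
    if "package.json" in files:
        deps += parse_package_json(files["package.json"])
    if "requirements.txt" in files:
        deps += parse_requirements(files["requirements.txt"])
    findings = []
    for dep in deps:
        findings += check_specifier(dep)
        findings += check_advisories(dep)
    findings += check_lockfiles({d.ecosystem for d in deps}, set(files))
    return findings


# Constructed sample repository contents for the example.
SAMPLE_REPO = {
    "package.json": json.dumps({"dependencies": {
        "express": "latest",
        "lodash": "*",
        "minimist": "1.2.5",
        "left-pad": "^1.3.0",
        "some-fork": "git+https://github.com/example/some-fork.git",
    }}),
    "requirements.txt": "\n".join([
        "django==3.2.0",
        "requests>=2.20  # range, resolved at install time",
        "pyyaml",
        "thing @ git+https://github.com/example/thing.git",
        "other @ git+https://github.com/example/other.git@1a2b3c4",
    ]),
    "Pipfile.lock": "{}",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_REPO):
        print("%-16s %-12s %s" % (f.kind, f.package, f.detail))
```

Running the block against the constructed repository reports nine findings: three wildcard pins (`express`, `lodash`, `pyyaml`), two git dependencies without a rev (`some-fork`, `thing`), one range specifier (`requests`), a missing npm lockfile, and two exact pins that fall below the advisory table's fixed versions (`minimist`, `django`) together with the version bump that would clear them. The `other` entry, which does carry a commit rev, is not flagged. Range specifiers are deliberately not matched against advisories: only the lockfile's resolved version tells you what will actually be installed, which is the same reason a missing lockfile is itself a finding.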

Related modules: dependencies, cveFeed, secretRotation

Frequently asked questions

What is the difference between SCA and SAST?

SAST analyses the code your team writes; SCA analyses the third-party dependencies your team pulls in. Most real-world breaches involve one or the other, so a complete program runs both.

How often should SCA run?

On every change to a lockfile and on a schedule. A dependency that is clean today can have a CVE disclosed against it tomorrow, so a periodic re-scan catches vulnerabilities that did not exist at merge time.

See SCA on your own repo

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.
