Software Composition Analysis
Provides complete visibility into software dependencies, supply chain risks, and licensing compliance across the application portfolio. It catalogs direct and transitive dependencies, correlates them with CVE databases, and supports SBOM generation in SPDX and CycloneDX formats.
Required Blueprints: GitHub, Azure DevOps, Azure, AWS, Bitbucket, Checkmarx
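As an added example (not the analyzer's own code), the Python below shows the two steps the description names: walking direct and transitive dependencies into a CycloneDX 1.5 SBOM, then correlating each SBOM's components with a vulnerability feed to report which applications in the portfolio are impacted. The portfolio, dependency graph and feed are constructed, and the CVE-0000-* identifiers are placeholders.

```python
"""Build CycloneDX-style SBOMs from a dependency graph and correlate them with a
vulnerability feed. All data below is constructed; CVE-0000-* ids are placeholders."""
from collections import deque
# Constructed portfolio: application -> direct dependencies as package URLs (purls).
PORTFOLIO = {
    "payments-api": ["pkg:npm/express@4.18.2"],
    "reporting-ui": ["pkg:npm/react@18.2.0", "pkg:npm/lodash@4.17.20"],
}
# Constructed package graph: purl -> purls it depends on (yields transitive deps).
DEPENDS_ON = {
    "pkg:npm/express@4.18.2": ["pkg:npm/qs@6.11.0", "pkg:npm/lodash@4.17.20"],
    "pkg:npm/react@18.2.0": ["pkg:npm/loose-envify@1.4.0"],
}
# Constructed vulnerability feed keyed by purl (placeholder ids, not real CVEs).
VULN_FEED = {
    "pkg:npm/lodash@4.17.20": ["CVE-0000-0001"],
    "pkg:npm/qs@6.11.0": ["CVE-0000-0002"],
}


def build_sbom(app, direct, graph):
    """Walk direct and transitive deps breadth-first; emit a CycloneDX 1.5 structure."""
    seen, queue, edges = [], deque(direct), []
    while queue:
        purl = queue.popleft()
        if purl in seen:  # a package reached via several paths is recorded once
            continue
        seen.append(purl)
        edges.append({"ref": purl, "dependsOn": graph.get(purl, [])})
        queue.extend(graph.get(purl, []))
    components = []
    for purl in seen:  # unscoped purls only: pkg:type/name@version
        name, version = purl.rsplit("/", 1)[1].split("@")
        components.append({"type": "library", "name": name,
                           "version": version, "purl": purl})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"type": "application", "name": app}},
            "components": components, "dependencies": edges}


def package_impact(sboms, feed):
    """Correlate SBOM components with the feed: vuln id -> sorted apps carrying it."""
    impact = {}
    for sbom in sboms:
        app = sbom["metadata"]["component"]["name"]
        for comp in sbom["components"]:
            for vuln in feed.get(comp["purl"], []):
                impact.setdefault(vuln, set()).add(app)
    return {v: sorted(apps) for v, apps in impact.items()}
```

Because lodash is reached only transitively from payments-api (through express) but directly from reporting-ui, the impact map lists both applications for its placeholder vulnerability.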

Sightlines
| Sightline | Description |
|---|---|
| Package Impact Analysis | Offers insights into package vulnerabilities and their impact across the application portfolio. |
| Package Dependency Overview | Highlights dependencies and their associated vulnerabilities. |
| Vulnerability Impact Analysis | Provides a consolidated view of vulnerabilities across all software components. |
| CheckMarx Vulnerability Analysis | Provides insights into static application security testing (SAST) results from CheckMarx scans, enabling teams to tra... |
| SAST Vulnerabilities Analysis | Provides insights into Static Application Security Testing (SAST) results across repositories, enabling teams to iden... |
Explorer Node Types
Use these node types in Explorer or KAI to query resources surfaced by this analyzer:
sca.sbom.Package, sca.sbom.Vulnerability, sca.sbom.Document, sca.sbom.PackageHasLicense
Related Analyzers
- Repository — Package dependencies from code repositories
- Code — Vulnerability analysis of packages
- Artifact — Container image vulnerabilities from packages
- Secrets and PII — Secrets in containers and packages