Safeguard
AppSec

Define SCA: What Software Composition Analysis Actually Means

To define SCA: it's the practice of identifying every open-source component in your software and checking each for known vulnerabilities, license risk, and staleness.

Safeguard Research Team
Research
5 min read

To define SCA plainly: software composition analysis is the practice of automatically identifying all the open-source and third-party components in an application and evaluating each one for known security vulnerabilities, license obligations, and maintenance risk. In short, SCA answers the question "what is actually in my software, and is any of it dangerous?" — a question that has become genuinely hard to answer by hand.

The reason SCA exists is that modern software is assembled, not written from scratch. A typical application is mostly other people's code pulled in as dependencies. SCA is the discipline of keeping track of that borrowed code and its risks.

What SCA inspects

SCA tools examine three distinct things about your components:

Known vulnerabilities. Each dependency is matched against vulnerability databases — chiefly the National Vulnerability Database (NVD) and ecosystem-specific advisory sources like the GitHub Advisory Database. If a version you use has a published CVE, SCA flags it, ideally with the fixed version to upgrade to.

License compliance. Every open-source component carries a license, and some (strong copyleft licenses like GPL) impose obligations that can conflict with how you distribute your product. SCA inventories licenses so legal and engineering can catch a problematic one before it ships in a product.

Component health. Beyond vulnerabilities, SCA can surface components that are abandoned, wildly out of date, or have no recent maintenance — signals of future risk even without a current CVE.

The transitive dependency problem

The part that makes SCA non-optional is transitivity. You directly choose a handful of dependencies. Each of those pulls in its own dependencies, which pull in more, and so on. The result is a dependency tree that can be hundreds of packages deep, most of which you never explicitly chose and could not name.

A vulnerability three levels down in that tree is still running in your application. You did not install it, you cannot see it in your package.json or pom.xml, but it is there. Manual review cannot find these; that is precisely the gap SCA fills. It walks the full resolved tree, not just your top-level declarations.

your-app
└── some-framework          (you chose this)
    └── http-client         (framework chose this)
        └── parser-lib 1.2   (http-client chose this — and it has a CVE)

You never mentioned parser-lib, but its CVE is your problem. SCA is what tells you it is there.

How SCA works, roughly

Most SCA tools follow a similar flow. They start by identifying components — reading manifest and lockfiles (package-lock.json, yarn.lock, pom.xml, requirements.txt, go.sum) or, more thoroughly, scanning built artifacts and container images to catch what actually shipped. From that they build a complete inventory, often expressed as a software bill of materials (SBOM) in a standard format like CycloneDX or SPDX.

Each component in the inventory is then matched against vulnerability and license data. Finally, the tool reports findings, ideally prioritized by severity, whether a fix exists, and whether the vulnerable code is actually reachable in your application. That last factor — reachability — is what separates a useful modern SCA result from an overwhelming list of every CVE in the tree.

SCA versus SAST versus DAST

SCA is easy to confuse with the other testing acronyms, so to be precise:

  • SCA analyzes the open-source components you did not write.
  • SAST analyzes the source code you did write, statically.
  • DAST tests a running application from the outside.

They cover different risks and are complementary, not substitutes. SAST will not tell you a dependency has a CVE; SCA will not find a logic flaw in your own code. A complete program runs all three.

Why SCA became a board-level concern

Two forces pushed SCA from a nice-to-have to a requirement. First, high-profile incidents in widely used libraries showed that a single vulnerable dependency can expose an enormous number of downstream applications at once. Second, regulators and customers increasingly ask for an SBOM — a verifiable list of what is in the software they run. SCA is how you produce and maintain that inventory continuously rather than as a one-off document.

An SCA tool such as Safeguard can flag a transitive CVE like the parser-lib example above and point to the fix, but the definition holds regardless of tooling: SCA is knowing what is in your software and whether it is safe. Our software composition analysis page details how the scanning and SBOM generation work, and the SCA in DevSecOps guide covers automating it in a pipeline.

FAQ

What does SCA stand for?

SCA stands for software composition analysis. It is the practice of identifying the open-source and third-party components in an application and checking each for known vulnerabilities, license issues, and maintenance risk.

What is the difference between SCA and SAST?

SCA analyzes the open-source dependencies you pull into your application, while SAST (static application security testing) analyzes the source code you wrote yourself. They find different classes of problems and are used together.

Why can't I just review my dependencies manually?

Because of transitive dependencies. You directly choose a few packages, but each pulls in its own, producing a tree that can be hundreds deep. A vulnerability several levels down still runs in your app but is invisible to manual review — SCA walks the entire resolved tree.

Does SCA produce an SBOM?

Most SCA tools can generate a software bill of materials in standard formats like CycloneDX or SPDX. The SBOM is the component inventory SCA builds, and it becomes valuable for incident response and for meeting customer or regulatory requirements.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.