Provisioning SCA Scanning¶

Provisioning Software Composition Analysis (SCA) scanning in BoostSecurity is straightforward and consistent across supported Source Code Management (SCM) systems such as GitHub, GitLab, Bitbucket, and Azure DevOps. Whether managing a single repository or a large-scale monorepo, you can configure SCA scanners using a centralized approach that ensures security coverage is automated, reproducible, and scalable.

Enable Scanning¶

SCA scanning can be enabled:

Through the BoostSecurity UI.

By default, BoostSecurity provides a curated selection of scanners that can be toggled on or off per repository. These scanners can be triggered on different Git events, such as pushes to the main branch or during pull request workflows.

Via BoostSecurity UI¶

To provision SCA scanners for an SCM via the Boost UI:

Navigate to the Scanner Coverage page.
Select one or more repos to provision.
Click the Action button at the top-right of the page and select Provisioning.
On the Provisioning action screen, there are two options:
1. Easy Provisioning: By clicking on the SCA checkbox on the easy provisioning tab, Boost automatically provisions the best SCA scanner suitable for the repository or resource. It does this by scanning for environment variables, arguments, or vlunerabilites that might possibly exist in the repos.
2. Advanced Provisioning: By clicking on the Advanced tab, a user can manually select any of the available SCA scanners to provision against selected repos.
Click the Complete button to save changes.
The SCA scanners are now provisioned and awaiting first scan.

Regular Audits and Updates¶

Dependency and scanner ecosystems evolve. Periodically review and update:

Enabled scanners
Severity thresholds
Notification recipients
Custom flags or scan parameters

Doing so ensures your security posture remains current with minimal manual oversight.