
Software Composition Analysis (SCA)


Software Composition Analysis (SCA) is a core defense against vulnerabilities introduced through third-party dependencies. BoostSecurity integrates SCA capabilities so that development and security teams can inventory, manage, and secure the components and libraries used within their applications.

BoostSecurity provides the following SCA tools for use in your organization:

| Scanner | registry_module name | Pull Request Flow | Configuration | Description |
|---|---|---|---|---|
| Snyk | `boostsecurityio/snyk-test` | yes | - | The Snyk module scans the project's package dependencies for vulnerabilities, using the `snyk` Command Line Interface (CLI) tool with the `test` command for SCA. |
| Bundler Audit | `boostsecurityio/bundler-audit` | yes | `GEMFILE_LOCK` | The Bundler Audit module scans the Ruby project's dependencies for vulnerabilities, using the `bundler-audit` scanner. The optional environment variable `GEMFILE_LOCK` can be set to check a custom `Gemfile.lock` file. |
| NPM Audit | `boostsecurityio/npm-audit` | yes | `NPM_AUDIT_ARGS` | The npm audit module scans the Node.js project's dependencies for vulnerabilities, using the `npm audit` scanner. The optional environment variable `NPM_AUDIT_ARGS` can be set to pass options to `npm audit`. |
| Safety | `boostsecurityio/safety` | yes | - | The Safety module scans the Python project's dependencies for vulnerabilities, using the `safety` scanner. |
| Nancy | `boostsecurityio/nancy` | yes | `NANCY_ARGS`, `GOPKG_LOCK`, `GO_LIST_PATH` | The Nancy module scans the Go project's dependencies for vulnerabilities, using the Nancy scanner. The following optional environment variables can be set: `NANCY_ARGS` sets the Nancy scanner arguments; `GOPKG_LOCK` sets the Go package lock file (default `Gopkg.lock`); `GO_LIST_PATH` sets the path to the file containing the list of modules (default `.nancy-go-list.json`). |