
Software Composition Analysis (SCA)


Software Composition Analysis (SCA) is a security practice that automates the identification of open-source components and third-party dependencies used in a codebase and checks them for known vulnerabilities, licensing issues, and versioning problems. SCA tools analyze package-manager artifacts such as manifest files and lockfiles (e.g., package.json, pom.xml, requirements.txt) to detect insecure or outdated libraries, so teams can respond before issues reach production.


Why SCA Is Important in Modern DevSecOps


SCA plays a critical role in DevSecOps by:

  • Shifting security left — allowing vulnerabilities to be caught early in the development lifecycle
  • Improving visibility into dependency risks across repositories and teams
  • Automating compliance with open-source licenses and organizational security policies
  • Reducing attack surfaces that emerge from transitive or nested dependencies

Ultimately, SCA helps organizations maintain security hygiene while accelerating deployment speeds.


How BoostSecurity Enables SCA Scanning


BoostSecurity integrates SCA scanning into your development workflows to automatically inspect source code repositories for insecure dependencies and vulnerable libraries.


Supported Scanners


BoostSecurity offers an extensive suite of Software Composition Analysis (SCA) scanners to help engineering and security teams detect vulnerabilities in open-source dependencies. These scanners analyze lock files, manifests, and filesystem content to flag known security issues using curated vulnerability databases.

| Scanner | registry_module name | Pull Request Flow | Configuration | Description |
|---|---|---|---|---|
| BoostSecurity SCA | boostsecurityio/boost-sca | | - | BoostSecurity's native SCA scanner, which combines several open-source and in-house checks with curated security rules. |
| Snyk | boostsecurityio/snyk-test | yes | - | Scans the project's package dependencies for vulnerabilities using the Snyk Command Line Interface (CLI) with the test command (snyk test). |
| OSV Scanner | boostsecurityio/osv-scanner | | OSV_ARGS | Uses the Open Source Vulnerabilities (OSV) database to detect known vulnerabilities in project dependencies. The optional OSV_ARGS variable configures scan options. |
| Bundler Audit | boostsecurityio/bundler-audit | yes | GEMFILE_LOCK | Scans a Ruby project's dependencies for vulnerabilities using the bundler-audit scanner. The optional GEMFILE_LOCK environment variable points the scan at a custom Gemfile.lock file. |
| NPM Audit | boostsecurityio/npm-audit | yes | NPM_AUDIT_ARGS | Scans a Node.js project's dependencies for vulnerabilities using npm audit. The optional NPM_AUDIT_ARGS environment variable passes options to npm audit. |
| Safety | boostsecurityio/safety | yes | - | Scans a Python project's dependencies for vulnerabilities using the safety scanner. |
| Nancy | boostsecurityio/nancy | yes | NANCY_ARGS, GOPKG_LOCK, GO_LIST_PATH | Scans a Go project's dependencies for vulnerabilities using the Nancy scanner. Optional environment variables: NANCY_ARGS sets the Nancy scanner arguments; GOPKG_LOCK sets the Go package lock file (default Gopkg.lock); GO_LIST_PATH sets the path of the module list (default .nancy-go-list.json). |
| Trivy (Filesystem) | boostsecurityio/trivy-fs | | TRIVY_FS_ARGS | Scans the project filesystem for vulnerable open-source dependencies. TRIVY_FS_ARGS can be set to customize the Trivy scan command. |
| Dependabot | boostsecurityio/dependabot | | DEPENDABOT_CONFIG_PATH | Integrates GitHub Dependabot for version monitoring and automatic pull requests for vulnerable dependencies. The optional DEPENDABOT_CONFIG_PATH specifies the path to the Dependabot configuration file. |

Each scanner comes with unique capabilities, giving organizations flexibility in choosing the right tool for their ecosystem. BoostSecurity supports both in-house and third-party scanners for maximum coverage.


Supported Source Code Management Systems (SCMs)


BoostSecurity’s SCA scanning capabilities are designed to be platform-agnostic, supporting integrations with all major SCM providers, including:

  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps

The scanning logic and configuration approach remain largely consistent across SCMs, ensuring a unified experience regardless of where your code is hosted. Events such as pull requests, merges to the default (main) branch, or dependency file changes can all trigger scans, depending on the configuration.


Default Scanning Behavior


Most scanners support being triggered on two key workflows:

  • On Main: Triggers a scan when code is merged or pushed to the default branch.
  • On Pull Request: Triggers a scan for code changes before merge, helping reviewers assess dependency risk.

| Scanner | On Main | On Pull Request |
|---|---|---|
| BoostSecurity SCA | | |
| Bundler-Audit | | |
| Nancy | | |
| NPM Audit | | |
| OSV Scanner | | |
| Safety | | |
| Snyk SCA | | |
| Trivy FS | | |
| Dependabot | ☑️ (GitHub-only) | |

Scanner Behavior and Coverage


Each scanner in BoostSecurity has a unique way of detecting vulnerabilities and interacting with your project structure. The BoostSecurity platform:

  • Analyzes dependency files (e.g., package-lock.json, poetry.lock) to detect vulnerabilities
  • Normalizes findings across different ecosystems and scanners into a consistent, unified format
  • Integrates with CI/CD workflows to run scans on pull requests, branch pushes, or scheduled intervals
  • Supports multiple scanners, including Boost's SCA scanner, OSV, and other community tools
  • Allows configuration via .boost/config.yml to customize scanning behavior per repository

This approach ensures broad visibility into open-source risk while maintaining flexibility across diverse tech stacks.
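The two steps that the definition at the top of this page and the list above describe, extracting pinned dependencies from lockfiles and matching them against a vulnerability feed, can be shown in a few dozen lines. The block below is an added illustration written for this page, not BoostSecurity's scanner or any of the listed tools; the lockfiles, the advisory feed in an OSV-like shape and the EXAMPLE-ADV-* identifiers are all constructed placeholders. It goes slightly beyond the text by handling two ecosystems (an npm package-lock.json and a Python requirements.txt) and by skipping entries that are not exactly pinned, which a real scanner would have to resolve first.

```python
"""Minimal SCA pass over lockfiles: extract pinned dependencies and match
them against a vulnerability feed. Added illustration for this page; not
BoostSecurity's code or that of any listed scanner."""
import json
import re
from dataclasses import dataclass

# Constructed sample lockfiles (not taken from any real project).
PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"lodash": "^4.17.20"}},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/minimist": {"version": "1.2.5", "dev": True},
    },
})
REQUIREMENTS_TXT = """\
# constructed requirements.txt
requests==2.25.1
urllib3==1.26.5  # pinned transitive
pyyaml>=5.0      # unpinned: cannot be matched exactly
"""

# Constructed advisory feed in an OSV-like shape; IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "package": "lodash",
     "introduced": "0", "fixed": "4.17.21", "severity": "HIGH"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "PyPI", "package": "urllib3",
     "introduced": "1.26.0", "fixed": "1.26.6", "severity": "MEDIUM"},
]


@dataclass(frozen=True)
class Dependency:
    ecosystem: str
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    dependency: Dependency
    fixed_in: str
    severity: str


def parse_version(v: str) -> tuple:
    """Numeric tuple for comparison; assumes plain dotted versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_package_lock(text: str) -> list[Dependency]:
    """npm lockfileVersion 2/3: every entry under 'packages' except the root."""
    data = json.loads(text)
    deps = []
    for path, meta in data.get("packages", {}).items():
        if path == "" or "version" not in meta:
            continue
        # "node_modules/a/node_modules/b" -> "b" (nested dependency)
        name = path.rsplit("node_modules/", 1)[-1]
        deps.append(Dependency("npm", name, meta["version"]))
    return deps


def parse_requirements(text: str) -> list[Dependency]:
    """requirements.txt: only exact '==' pins yield a checkable version."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            deps.append(Dependency("PyPI", m.group(1).lower(), m.group(2)))
    return deps


def is_affected(dep: Dependency, adv: dict) -> bool:
    """A dependency is affected when introduced <= version < fixed."""
    if adv["ecosystem"] != dep.ecosystem or adv["package"].lower() != dep.name.lower():
        return False
    v = parse_version(dep.version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def scan(deps: list[Dependency], advisories: list[dict] = ADVISORIES) -> list[Finding]:
    return [Finding(a["id"], d, a["fixed"], a["severity"])
            for d in deps for a in advisories if is_affected(d, a)]


if __name__ == "__main__":
    all_deps = parse_package_lock(PACKAGE_LOCK) + parse_requirements(REQUIREMENTS_TXT)
    for f in scan(all_deps):
        print(f"{f.severity}: {f.dependency.ecosystem}/{f.dependency.name}@"
              f"{f.dependency.version} affected by {f.advisory_id}, "
              f"fixed in {f.fixed_in}")
```

The unpinned `pyyaml>=5.0` line is deliberately dropped: a range is not a version, and reporting it would either miss a vulnerable resolution or produce a false positive. Real scanners resolve the range from the environment or a lockfile before matching, which is why lockfiles, not manifests, are the preferred input.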

Intelligent Deduplication

BoostSecurity intelligently deduplicates results across multiple scanners. If several tools report the same vulnerability (e.g., CVE-2023-1234 in lodash@4.17.21), only one consolidated entry appears in the UI or exported reports.

This ensures a cleaner developer experience with no noisy duplication or conflicting severity ratings.
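Consolidating one vulnerability reported by several scanners comes down to choosing a canonical key and a merge rule. The block below is an added illustration for this page, not BoostSecurity's deduplication logic; it reuses the page's own illustrative values (CVE-2023-1234 in lodash@4.17.21) and adds a constructed alias table and constructed scanner outputs. The design choice worth noting is that the merged entry keeps the highest severity any scanner assigned, so deduplication never lowers the reported risk.

```python
"""Consolidate the same vulnerability reported by several SCA scanners into
one finding. Added illustration for this page; not BoostSecurity's code."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed alias table: scanners may name the same advisory by different
# identifiers (e.g. a GHSA alias vs. a CVE); map each to one canonical ID.
# The GHSA-style key is a placeholder, not a real advisory.
ALIASES = {
    "EXAMPLE-GHSA-aaaa": "CVE-2023-1234",
}


@dataclass
class RawFinding:
    scanner: str
    ecosystem: str
    package: str
    version: str
    vuln_id: str
    severity: str


@dataclass
class ConsolidatedFinding:
    ecosystem: str
    package: str
    version: str
    vuln_id: str
    severity: str
    reported_by: list = field(default_factory=list)


def canonical_key(f: RawFinding) -> tuple:
    """Normalise the fields on which scanners differ only cosmetically."""
    vuln = ALIASES.get(f.vuln_id, f.vuln_id).upper()
    return (f.ecosystem.lower(), f.package.lower(), f.version.strip(), vuln)


def deduplicate(findings: list[RawFinding]) -> list[ConsolidatedFinding]:
    merged: dict[tuple, ConsolidatedFinding] = {}
    for f in findings:
        key = canonical_key(f)
        sev = f.severity.upper()
        if key not in merged:
            merged[key] = ConsolidatedFinding(*key, severity=sev)
        entry = merged[key]
        # Keep the highest severity any scanner assigned; merging never hides risk.
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(entry.severity, 0):
            entry.severity = sev
        if f.scanner not in entry.reported_by:
            entry.reported_by.append(f.scanner)
    return list(merged.values())


# Constructed scanner outputs: three tools report the page's example
# vulnerability with cosmetic differences, plus one unrelated finding.
SAMPLE_FINDINGS = [
    RawFinding("osv-scanner", "npm", "lodash", "4.17.21", "CVE-2023-1234", "HIGH"),
    RawFinding("npm-audit", "npm", "Lodash", "4.17.21", "EXAMPLE-GHSA-aaaa", "high"),
    RawFinding("snyk", "NPM", "lodash", "4.17.21 ", "cve-2023-1234", "MEDIUM"),
    RawFinding("trivy-fs", "PyPI", "urllib3", "1.26.5", "EXAMPLE-ADV-0002", "MEDIUM"),
]

if __name__ == "__main__":
    for c in deduplicate(SAMPLE_FINDINGS):
        print(f"{c.severity} {c.vuln_id} in {c.ecosystem}/{c.package}@{c.version} "
              f"(reported by {', '.join(c.reported_by)})")
```

Keeping the list of scanners that reported each entry is what lets a reviewer see that three tools agree, without three rows cluttering the report.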

BoostSecurity’s flexible architecture allows you to combine scanners for broader or deeper coverage across polyglot repos and microservices.


Provisioning and Configuration


Provisioning SCA scanners is done at the Source Code Management level. This means you can choose different scanner configurations for each resource depending on your security posture.