Software Composition Analysis (SCA)¶
Software Composition Analysis (SCA) is a security practice that automates the process of identifying open-source components and third-party dependencies used in a codebase, then checking them for known vulnerabilities, licensing issues, and versioning problems. SCA tools analyze artifacts like package managers, manifest files, or lockfiles (e.g., package.json, pom.xml, requirements.txt) to detect insecure or outdated libraries and help teams respond before issues reach production.
Why SCA Is Important in Modern DevSecOps¶
SCA plays a critical role in DevSecOps by:
- Shifting security left — allowing vulnerabilities to be caught early in the development lifecycle
- Improving visibility into dependency risks across repositories and teams
- Automating compliance with open-source licenses and organizational security policies
- Reducing attack surfaces that emerge from transitive or nested dependencies
Ultimately, SCA helps organizations maintain security hygiene while accelerating deployment speeds.
How BoostSecurity Enables SCA Scanning¶
BoostSecurity integrates SCA scanning into your development workflows to automatically inspect source code repositories for insecure dependencies and vulnerable libraries.
Supported Scanners¶
BoostSecurity offers an extensive suite of Software Composition Analysis (SCA) scanners to help engineering and security teams detect vulnerabilities in open-source dependencies. These scanners analyze lock files, manifests, and filesystem content to flag known security issues using curated vulnerability databases.
| Scanner | registry_module name | Pull Request Flow | Configuration | Description |
|---|---|---|---|---|
| BoostSecurity SCA | boostsecurityio/boost-sca | ✅ | - | BoostSecurity’s native SCA scanner that leverages several open-source and in-house checks with curated security rules. |
| Snyk | boostsecurityio/snyk-test | yes | - | The Snyk module scans the project package dependencies for vulnerabilities, using the snyk Command Line Interface (CLI) tool with command test (snyk test) for SCA. |
| OSV Scanner | boostsecurityio/osv-scanner | ✅ | OSV_ARGS | Uses the Open Source Vulnerabilities (OSV) database to detect known vulnerabilities in project dependencies. Optional OSV_ARGS can be set to configure scan options. |
| Bundler Audit | boostsecurityio/bundler-audit | yes | GEMFILE_LOCK | The bundler audit module scans the Ruby project's dependencies for vulnerabilities using the bundler-audit scanner. The optional environment variable GEMFILE_LOCK can be set to check a custom Gemfile.lock file |
| NPM Audit | boostsecurityio/npm-audit | yes | NPM_AUDIT_ARGS | The npm audit module scans the Nodejs project's dependencies for vulnerabilities, using the npm audit scanner. The optional environment variable NPM_AUDIT_ARGS can be set for npm audit options. |
| Safety | boostsecurityio/safety | yes | - | The Safety module scans the Python project's dependencies for vulnerabilities using the safety scanner. |
| Nancy | boostsecurityio/nancy | yes | NANCY_ARGS, GOPKG_LOCK, GO_LIST_PATH | The Nancy module scans the GoLang project's dependencies for vulnerabilities using the Nancy scanner. The optional environment variables can be set: NANCY_ARGS enables to set the Nancy scanner arguments; GOPKG_LOCK can set the GoLang package lock file with a default value of Gopkg.lock; GO_LIST_PATH the path where the list of modules is located, the default value is .nancy-go-list.json |
| Trivy (Filesystem) | boostsecurityio/trivy-fs | ✅ | TRIVY_FS_ARGS | Scans the project filesystem for vulnerable open-source dependencies. TRIVY_FS_ARGS can be set to customize the Trivy scan command. |
| Dependabot | boostsecurityio/dependabot | ✅ | DEPENDABOT_CONFIG_PATH | Integrates GitHub Dependabot for version monitoring and automatic pull requests for vulnerable dependencies. The optional DEPENDABOT_CONFIG_PATH allows specifying the path to the dependabot configuration file. |
Each scanner comes with unique capabilities, giving organizations flexibility in choosing the right tool for their ecosystem. BoostSecurity supports both in-house and third-party scanners for maximum coverage.
Supported Source Code Management Systems (SCMs)¶
BoostSecurity’s SCA scanning capabilities are designed to be platform-agnostic, supporting integrations with all major SCM providers, including:
- GitHub
- GitLab
- Bitbucket
- Azure DevOps
The scanning logic and configuration approach remains largely consistent across SCMs, ensuring a unified experience regardless of where your code is hosted. Events such as pull requests, merges to default (main) branches, or dependency file changes can all trigger scans, depending on the configuration.
Default Scanning Behavior¶
Most scanners support being triggered on two key workflows:
- On Main: Triggers a scan when code is merged or pushed to the default branch.
- On Pull Request: Triggers a scan for code changes before merge, helping reviewers assess dependency risk.
| Scanner | On Main | On Pull Request |
|---|---|---|
| BoostSecurity SCA | ✅ | ✅ |
| Bundler-Audit | ✅ | ✅ |
| Nancy | ✅ | ✅ |
| NPM Audit | ✅ | ✅ |
| OSV Scanner | ✅ | ✅ |
| Safety | ✅ | ✅ |
| Snyk SCA | ✅ | ✅ |
| Trivy FS | ✅ | ✅ |
| Dependabot | ✅ | ☑️ (GitHub-only) |
Scanner Behavior and Coverage¶
Each scanner in BoostSecurity has a unique way of detecting vulnerabilities and interacting with your project structure. The BoostSecurity platform:
- Analyzes dependency files (e.g.,
package-lock.json,poetry.lock, etc.) to detect vulnerabilities - Normalizes findings across different ecosystems and scanners into a consistent, unified format
- Integrates with CI/CD workflows to run scans on pull requests, branch pushes, or scheduled intervals
- Supports multiple scanners, including Boost's SCA scanner, OSV, and other community tools
- Allows configuration via
.boost/config.ymlto customize scanning behavior per repository
This approach ensures broad visibility into open-source risk while maintaining flexibility across diverse tech stacks.
Intelligent Deduplication¶
BoostSecurity intelligently deduplicates results across multiple scanners. If several tools report the same vulnerability (e.g., CVE-2023-1234 in lodash@4.17.21), only one consolidated entry appears in the UI or exported reports.
This ensures a cleaner developer experience with no noisy duplication or conflicting severity ratings.
BoostSecurity’s flexible architecture allows you to combine scanners for broader or deeper coverage across polyglot repos and microservices.
Provisioning and Configuration¶
Provisioning SCA scanners is done at the Source Code Management level. This means you can choose different scanner configurations for each resource depending on your security posture.