SCA
Dependency scanning and supply chain risk detection - find vulnerable third-party packages before they reach production.
How It Works
Software Composition Analysis (SCA) identifies the third-party libraries and open-source packages your application depends on and checks whether any carry known security vulnerabilities. The majority of code in any production service comes from the open-source ecosystem, making dependency risk one of the most important areas to monitor.
DryRun Security analyzes your dependency manifests and lock files as part of DeepScan, detecting when dependencies carry known vulnerabilities. Because this analysis covers the entire codebase, you get a comprehensive view of supply chain risk rather than only seeing what changed in a single commit.
Beyond simple CVE matching, DryRun Security evaluates how a vulnerable dependency is actually used in your code. A vulnerable function in a library you only use for unrelated functionality presents a different risk profile than one you call directly with user-supplied input. This context-aware assessment helps your team prioritize remediation based on actual exploitability rather than CVSS scores alone.
What's Checked
DryRun Security scans package manifests and lock files across all major ecosystems:
- JavaScript / Node.js: package.json, package-lock.json, yarn.lock
- Python: requirements.txt, Pipfile, pyproject.toml, poetry.lock
- Ruby: Gemfile, Gemfile.lock
- Java / Kotlin: pom.xml, Gradle build files
- Go: go.mod, go.sum
- Rust: Cargo.toml, Cargo.lock
- .NET: *.csproj, packages.config
Each dependency is checked against known vulnerability databases, matching specific CVEs to affected version ranges.
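The two steps described above (matching pinned versions against advisory version ranges, then checking whether the affected function is actually referenced from application code, as in the context-aware assessment in "How It Works") can be illustrated with a small stand-alone script. This is an added example, not DryRun Security's implementation: the requirements.txt, the advisory records (placeholder IDs, not real CVEs), the package names and the application source are all constructed for the demonstration, and the advisory format follows the OSV-style convention of an affected range of [introduced, fixed).

```python
import ast
import re

# Constructed requirements.txt with pinned versions (not from any real project).
REQUIREMENTS_TXT = """\
# demo service dependencies
acme-yaml==2.3.1
acme-templater==1.2.4
acme-http==0.9.0  # unaffected by the advisories below
"""

# Constructed advisory records; IDs are placeholders, not real CVEs.
# Affected range is [introduced, fixed), as in OSV-style events.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "acme-yaml",
     "introduced": "2.0.0", "fixed": "2.4.0", "symbol": "unsafe_load"},
    {"id": "ADV-EXAMPLE-002", "package": "acme-templater",
     "introduced": "1.0.0", "fixed": "1.2.5", "symbol": "render_raw"},
    {"id": "ADV-EXAMPLE-003", "package": "acme-yaml",
     "introduced": "3.0.0", "fixed": "3.0.2", "symbol": "dump"},
]

# Constructed application source used for the reachability check.
APP_SOURCE = """\
import acme_yaml
from acme_templater import render_safe

def handle(request):
    data = acme_yaml.unsafe_load(request.body)  # affected function, fed request input
    return render_safe("page.html", data)       # affected render_raw is never called
"""


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so tuples compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Return {package: version} for pinned `name==version` lines; comments are dropped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def match_advisories(pins, advisories):
    """Keep advisories whose package is pinned inside the affected version range."""
    hits = []
    for adv in advisories:
        ver = pins.get(adv["package"])
        if ver is None:
            continue
        v = parse_version(ver)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append(adv)
    return hits


def referenced_symbols(source, package):
    """Names under `package` that the source imports or accesses (module name uses '_')."""
    module = package.replace("-", "_")
    tree = ast.parse(source)
    aliases = set()   # local names bound to the whole module (`import m as x`)
    symbols = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == module:
                    aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            for a in node.names:
                symbols.add(a.name)
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id in aliases):
            symbols.add(node.attr)
    return symbols


def assess(requirements_txt, advisories, source):
    """Match pins to advisories, then mark which findings are reachable from the code."""
    pins = parse_requirements(requirements_txt)
    results = []
    for adv in match_advisories(pins, advisories):
        used = adv["symbol"] in referenced_symbols(source, adv["package"])
        results.append({"id": adv["id"], "package": adv["package"],
                        "version": pins[adv["package"]],
                        "reachable": used, "priority": "high" if used else "low"})
    return results


if __name__ == "__main__":
    for finding in assess(REQUIREMENTS_TXT, ADVISORIES, APP_SOURCE):
        print(finding)
```

Running it reports two version-range matches: the acme-yaml pin is marked high priority because the affected function is called on request data, while the acme-templater pin is low priority because the code only imports an unaffected function. A real SCA engine also has to parse lock files for every ecosystem listed above and follow calls across modules; the ast-based check here is deliberately limited to a single file.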
SCA is performed as part of DeepScan, identifying vulnerable dependencies across the entire codebase. This provides a comprehensive baseline of dependency risk across your repositories.
How to View Findings
All SCA findings from DeepScan are tracked in the Risk Register for centralized triage and prioritization. You can filter by the SCA agent type to isolate dependency-related risk from code-level findings.
DryRun Security's dependency analysis also feeds into SBOM (Software Bill of Materials) generation. You can download a complete inventory of your software dependencies for compliance and audit purposes from the SBOM Generation page.