Software Composition Analysis (SCA)¶
Software Composition Analysis (SCA) is a security practice that automates the process of identifying open-source components and third-party dependencies used in a codebase, then checking them for known vulnerabilities, licensing issues, and versioning problems. SCA tools analyze artifacts like package managers, manifest files, or lockfiles (e.g., package.json, pom.xml, requirements.txt) to detect insecure or outdated libraries and help teams respond before issues reach production.
Why SCA Is Important in Modern DevSecOps¶
SCA plays a critical role in DevSecOps by:
- Shifting security left — allowing vulnerabilities to be caught early in the development lifecycle
- Improving visibility into dependency risks across repositories and teams
- Automating compliance with open-source licenses and organizational security policies
- Reducing attack surfaces that emerge from transitive or nested dependencies
Ultimately, SCA helps organizations maintain security hygiene while accelerating deployment speeds.
How BoostSecurity Enables SCA Scanning¶
BoostSecurity integrates SCA scanning into your development workflows to automatically inspect source code repositories for insecure dependencies and vulnerable libraries.
Supported Scanners¶
BoostSecurity offers an extensive suite of Software Composition Analysis (SCA) scanners to help engineering and security teams detect vulnerabilities in open-source dependencies. These scanners analyze lock files, manifests, and filesystem content to flag known security issues using curated vulnerability databases.
| Scanner | Registry Module Name | Pull Request Flow | Description |
|---|---|---|---|
| BoostSecurity SCA | boostsecurityio/boost-sca | ✅ | BoostSecurity’s native SCA scanner that leverages several open-source and in-house checks with curated security rules. Supported package managers |
| Snyk | boostsecurityio/snyk-test | ✅ | The Snyk module scans the project package dependencies for vulnerabilities, using the snyk Command Line Interface (CLI) tool with command test (snyk test) for SCA. Supported package managers |
| OSV Scanner | boostsecurityio/osv-scanner | ✅ | Uses the Open Source Vulnerabilities (OSV) database to detect known vulnerabilities in project dependencies. Supported package managers |
| Bundler Audit | boostsecurityio/bundler-audit | ✅ | The bundler audit module scans the Ruby project's dependencies for vulnerabilities using the bundler-audit scanner. |
| NPM Audit | boostsecurityio/npm-audit | ✅ | The npm audit module scans the Nodejs project's dependencies for vulnerabilities, using the npm audit scanner. |
| Safety | boostsecurityio/safety | ✅ | The Safety module scans the Python project's dependencies for vulnerabilities using the safety scanner. |
| Nancy | boostsecurityio/nancy | ✅ | The Nancy module scans the GoLang project's dependencies for vulnerabilities using the Nancy scanner. |
| Trivy (Filesystem) | boostsecurityio/trivy-fs | ✅ | Scans the project filesystem for vulnerable open-source dependencies. Supported package managers |
| Dependabot | boostsecurityio/dependabot | ✅ | Integrates GitHub Dependabot for version monitoring and automatic pull requests for vulnerable dependencies. Supported package managers |
Each scanner comes with unique capabilities, giving organizations flexibility in choosing the right tool for their ecosystem. BoostSecurity supports both in-house and third-party scanners for maximum coverage.
Supported Source Code Management Systems (SCMs)¶
BoostSecurity’s SCA scanning capabilities are designed to be platform-agnostic, supporting integrations with all major SCM providers, including:
- GitHub
- GitLab
- Bitbucket
- Azure DevOps
The scanning logic and configuration approach remains largely consistent across SCMs, ensuring a unified experience regardless of where your code is hosted. Events such as pull requests, merges to default (main) branches, or dependency file changes can all trigger scans, depending on the configuration.
Default Scanning Behavior¶
Most scanners support being triggered on two key workflows:
- On Main: Triggers a scan when code is merged or pushed to the default branch.
- On Pull Request: Triggers a scan for code changes before merge, helping reviewers assess dependency risk.
| Scanner | On Main | On Pull Request |
|---|---|---|
| BoostSecurity SCA | ✅ | ✅ |
| Bundler-Audit | ✅ | ✅ |
| Nancy | ✅ | ✅ |
| NPM Audit | ✅ | ✅ |
| OSV Scanner | ✅ | ✅ |
| Safety | ✅ | ✅ |
| Snyk SCA | ✅ | ✅ |
| Trivy FS | ✅ | ✅ |
| Dependabot | ✅ | ☑️ (GitHub-only) |
Scanner Behavior and Coverage¶
Each scanner in BoostSecurity has a unique way of detecting vulnerabilities and interacting with your project structure. The BoostSecurity platform:
- Analyzes dependency files (e.g.,
package-lock.json,poetry.lock, etc.) to detect vulnerabilities - Normalizes findings across different ecosystems and scanners into a consistent, unified format
- Integrates with CI/CD workflows to run scans on pull requests, branch pushes, or scheduled intervals
- Supports multiple scanners, including Boost's SCA scanner, OSV, and other community tools
- Allows configuration via
.boost/config.ymlto customize scanning behavior per repository
This approach ensures broad visibility into open-source risk while maintaining flexibility across diverse tech stacks.
Intelligent Deduplication¶
BoostSecurity intelligently deduplicates results across multiple scanners. If several tools report the same vulnerability (e.g., CVE-2023-1234 in lodash@4.17.21), only one consolidated entry appears in the UI or exported reports.
This ensures a cleaner developer experience with no noisy duplication or conflicting severity ratings.
BoostSecurity’s flexible architecture allows you to combine scanners for broader or deeper coverage across polyglot repos and microservices.
Provisioning and Configuration¶
Provisioning SCA scanners is done at the Source Code Management level. This means you can choose different scanner configurations for each resource depending on your security posture.