Safeguard.sh Documentation Center

Software Composition Analysis (SCA)

Find and prioritize known vulnerabilities, license risks, and malicious packages across your full dependency graph — with reachability-aware triage and a single findings model.

Software Composition Analysis

Modern applications are mostly other people's code. Safeguard's SCA inventories every open-source component you ship — direct and transitive — resolves each against a continuously updated vulnerability knowledge graph, and prioritizes what actually matters using reachability and exploitability signals instead of drowning you in raw CVE counts.

What it does

CapabilityWhat it means
Full dependency inventoryResolves the complete dependency graph from your manifests and lockfiles, including deeply nested transitive dependencies. See Deep Dependency Scanning.
Known-vulnerability matchingMatches every resolved package + version against CVE/GHSA advisories, enriched with EPSS and CISA KEV so exploited-in-the-wild issues rise to the top.
Reachability-aware triageCross-references findings with function-level reachability so a CVE in code you never call is de-prioritized — not treated the same as a reachable sink.
License governanceFlags license obligations and incompatibilities across the graph.
Malicious-package detectionSurfaces typosquats, dependency confusion, and known-malicious packages. For inline, install-time blocking see the Package Firewall.

How it fits together

SCA is one engine in Safeguard's unified platform. Its findings land in the same tenant-isolated findings model (finding_type: sca) as every other engine, share one severity scale and status lifecycle, and flow through AutoTriage for cross-scanner deduplication and noise reduction — with the standing guarantee that malware and secret findings are never suppressed by reachability.

Supported ecosystems

npm / pnpm / Yarn, PyPI, Maven / Gradle, Go modules, Cargo, NuGet, Composer, and Ruby Bundler — plus components discovered inside container image layers. Manifests and lockfiles are both honored so resolution matches what actually installs.

Findings produced

Each SCA finding carries the vulnerable component and version, the CVE/GHSA identifiers, severity (with EPSS/KEV context), the full transitive path from your project root to the vulnerable package, the reachability verdict where available, and the safe upgrade target. Findings are queryable in the app alongside every other engine's output.

Enabling SCA

SCA runs as part of a project scan and is administrator-toggleable through Safeguard's feature-flag controls. Configure it from the integrations surface, then scan from CI, the CLI, or on a schedule.

safeguard scan --project my-api

On this page