Software Composition Analysis (SCA)
Find and prioritize known vulnerabilities, license risks, and malicious packages across your full dependency graph — with reachability-aware triage and a single findings model.
Software Composition Analysis
Modern applications are mostly other people's code. Safeguard's SCA inventories every open-source component you ship — direct and transitive — resolves each against a continuously updated vulnerability knowledge graph, and prioritizes what actually matters using reachability and exploitability signals instead of drowning you in raw CVE counts.
What it does
| Capability | What it means |
|---|---|
| Full dependency inventory | Resolves the complete dependency graph from your manifests and lockfiles, including deeply nested transitive dependencies. See Deep Dependency Scanning. |
| Known-vulnerability matching | Matches every resolved package + version against CVE/GHSA advisories, enriched with EPSS and CISA KEV so exploited-in-the-wild issues rise to the top. |
| Reachability-aware triage | Cross-references findings with function-level reachability so a CVE in code you never call is de-prioritized — not treated the same as a reachable sink. |
| License governance | Flags license obligations and incompatibilities across the graph. |
| Malicious-package detection | Surfaces typosquats, dependency confusion, and known-malicious packages. For inline, install-time blocking see the Package Firewall. |
How it fits together
SCA is one engine in Safeguard's unified platform. Its findings land in the same tenant-isolated findings model (finding_type: sca) as every other engine, share one severity scale and status lifecycle, and flow through AutoTriage for cross-scanner deduplication and noise reduction — with the standing guarantee that malware and secret findings are never suppressed by reachability.
Supported ecosystems
npm / pnpm / Yarn, PyPI, Maven / Gradle, Go modules, Cargo, NuGet, Composer, and Ruby Bundler — plus components discovered inside container image layers. Manifests and lockfiles are both honored so resolution matches what actually installs.
Findings produced
Each SCA finding carries the vulnerable component and version, the CVE/GHSA identifiers, severity (with EPSS/KEV context), the full transitive path from your project root to the vulnerable package, the reachability verdict where available, and the safe upgrade target. Findings are queryable in the app alongside every other engine's output.
Enabling SCA
SCA runs as part of a project scan and is administrator-toggleable through Safeguard's feature-flag controls. Configure it from the integrations surface, then scan from CI, the CLI, or on a schedule.
safeguard scan --project my-apiRelated
- Deep Dependency Scanning — 100-level transitive resolution.
- Reachability Analysis — is the vulnerable function actually called?
- Package Firewall — block malicious packages inline at install time.
- AutoTriage — cross-scanner dedup and noise reduction.
- Continuous Scanning — re-scan on every advisory-feed update.
Vulnerability Prioritization (Reachability Analysis)
How Safeguard uses call-graph reachability, EPSS, KEV, and runtime context to cut 60-80% of CVE noise so teams patch what actually matters.
Deep Dependency Scanning (100 Levels)
Scan dependencies 100 levels deep — 40 more than most SCA tools — to find vulnerabilities hidden in transitive dependencies.