Software Composition Analysis (SCA)

Checkmarx SCA provides comprehensive coverage and highly accurate results, with full visibility into vulnerabilities, malicious code, and license risks in open-source libraries. Checkmarx analyzes one million packages each month; the company has identified more than 400,000 open-source libraries containing malicious code. Tight IDE, CLI tool, and CI/CD integration make it easy to integrate security workflows, including automatic SCA scan triggering, within existing development and deployment platforms. 

Users are provided with prioritized remediation guidance to ensure that the most critical risks are addressed first. Also included are SBOM generation and ingestion, exploitable path analysis, transitive dependency scanning, binary dependency scanning, private package scanning, a risk management dashboard, policy rules with automated actions, and comprehensive reporting.

Checkmarx’ unique exploitable path analysis is an advanced form of reachability analysis that accurately determines which vulnerable classes or functions within third-party libraries may be called by an application at runtime. By prioritizing code that is potentially exploitable when the application is published (versus other vulnerabilities that are not currently being called by the application and are thus not readily exploitable), developers can remediate the most dangerous libraries first.

Software Composition Analysis is a proactive approach to securing third-party code which is in line with modern security principles of continuous monitoring and early detection of potential threats. By preemptively addressing security risks and compliance issues, developers can focus on coding and continue to confidently leverage open source libraries and components, while ensuring applications are secure.

Software Composition Analysis (SCA) differs from traditional security testing by focusing on identifying vulnerabilities and malicious code in open-source and other third-party components within an application. Rather than testing for flaws in proprietary code, SCA examines dependencies for known security risks, licensing issues, and outdated versions, enabling faster remediation of vulnerabilities in widely used external libraries. 

Open-source components are widely used in modern software development, yet they can introduce vulnerabilities or malicious code into applications. Software Composition Analysis (SCA) tools identify these risks early, enabling quick remediation and empowering developers to continue leveraging open-source components confidently. This approach supports developer productivity while ensuring the security and stability of the codebase.

Static application security testing (SAST) scans proprietary code written by your developers, while software composition analysis (SCA) scans open source libraries and third-party components.

An SBOM is a file that helps organizations see an application’s makeup to assess and address the security risk across all its underlying components.

Checkmarx SCA easily integrates into your CI/CD pipeline, works seamlessly with a wide variety of CI/CD tools, including Jenkins, Azure DevOps, GitHub Actions, and TeamCity.

Checkmarx SCA is available on the Checkmarx One platform. Developers can get it free within JetBrains’ IntelliJ IDEA Ultimate and Visual Studio Code plugins.