Checkmarx One

Software Composition
Analysis (SCA)

Q: SCA vs. SAST Scanning?

Static application security testing (SAST) scans proprietary code written by your developers, while software composition analysis (SCA) scans open-source libraries and third-party components.

Q: What is a software bill of materials (SBOM)?

An SBOM is a file that helps organizations see an application’s makeup to assess and address the security risk across all its underlying components.

Q: Can I integrate SCA into my CI/CD pipeline?

Checkmarx SCA easily integrates into your CI/CD pipeline, works seamlessly with a wide variety of CI/CD tools, including Jenkins, Azure DevOps, GitHub Actions, and TeamCity.

Q: How can I try Checkmarx SCA?

Checkmarx SCA is available on the Checkmarx One platform. Developers can get it free within JetBrains’ IntelliJ IDEA Ultimate and Visual Studio Code plugins.

Identify, prioritize, and remediate open-source risk in your applications, including vulnerabilities, malicious code, and license risks.

Get a Demo → Jump to Key Benefits

Everything You Need to Mitigate Open-Source Risk

Checkmarx provides comprehensive SCA functionality with unparalleled accuracy.

Unmatched Scan Accuracy

Highest Accuracy in the Industry

In a recent third-party competitive evaluation of OSS vulnerability detection, Checkmarx came out far ahead across all key metrics, including zero false positives (versus the competitor’s FP rate of 10%).

See the Accuracy in a Demo

Supply Chain Depth

Transitive Dependency Scanning

Comprehensive discovery and scanning of all directly and transitively referenced OSS and private packages – to unlimited depth – including those in on-prem and private JFrog Artifactory registries.

See the San Depth in a Demo

Malicious Open Source Code Detection

Malicious Package Protection

Checkmarx’ industry-leading proprietary database of more than 420,000 malicious packages enables you to identify and remediate any open-source libraries in your applications known to contain malicious code.

See MPP in Action

Risk Prioritization

Effective Reachability Analysis

Reduce noise and prioritize remediation efforts by focusing on vulnerable OSS code that may potentially execute, based on an analysis of all potential call paths to unsafe functions. Supports a variety of coding languages.

See Reachability Analysis in a Demo

AI-guided Remediation

Developer Experience Upgrade

Dramatically ease and expedite mitigation efforts with specific and actionable remediation guidance, including the expected effort and impact of each fix. Get AI recommendations for more secure alternative packages.

View AI-guided Remediation in Action

Pipeline Governance

Policy Rules with Automated Actions

Policies based on package characteristics, CVSS (up to 4.0) vulnerability severity, reachability, malicious code detection, and licensing issues can be configured to send alerts, prevent pull requests, and break builds.

See the Governance in a Demo

Compliance Assurance

License Risk Management

Ensure awareness and tracking of all relevant third-party code license requirements and restrictions, to avoid potential compliance issues and other legal complications.

See License Risk Management in Demo

Software Supply Chain Governance

Software Bill of Materials (SBOM)

Generate, share, ingest, and manage SBOMs in industry-standard formats, to inventory the components of your applications and more easily comply with relevant regulatory, policy, and licensing requirements.

See SBOM Capacity in Demo

Checkmarx Software Composition Analysis

The Most Accurate and Automated SCA

Better identify, manage, and remediate open-source risk as an integrated part of your SDLC.

Request a Demo →

What’s in it for you

How Organizations Benefit From Checkmarx SCA

Checkmarx One’s SCA provides a comprehensive solution for CISOs, AppSec teams, and Developers.

Minimize Open-Source Risk

Confidently utilize open-source software to launch new features and applications faster, with automated SCA scans that don’t interrupt your developers’ workflows. 

See it in Your Custom Demo →

Prioritize Remediation Efforts

By correlating insights and focusing on exploitable vulnerabilities, Checkmarx SCA helps deliver better business outcomes, while saving AppSec teams and developers valuable time and energy.

See it in Your Custom Demo →

Build #DevSecTrust 

Developers can create secure applications faster with integrated application security in their existing tools and workflows.

See it in Your Custom Demo →

Customer Stories

Why the World’s Top Teams Choose Checkmarx

“We’ve seen an 80% noise reduction — our engineers now focus on the high-quality risks that matter.”

Explore Best Buy Case Study

“By far the best AppSec tooling decision we have made”

“Checkmarx gave us a 90% reduction in vulnerabilities in just a few months.”

“Unifying our AppSec tools with Checkmarx gave us a single source of truth.”

“With 2.1B lines of code scanned monthly, Checkmarx gives us the scale and speed we need.”

“Checkmarx fits seamlessly into our DevOps pipelines—it’s a truly scalable solution.”

“From a buyer perspective, Checkmarx’s approach offers a structured and role-aware entry point into agentic security. ”

“Incorporating Checkmarx’s technology has revolutionized our development culture ”

“Checkmarx One made our security team and developers life easier.”

“The success of our AppSec program can be directly attributed to the tooling, processes and support provided by the Checkmarx managed services.”

“Bringing ASPM context directly into the IDE reflects a forward-looking approach to prioritizing security efforts based on risk earlier in the development process.”

Checkmarx Software Composition Analysis

Frequently Asked Questions

What differentiates Checkmark’s SCA tool from others?

Checkmarx SCA provides comprehensive coverage and highly accurate results, with full visibility into vulnerabilities, malicious code, and license risks in open-source libraries. Checkmarx analyzes one million packages each month; the company has identified more than 420,000 open-source libraries containing malicious code. Tight IDE, CLI tool, and CI/CD integration make it easy to integrate security workflows, including automatic SCA scan triggering, within existing development and deployment platforms.

Users are provided with prioritized remediation guidance to ensure that the most critical risks are addressed first. Also included are SBOM generation and ingestion, exploitable path analysis, transitive dependency scanning, binary dependency scanning, private package scanning, a risk management dashboard, policy rules with automated actions, and comprehensive reporting.

SCA vs. SAST Scanning?

What is exploitable path analysis?

Checkmarx’ unique exploitable path analysis is an advanced form of reachability analysis that accurately determines which vulnerable classes or functions within third-party libraries may be called by an application at runtime. By prioritizing code that is potentially exploitable when the application is published (versus other vulnerabilities that are not currently being called by the application and are thus not readily exploitable), developers can remediate the most dangerous libraries first.

What is a software bill of materials (SBOM)?

How can a Software Composition Analysis tool improve security?

Software Composition Analysis is a proactive approach to securing third-party code which is in line with modern security principles of continuous monitoring and early detection of potential threats. By preemptively addressing security risks and compliance issues, developers can focus on coding and continue to confidently leverage open-source libraries and components, while ensuring applications are secure.

Can I integrate SCA into my CI/CD pipeline?

How does SCA differ from traditional security testing?

Software Composition Analysis (SCA) differs from traditional security testing by focusing on identifying vulnerabilities and malicious code in open-source and other third-party components within an application. Rather than testing for flaws in proprietary code, SCA examines dependencies for known security risks, licensing issues, and outdated versions, enabling faster remediation of vulnerabilities in widely used external libraries.

How can I try Checkmarx SCA?

Why is SCA important in software development?

Open-source components are widely used in modern software development, yet they can introduce vulnerabilities or malicious code into applications. Software Composition Analysis (SCA) tools identify these risks early, enabling quick remediation and empowering developers to continue leveraging open-source components confidently. This approach supports developer productivity while ensuring the security and stability of the codebase.