Software Composition Analysis (SCA) tools for identifying security vulnerabilities in open source components, third-party libraries, and software dependencies.
Browse 152 software composition analysis tools
SBOM-powered SCA platform for container & source code security scanning
A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.
A centralized platform for managing open source components and automating software supply chain security.
Automate software supply chain security by blocking malicious open source components
Restores sha512 integrity hashes in lock files where they have been downgraded to sha1, so package contents are verified with a stronger hash.
A dependency security scanner that looks for dependency confusion risk by checking whether the package names or namespaces a project uses are still unregistered (and therefore claimable by an attacker) on the public Python, JavaScript, PHP, and Maven registries.
Package verification tool for npm with various verification and testing capabilities.
Helm plugin for cryptographically signing and verifying charts with GnuPG integration.
Preflight is a Go-based verification tool that helps organizations validate scripts and executables to prevent supply chain attacks by enabling secure self-compilation and trusted distribution methods.
npm-zoo is a curated database of known malicious NPM packages that helps developers and security researchers identify and avoid potentially harmful dependencies in their projects.
An extensible, heuristic-based vulnerability scanning tool for installed npm packages.
A Python script that scans Nexus Repository Manager for artifacts with identical names across repositories to identify dependency confusion attack vulnerabilities.
A security tool that detects potential Dependency Confusion attack vectors by identifying private package names that are not reserved on public registries.
A community effort to compile security advisories for Ruby libraries with a detailed directory structure.
Patch-level verification tool for bundler to check for vulnerable gems and insecure sources.
A tool that runs YARA rules against node_modules folders to identify suspicious scripts.
Gamma Ray is a tool that helps developers look for vulnerabilities in their Node.js applications, with a pluggable infrastructure for integrating vulnerability databases.
A dependency security analysis tool that identifies potential risks in project dependencies including unsafe lock files, installation scripts, obfuscated code, and dangerous shell commands.
LunaTrace is an open source supply chain security tool that monitors software dependencies for vulnerabilities and integrates with GitHub to notify developers of security issues before deployment.
A tool that safely installs packages with npm/yarn by auditing them as part of your install process.
Lint lockfiles for improved security and trust policies.
A set of tools for securing JavaScript projects against software supply chain attacks.
A command line tool that automates vulnerability scanning of Ruby gems and Rails stack components by matching the detected component versions against known CVEs.
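Several of the tools above lint lock files for the same handful of risk signals: integrity hashes weaker than sha512, packages resolved from hosts other than the expected registry or over plain HTTP, entries with no integrity at all, and packages that run install scripts. The following is an added example, not code from any tool listed here, of what such a check looks like over an npm lockfileVersion 3 "packages" map. The lockfile contents, package names and the allowed-host policy are constructed for the example; the `hasInstallScript` field is the marker npm itself writes for packages with install hooks.

```javascript
// Added example: lint an npm lockfile (lockfileVersion 3) for supply-chain
// risk signals. The lockfile below is constructed for this example; the
// package names and URLs are not real packages.
const LOCKFILE = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: {} },
    "node_modules/good-lib": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/good-lib/-/good-lib-1.0.0.tgz",
      integrity: "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
    },
    "node_modules/weak-hash-lib": {
      version: "2.3.0",
      resolved: "https://registry.npmjs.org/weak-hash-lib/-/weak-hash-lib-2.3.0.tgz",
      integrity: "sha1-AAAAAAAAAAAAAAAAAAAAAAAAAAA=", // downgraded hash
    },
    "node_modules/mirror-lib": {
      version: "2.0.0",
      resolved: "http://mirror.example.internal/mirror-lib-2.0.0.tgz", // plain HTTP, foreign host
      integrity: "sha512-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==",
    },
    "node_modules/hooky-lib": {
      version: "0.9.1",
      resolved: "https://registry.npmjs.org/hooky-lib/-/hooky-lib-0.9.1.tgz",
      integrity: "sha512-CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC==",
      hasInstallScript: true, // npm writes this for preinstall/install/postinstall hooks
    },
    "node_modules/git-lib": {
      version: "1.1.0",
      resolved: "git+ssh://git@github.com/example-org/git-lib.git#0123456789abcdef",
      // no integrity field at all: nothing pins the fetched content
    },
  },
};

// Policy (an assumption for this example): only the public npm registry over HTTPS.
const POLICY = { allowedHosts: ["registry.npmjs.org"] };

// Returns true when at least one SRI token in the integrity string is sha512.
// SRI allows several space-separated hashes; a sha1-only value is the weak case.
function hasSha512(integrity) {
  return integrity.split(/\s+/).some((tok) => tok.startsWith("sha512-"));
}

// Walk every installed package and collect findings as {path, code, detail}.
function lintLockfile(lock, policy) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project entry is not a fetched package
    const add = (code, detail) => findings.push({ path, code, detail });

    if (pkg.resolved) {
      try {
        const url = new URL(pkg.resolved);
        if (url.protocol !== "https:") add("non-https-source", url.protocol);
        if (!policy.allowedHosts.includes(url.hostname)) add("untrusted-host", url.hostname);
      } catch {
        add("unparseable-resolved", pkg.resolved);
      }
    }

    if (!pkg.integrity) add("missing-integrity", "no SRI hash pins this package");
    else if (!hasSha512(pkg.integrity)) add("weak-integrity", pkg.integrity.split("-")[0]);

    if (pkg.hasInstallScript) add("install-script", "package runs code at install time");
  }
  return findings;
}

// Group findings by package so a reviewer sees one line per risky package.
function findingsByPackage(findings) {
  const out = {};
  for (const f of findings) (out[f.path] ||= []).push(f.code);
  return out;
}

for (const f of lintLockfile(LOCKFILE, POLICY)) {
  console.log(`${f.path}: ${f.code} (${f.detail})`);
}
```

Run it with `node lint-lockfile.js`; a real lint would load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` in place of the constructed object and exit non-zero on any finding so it can gate CI. The checks intentionally stay at the lockfile level: they do not download tarballs, so an entry that passes here can still ship malicious code, which is what the YARA and heuristic scanners in this list are for.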
Common questions about Software Composition Analysis tools, selection guides, pricing, and comparisons.
Modern SCA tools analyze the full dependency tree, including transitive (indirect) dependencies that your direct dependencies pull in. A typical application may have 50 direct dependencies but 500+ transitive ones. SCA tools map this entire tree, flag vulnerabilities at any depth, and identify the upgrade path (which direct dependency you need to update to fix a transitive vulnerability).
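To make the tree walk concrete, here is an added example (not code from any tool listed on this page) that resolves dependencies from an npm lockfileVersion 3 "packages" map the way npm does (the nearest `node_modules` folder wins, walking up to the root), finds every installed copy of a package affected by an advisory, records the chain of dependencies that pulls it in, and reports the direct dependency that must be upgraded. The lockfile, the package names and the advisory are all constructed for the example; the version comparison handles plain `x.y.z` versions only and ignores prerelease tags.

```javascript
// Added example: map an npm dependency tree from a lockfile (lockfileVersion 3),
// locate a vulnerable transitive package, and name the direct dependency to
// upgrade. Lockfile and advisory are constructed for this example.
const LOCKFILE = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "web-framework": "^1.0.0", utils: "^3.0.0" } },
    "node_modules/web-framework": {
      version: "1.4.0",
      dependencies: { parser: "^1.0.0", "body-reader": "^1.0.0" },
    },
    "node_modules/body-reader": { version: "1.2.0", dependencies: { parser: "^1.0.0" } },
    // hoisted copy of parser on the old 1.x line, shared by web-framework and body-reader
    "node_modules/parser": { version: "1.3.2" },
    "node_modules/utils": { version: "3.1.0", dependencies: { parser: "^2.0.0" } },
    // nested copy: utils needs 2.x, so npm installed a second parser under it
    "node_modules/utils/node_modules/parser": { version: "2.1.0" },
  },
};

// Constructed advisory: every "parser" version below 2.0.0 is affected.
const ADVISORY = { name: "parser", fixedIn: "2.0.0" };

// Compare two "major.minor.patch" strings: -1, 0 or 1. Prerelease tags are ignored.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// npm resolution: from the package installed at `fromPath`, look for `name` in
// fromPath/node_modules, then in each ancestor's node_modules, ending at the root.
function resolve(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base === "" ? "" : base + "/") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null; // not installed at all
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root. Every chain that reaches an affected version
// is recorded; `stack` only guards against cycles, so one package reachable by
// several chains is reported once per chain (each chain names its own fix).
function findVulnerable(lock, advisory) {
  const hits = [];
  const stack = new Set();
  function walk(pkgPath, chain) {
    if (stack.has(pkgPath)) return;
    stack.add(pkgPath);
    const deps = lock.packages[pkgPath].dependencies || {};
    for (const depName of Object.keys(deps)) {
      const depPath = resolve(lock, pkgPath, depName);
      if (!depPath) continue; // lockfile is incomplete; a real tool should flag this
      const version = lock.packages[depPath].version;
      const nextChain = chain.concat(depName);
      if (depName === advisory.name && cmpVersion(version, advisory.fixedIn) < 0) {
        hits.push({ installPath: depPath, version, chain: nextChain, upgrade: nextChain[0] });
      }
      walk(depPath, nextChain);
    }
    stack.delete(pkgPath);
  }
  walk("", []);
  return hits;
}

// The direct dependencies that must move to a version pulling in a fixed parser.
function upgradeTargets(hits) {
  return [...new Set(hits.map((h) => h.upgrade))].sort();
}

// Direct count from the root entry versus everything actually installed.
function summarize(lock) {
  const direct = Object.keys(lock.packages[""].dependencies || {}).length;
  const installed = Object.keys(lock.packages).filter((p) => p !== "").length;
  return { direct, installed };
}

for (const h of findVulnerable(LOCKFILE, ADVISORY)) {
  console.log(`${h.installPath}@${h.version} via ${h.chain.join(" > ")} -> upgrade ${h.upgrade}`);
}
console.log("direct dependencies to upgrade:", upgradeTargets(findVulnerable(LOCKFILE, ADVISORY)));
```

The point of the nested-copy entry is that the walk must follow npm's resolution rules rather than matching on package name: `utils` also depends on `parser`, but its copy lives at `node_modules/utils/node_modules/parser` on the fixed line, so it is correctly left out, while both chains through `web-framework` land on the hoisted 1.3.2 copy and point at `web-framework` as the single direct dependency to bump. A real SCA tool would then consult the upstream package's releases to find the first version whose own dependency range excludes the affected versions, which a lockfile alone cannot tell you.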
Yes. Out of 24 software composition analysis tools listed on CybersecTools, 23 are free and 1 is commercial. Free tools work well for small teams, testing, and budget-conscious organizations. Commercial tools typically add enterprise features, dedicated support, and SLA guarantees.