Software Composition Analysis (SCA) tools for identifying security vulnerabilities in open source components, third-party libraries, and software dependencies.
Browse 152 software composition analysis tools
NodeSecure is a cybersecurity project that provides security monitoring and analysis capabilities specifically designed for Node.js applications.
A tool to prevent prototype poisoning in JSON parsing.
Checkov is a static analysis tool that scans infrastructure as code and performs software composition analysis to detect security misconfigurations and vulnerabilities in cloud infrastructure and dependencies.
An open-source framework that detects and prevents dependency confusion attacks across multiple package management systems and development environments.
AuditJS is a command-line tool that scans JavaScript projects for known vulnerabilities and outdated packages in npm dependencies using the OSS Index API or Nexus IQ Server.
Grafeas is an API specification for managing and auditing metadata about software resources across the software supply chain.
GuardDog is a CLI tool that identifies malicious PyPI and npm packages using heuristics-based analysis of source code and metadata.
Common questions about Software Composition Analysis tools, selection guides, pricing, and comparisons.
Modern SCA tools analyze the full dependency tree, including transitive (indirect) dependencies that your direct dependencies pull in. A typical application may have 50 direct dependencies but 500+ transitive ones. SCA tools map this entire tree, flag vulnerabilities at any depth, and identify the upgrade path (which direct dependency you need to update to fix a transitive vulnerability).