Coana Reachability Analysis is a Software Composition Analysis (SCA) tool that uses static analysis techniques to determine whether vulnerabilities in application dependencies are actually reachable by the application code. The tool performs control-flow analysis to build a call graph model of the analyzed program, which allows it to identify which code paths are reachable and which are dead code. The analysis examines both direct and transitive dependencies to provide comprehensive coverage. It uses language-specific analysis tailored for each programming language to handle language-specific features. The tool is designed to over-approximate reachability, marking vulnerabilities as reachable when in doubt to avoid false negatives. Coana operates as a zero-configuration tool that automatically identifies project types, workspace configurations, and source files without requiring manual setup. The analysis runs on-premises using a CLI, with the code scan taking place on the user's machine so source code never leaves the local environment. The tool can run without internet access if needed. The tool integrates with CI/CD environments for regular scanning. It includes a dedicated security team that investigates new vulnerabilities to identify the specific functions, methods, and properties affected, creating specifications used by the static analysis engine. Coana continues to monitor applications over time, alerting users to new reachable vulnerabilities and previously unreachable vulnerabilities that become reachable as code changes.