Checkmarx One Software Composition Analysis (SCA) is a tool that identifies, prioritizes, and remediates open-source security risks in applications. The product scans for vulnerabilities, malicious code, and license compliance issues in open-source components. The tool performs transitive dependency scanning to unlimited depth, analyzing both direct and indirect package dependencies including those in on-premise and private JFrog Artifactory registries. It includes a proprietary database of over 410,000 malicious packages to detect compromised open-source libraries. The product features reachability analysis that examines call paths to unsafe functions, helping teams focus on vulnerable code that may actually execute. It provides remediation guidance with effort and impact assessments, and offers AI-based recommendations for alternative packages. Policy enforcement capabilities allow organizations to configure rules based on package characteristics, CVSS vulnerability severity (up to version 4.0), reachability status, malicious code detection, and licensing issues. These policies can trigger alerts, block pull requests, or break builds. The tool manages license risk by tracking third-party code license requirements and restrictions. It generates, ingests, and manages Software Bills of Materials (SBOMs) in industry-standard formats to support regulatory compliance and component inventory requirements.