
A typical modern application is 80–90% third-party code. SCA is the only practical way to keep that surface visible. It produces a component inventory, maps known vulnerabilities to those components, and triages which of them are actually exploitable in your specific application. That triage is the difference between a 4,000-finding scanner output and a prioritised remediation list engineering can deliver against.

Beyond vulnerability tracking, SCA carries license-compliance value. Many open-source licenses carry legal obligations (attribution, source disclosure, downstream restrictions) that get lost when components are pulled in by transitive dependency. SCA surfaces those obligations before they become legal risk.

SCA is typically the easiest source-code service to integrate continuously: it runs against build manifests rather than the codebase, and modern tooling fits into most CI/CD pipelines with minimal friction.

What's at stake.

Supply-chain risk is now everyone's problem

Log4Shell, XZ Utils, polyfill.io: recent years have made it clear that a single open-source component can become an organisation-wide incident overnight. SCA is the inventory you need to even know whether you are affected.

License compliance has teeth

GPL/AGPL obligations have been litigated. License-incompatible distribution can carry material commercial and legal cost, and is usually invisible to engineering until SCA is run.

What we test.

Component analysis

  • Known vulnerability detection (CVE, GHSA)
  • Component scanning across direct and transitive dependencies
  • Dependency mapping and supply-chain visualisation
  • Container and base-image inventory

Compliance & monitoring

  • License compliance and obligation analysis
  • Security risk assessment and exploitability triage
  • Mitigation and remediation guidance
  • Continuous monitoring via CI/CD

A structured, intelligence-led path through every engagement.

Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.

Scoping

Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.

Execution

Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.

Validation

Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.

Reporting

Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.

Debrief & Retest

Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.

Mapped to recognised baselines.

SLSA
NIST SSDF
ISO 27001:2022
PCI DSS v4.0
SBOM (CycloneDX / SPDX)

Common buyer questions.

Can SCA produce an SBOM?

Yes, Software Bill of Materials in CycloneDX or SPDX format. Increasingly required by enterprise customers and regulators as a deliverable for software supply-chain assurance.

Do you check container images?

Yes. Container engagements typically combine SCA on the application dependencies with container-image SBOM and base-image vulnerability analysis.

How do you handle false positives?

Raw SCA output flags every known CVE in every component, regardless of whether the vulnerable code path is actually reached. Consultant triage filters these down to exploitable findings: the only ones that should consume engineering time.
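As an added example (not part of this page and not the vendor's Velocity platform), the Python below walks through the pipeline the sections above describe: parsing a constructed CycloneDX SBOM into a component inventory that distinguishes direct from transitive dependencies, matching a constructed advisory feed by package URL and version range, triaging each match on whether the vulnerable symbol is reachable from the application's own code (the false-positive filter described in the answer above), and listing license obligations for copyleft and permissive components. Every package name, advisory ID, version range and reached symbol is a constructed placeholder, and the reachability input is assumed to come from a separate call-graph step that is not shown.

```python
"""Added example, not the vendor's tooling: a minimal SCA pass over a CycloneDX SBOM."""
import json

# Constructed CycloneDX 1.5-style SBOM for a hypothetical service; all names are illustrative.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/logkit@2.14.1", "purl": "pkg:maven/com.example/logkit@2.14.1",
         "name": "logkit", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:maven/com.example/jsonlite@1.2.0", "purl": "pkg:maven/com.example/jsonlite@1.2.0",
         "name": "jsonlite", "version": "1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:maven/com.example/pdfgen@3.0.1", "purl": "pkg:maven/com.example/pdfgen@3.0.1",
         "name": "pdfgen", "version": "3.0.1", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"bom-ref": "pkg:maven/com.example/xmlkit@0.9.0", "purl": "pkg:maven/com.example/xmlkit@0.9.0",
         "name": "xmlkit", "version": "0.9.0"},  # no license metadata at all
    ],
    # Dependency graph: the root depends on logkit and jsonlite; jsonlite pulls in pdfgen and xmlkit.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/logkit@2.14.1",
                                     "pkg:maven/com.example/jsonlite@1.2.0"]},
        {"ref": "pkg:maven/com.example/jsonlite@1.2.0",
         "dependsOn": ["pkg:maven/com.example/pdfgen@3.0.1", "pkg:maven/com.example/xmlkit@0.9.0"]},
    ],
})

# Constructed advisory feed keyed by version-less purl. IDs are placeholders, not real CVE/GHSA numbers.
ADVISORIES = {
    "pkg:maven/com.example/logkit": [{"id": "ADV-EXAMPLE-0001", "severity": "CRITICAL",
        "introduced": "2.0.0", "fixed": "2.15.0", "symbols": ["com.example.logkit.JndiLookup"]}],
    "pkg:maven/com.example/xmlkit": [{"id": "ADV-EXAMPLE-0002", "severity": "HIGH",
        "introduced": "0.0.0", "fixed": "1.0.0", "symbols": ["com.example.xmlkit.ExternalEntityResolver"]}],
    "pkg:maven/com.example/jsonlite": [{"id": "ADV-EXAMPLE-0003", "severity": "MEDIUM",
        "introduced": "2.0.0", "fixed": "2.1.0", "symbols": ["com.example.jsonlite.Deserializer"]}],
}

# Constructed: symbols the application's own code references (assumed to come from a call-graph tool).
REACHED_SYMBOLS = {"com.example.logkit.Logger", "com.example.xmlkit.ExternalEntityResolver"}

# Obligations by license-family prefix; illustrative summary, not legal advice.
OBLIGATIONS = {"AGPL": ["source disclosure", "network-use disclosure"], "GPL": ["source disclosure"],
               "Apache": ["attribution", "NOTICE file"], "MIT": ["attribution"], "BSD": ["attribution"]}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def version_key(v):
    """Dotted numeric version -> tuple for ordering; non-numeric parts are ignored."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def purl_base(purl):
    """Strip the @version suffix so a component can be looked up in the advisory feed."""
    return purl.split("@", 1)[0]


def component_license(comp):
    """Return the SPDX id, name or expression from CycloneDX license metadata, else UNKNOWN."""
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        if lic.get("id") or lic.get("name"):
            return lic.get("id") or lic.get("name")
        if entry.get("expression"):
            return entry["expression"]
    return "UNKNOWN"


def parse_sbom(text):
    """Return (components, direct_refs): the inventory plus the set of first-level dependencies."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    direct = set()
    for dep in bom.get("dependencies", []):
        if dep["ref"] == root:
            direct.update(dep.get("dependsOn", []))
    return bom["components"], direct


def is_affected(version, adv):
    """True when introduced <= version < fixed (half-open range, as most feeds express it)."""
    v = version_key(version)
    return version_key(adv["introduced"]) <= v < version_key(adv["fixed"])


def license_obligations(comp):
    """Map a component's license to the obligations its family carries."""
    lic = component_license(comp)
    for prefix, obs in OBLIGATIONS.items():
        if lic.startswith(prefix):
            return lic, obs
    return lic, ["unknown license: manual review"]


def run_sca(sbom_text, advisories, reached_symbols):
    """Inventory -> advisory matching -> reachability triage -> license report."""
    comps, direct = parse_sbom(sbom_text)
    findings, licenses = [], []
    for c in comps:
        is_direct = c["bom-ref"] in direct
        for adv in advisories.get(purl_base(c["purl"]), []):
            if not is_affected(c["version"], adv):
                continue  # version outside the vulnerable range: not a finding at all
            reachable = any(s in reached_symbols for s in adv["symbols"])
            findings.append({"id": adv["id"], "component": c["name"], "version": c["version"],
                             "severity": adv["severity"], "direct": is_direct, "reachable": reachable,
                             "fix": adv["fixed"], "priority": "fix now" if reachable else "track"})
        lic, obs = license_obligations(c)
        licenses.append({"component": c["name"], "license": lic, "direct": is_direct, "obligations": obs})
    # Reachable findings first, then by severity: the order engineering should work through.
    findings.sort(key=lambda f: (not f["reachable"], SEVERITY_RANK.get(f["severity"], 9)))
    return {"components": len(comps), "findings": findings, "licenses": licenses}


if __name__ == "__main__":
    print(json.dumps(run_sca(SBOM_JSON, ADVISORIES, REACHED_SYMBOLS), indent=2))
```

Running it reports four components, two advisory matches (the third advisory is excluded because the shipped version is below its introduced bound), with the transitive xmlkit finding ranked first because its vulnerable symbol is actually referenced, and the direct logkit finding parked as "track" because the affected class is never reached. The license section surfaces the AGPL obligation that rode in two levels down the dependency tree and the component with no license metadata at all, which is exactly the kind of obligation the text says gets lost through transitive dependencies. In a real pipeline the reachability set would come from a call-graph or bytecode analysis step and the advisory feed from OSV, GHSA or NVD rather than an inline dictionary.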

Test Your Defences Against Adversarial Expertise

Talk to a CREST-accredited consultant about your next penetration testing engagement.