SCA
ELI5 — The Vibe Check
SCA checks if the libraries you're using have known vulnerabilities. You didn't write the bug, but you imported it. That lodash version from 2019? It has 3 CVEs. SCA is like a product recall alert for your dependencies — 'hey, that thing you're using is broken.'
Real Talk
Software Composition Analysis identifies open-source components in your codebase and checks them against vulnerability databases (NVD, OSV). It detects known CVEs, license compliance issues, and outdated dependencies. Tools include Snyk, Dependabot, Renovate, and OWASP Dependency-Check.
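A minimal version of that check, as an added example (not from the page or from any of the tools named above): it reads a constructed package-lock.json fragment and matches each dependency against constructed advisories written in the OSV record shape, applying OSV's introduced/fixed SEMVER event rules; the GHSA ids are placeholders, not real identifiers.

```python
import json

# Constructed package-lock.json fragment (npm "packages" layout); not a real project.
LOCKFILE = json.loads("""{"packages": {
  "node_modules/lodash":   {"version": "4.17.15"},
  "node_modules/left-pad": {"version": "1.3.0"},
  "node_modules/semver":   {"version": "7.5.4"}}}""")

ADVISORIES = [  # constructed OSV-shaped records; the GHSA ids are placeholders
    {"id": "GHSA-PLACEHOLDER-1", "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.17.19"}]}]}]},
    {"id": "GHSA-PLACEHOLDER-2", "affected": [{"package": {"ecosystem": "npm", "name": "semver"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "7.0.0"}, {"fixed": "7.5.2"}]}]}]},
]

def parse_version(v):
    """Dotted numeric version -> tuple of ints; prerelease/build tags are dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))

def in_range(version, events):
    """OSV SEMVER semantics: affected once version >= 'introduced',
    no longer affected once version >= a later 'fixed' event."""
    v, affected = parse_version(version), False
    for ev in events:  # OSV lists events in ascending version order
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected

def installed_packages(lock):
    """Yield (name, version) for each node_modules entry, nested or scoped."""
    for path, meta in lock["packages"].items():
        if path:  # the empty key is the root project itself, not a dependency
            yield path.split("node_modules/")[-1], meta["version"]

def scan(lock, advisories, ecosystem="npm"):
    """Return [(name, version, advisory id)] for every affected dependency."""
    findings = []
    for name, version in installed_packages(lock):
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] == ecosystem and pkg["name"] == name and any(
                        r["type"] == "SEMVER" and in_range(version, r["events"])
                        for r in aff["ranges"]):
                    findings.append((name, version, adv["id"]))
    return findings
```

Real SCA tools pull these records from the OSV or NVD feeds and also handle the ECOSYSTEM and GIT range types, which this example leaves out.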
When You'll Hear This
"SCA flagged a critical CVE in our XML parser dependency." / "We can't ship until SCA shows zero high-severity vulnerabilities."
Related Terms
Dependabot
Dependabot is GitHub's robot that checks your dependencies for updates and security vulnerabilities, then opens PRs to fix them.
SAST
SAST scans your source code for security bugs WITHOUT running it.
SBOM
An SBOM is a complete ingredient list for your software — every library, every dependency, every version. Like food nutrition labels but for code.
Supply Chain Security
Supply Chain Security protects the entire path from code to production — dependencies, build systems, registries, everything.