World’s First Delphi SCA with SBOM Support

DerScanner introduces the first Software Composition Analysis for Delphi with native SBOM generation for Embarcadero RAD Studio projects. Generate CycloneDX SBOMs, improve supply chain visibility, and meet modern compliance requirements.

DerScanner Welcomes SBOMs for Embarcadero RAD Studio Projects (Delphi)

We’re excited to announce a major new capability in DerScanner: SBOM generation for Embarcadero RAD Studio projects written in Delphi. This update makes it easier than ever to meet modern compliance requirements if your team builds with RAD Studio.

What is Software Composition Analysis?

Software Composition Analysis (SCA) is a security practice that automatically identifies all third-party and open-source components used in your application. SCA tools scan your codebase to create a complete inventory of dependencies, check each component against vulnerability databases (CVEs), analyze license compliance risks, and generate a Software Bill of Materials (SBOM).

For Delphi developers, SCA addresses a critical gap: while modern languages like JavaScript and Python have mature SCA ecosystems, Delphi projects have historically lacked native tooling for component visibility. DerScanner's Delphi SCA is the first dedicated solution designed specifically for the Delphi ecosystem.

Built for Compliance, Designed for Developers

With SBOM (Software Bill of Materials) generation now available for Delphi projects, DerScanner helps you align with key regulatory and security frameworks, including:

  • CRA
  • FDA
  • NIS2
  • DORA
  • ISO 27001
  • PCI DSS
  • and others
If you love Embarcadero products as much as we do, you no longer have to choose between productivity and compliance. DerScanner brings both together.

How It Works

SBOM generation is integrated into DerScanner’s Software Composition Analysis (SCA) capability and is simple to trigger:

  • Provide your source code.
  • Include the dependencies directory.
  • Specify the RAD Studio version you’re developing with.


That’s it. DerScanner takes care of the rest.

Delphi SCA by DerScanner


Standardized, Actionable Results

Once the scan is complete:

  • Your SBOM is generated in CycloneDX format
  • The file is available for download directly from the Overview page
  • The output is ready to be used for audits, compliance reporting, and internal security reviews
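The CycloneDX document the scan produces is what auditors and downstream tooling consume. As an added example (not DerScanner's code or output), the script below parses a constructed CycloneDX 1.5 JSON SBOM for a hypothetical Delphi project, builds the component inventory, and flags the two gaps a reviewer would chase first: components without a version (which cannot be matched against CVE data) and components without a declared license. All component names and versions are made up.

```python
import json

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM of the kind an SCA tool
# would emit for a Delphi project. Component names and versions are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "InventoryApp", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "ExampleJsonLib", "version": "2.1.4",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "ExampleGridPack", "version": "9.0",
         "licenses": [{"license": {"name": "Commercial"}}]},
        {"type": "library", "name": "VendoredHelperUnit"},  # no version, no license
    ],
})


def load_cyclonedx(text):
    """Parse a CycloneDX JSON document, rejecting anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return bom


def audit_components(bom):
    """Return the inventory plus the findings an auditor would chase first:
    components with no version and components with no declared license."""
    inventory, no_version, no_license = [], [], []
    for comp in bom.get("components", []):
        name = comp["name"]
        version = comp.get("version")
        # A CycloneDX license entry carries either an SPDX id or a free-text name.
        licenses = [lic.get("license", {}).get("id") or lic.get("license", {}).get("name")
                    for lic in comp.get("licenses", [])]
        inventory.append((name, version, licenses))
        if not version:
            no_version.append(name)
        if not licenses:
            no_license.append(name)
    return {"inventory": inventory, "no_version": no_version, "no_license": no_license}


if __name__ == "__main__":
    report = audit_components(load_cyclonedx(SAMPLE_SBOM))
    for name, version, licenses in report["inventory"]:
        print(f"{name:22} {version or '<unknown>':10} {', '.join(licenses) or '<none>'}")
    print("unversioned:", report["no_version"])
    print("unlicensed:", report["no_license"])
```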

Delphi SBOM by DerScanner

Supply Chain Security Included

While we continue expanding full SCA coverage for Delphi, Supply Chain Security is already active. This means that potential supply chain threats are continuously monitored and you’ll be notified if risks are detected.

Security is about timely action.

Delphi, Meet Modern Security

This release is another step in our mission to support real-world development ecosystems with practical, compliance-ready security tooling. Delphi and RAD Studio developers can now generate SBOMs with confidence and without friction.

If you’re already using DerScanner, try it today. If not — now’s a great time to see how effortless compliance can be :)

See DerScanner SCA in Action

Watch how DerScanner simplifies SBOM management and helps detect supply chain risks through Software Composition Analysis. Also learn with Ian Barker and Valerie Kim how to navigate complex dependency trees, identify vulnerabilities, and get actionable remediation advice:

Frequently Asked Questions

What is Software Composition Analysis (SCA)?

Software Composition Analysis is a security practice that identifies all third-party and open-source components in your application, checks them for known vulnerabilities (CVEs), analyzes license compliance, and generates a Software Bill of Materials (SBOM). It helps organizations understand and manage risks in their software supply chain.

Why do Delphi developers need SCA?

Delphi applications often include third-party components, libraries, and packages that can contain security vulnerabilities or licensing issues. Until now, there was no dedicated SCA tool for Delphi — developers had to rely on manual audits or incomplete solutions that couldn't parse Delphi code natively.

What is an SBOM and why is it required?

A Software Bill of Materials (SBOM) is a complete inventory of all components in your software — similar to an ingredients list for food products. Regulations like the EU Cyber Resilience Act (CRA) and U.S. Executive Order 14028 now require SBOMs for software sold to government agencies and critical infrastructure operators.

Does DerScanner SCA work with GetIt packages?

Yes, DerScanner Delphi SCA can identify components installed via GetIt Package Manager, as well as manually added libraries, third-party commercial components, and open-source packages embedded in your Delphi projects.

What file formats does DerScanner support for SBOM export?

DerScanner generates SBOMs in standard formats including CycloneDX and SPDX, which are accepted by compliance auditors and integrate with other security tools in your DevSecOps pipeline.

Can I use DerScanner SCA for legacy Delphi projects?

Yes, DerScanner analyzes both legacy VCL applications and modern FMX projects across all supported Delphi versions. This helps you understand the component landscape of older codebases that may have accumulated dependencies over many years.

How does Delphi SCA fit with DerScanner's other tools?

DerScanner provides a complete Delphi security suite: SAST for vulnerability detection in your own code, Code Quality Analysis for maintainability, SBOM generation for compliance, and now SCA for third-party component analysis — all with native Delphi parsing built in partnership with Embarcadero.
