Software Composition Analysis (SCA) Tool
DerScanner's Software Composition Analysis tool scans your codebase for vulnerable packages, license risks, and supply chain threats – automatically generating SBOMs and scoring package health.


DerScanner is named a notable vendor by Forrester in The Software Composition Analysis Landscape Report Q2 2024
What Is Software Composition Analysis (SCA)?
Software composition analysis (SCA) is a method for identifying open source and third-party components in a codebase and checking them against vulnerability databases. SCA tools detect known CVEs in direct and transitive dependencies, flag license compliance risks, and generate Software Bills of Materials (SBOMs) – structured inventories of every component in the application.
As software supply chain attacks grow more frequent, SCA has become a required practice under regulations like Executive Order 14028, the EU Cyber Resilience Act, and PCI DSS 4.0.1. DerScanner's software composition analysis scores package health, detects supply chain attack patterns (typosquatting, MavenGate, starjacking), and uses hybrid SCA+SAST reachability analysis to confirm whether a vulnerability is actually exploitable in the code.
Core Capabilities of DerScanner SCA
Simple SBOM Generation
DerScanner automatically generates SBOMs in CycloneDX format from source code for JavaScript/TypeScript, PHP, Python, Ruby, C#, C/C++, Go, Java/Kotlin/Scala, Rust, Swift, and Erlang. The output is ready to share with customers and auditors directly.

Dependency Tree Visualization
DerScanner's Dependency Tree Graph maps a project's dependency structure visually, highlighting where vulnerable packages sit.
Easily trace risks from transitive dependencies back to the direct packages that pull them in.

Mitigate Supply Chain Risks with Package Health Scoring
DerScanner's health scoring combines 8 security metrics into a single score. It tracks maintenance activity, contributor patterns, known vulnerabilities, and supply chain attack signals – typosquatting, MavenGate exploitation, and starjacking attempts. The result is a clear risk/reward assessment for every package in a dependency tree.

Hybrid SCA+SAST Analysis for Precise Vulnerability Detection
DerScanner's hybrid mode combines software composition analysis with static analysis to confirm whether a CVE is actually reachable.
It identifies vulnerable imports and function calls, constructs a call graph linking transitive dependencies to your main code, and proves or disproves exploitability.
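To illustrate the reachability idea, here is an added example (not DerScanner's engine) that walks a Python call graph from the entry point and reports whether an imported vulnerable dependency API is actually reached. The module `yaml_lib`, its function `unsafe_load`, and both application sources are constructed placeholders, not a real advisory.

```python
import ast

# Constructed vulnerable-API list of (module, function) pairs; placeholder names, not a real advisory.
VULNERABLE_CALLS = {("yaml_lib", "unsafe_load")}

class CallGraph(ast.NodeVisitor):
    """Record which local functions and which dependency APIs each function calls."""
    def __init__(self):
        self.aliases, self.calls, self.deps, self.cur = {}, {"<module>": set()}, {"<module>": set()}, "<module>"
    def visit_Import(self, node):
        for a in node.names: self.aliases[a.asname or a.name] = (a.name, None)
    def visit_ImportFrom(self, node):
        for a in node.names: self.aliases[a.asname or a.name] = (node.module, a.name)
    def visit_FunctionDef(self, node):
        prev, self.cur = self.cur, node.name
        self.calls.setdefault(node.name, set()); self.deps.setdefault(node.name, set())
        self.generic_visit(node); self.cur = prev
    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Name) and f.id in self.aliases:          # from dep import fn; fn()
            self.deps[self.cur].add(self.aliases[f.id])
        elif isinstance(f, ast.Name):                                  # call to a local helper
            self.calls[self.cur].add(f.id)
        elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in self.aliases:
            self.deps[self.cur].add((self.aliases[f.value.id][0], f.attr))   # import dep; dep.fn()
        self.generic_visit(node)

def reachable_vulns(source, entry="main"):
    """Depth-first walk from `entry`; return [(call path, (module, function))] for vulnerable calls reached."""
    g = CallGraph(); g.visit(ast.parse(source))
    hits, seen, stack = [], set(), [(entry, [entry])]
    while stack:
        fn, path = stack.pop()
        if fn in seen or fn not in g.calls: continue
        seen.add(fn)
        hits += [(path, d) for d in g.deps[fn] if d in VULNERABLE_CALLS]
        stack += [(c, path + [c]) for c in g.calls[fn]]
    return hits

# Constructed app: unsafe_load is imported and called, but only from a helper main() never reaches.
UNREACHABLE_APP = """
from yaml_lib import unsafe_load, safe_load
def legacy(data): return unsafe_load(data)
def load(data): return safe_load(data)
def main(): return load("a: 1")
"""
# Same app, but load() now routes through legacy(): the vulnerable call is reachable from main().
REACHABLE_APP = UNREACHABLE_APP.replace("return safe_load(data)", "return legacy(data)")

if __name__ == "__main__":
    print("unreachable:", reachable_vulns(UNREACHABLE_APP))
    print("reachable:  ", reachable_vulns(REACHABLE_APP))
```

A plain SCA scan reports the CVE in both cases; only the call-graph walk distinguishes the dead-code import from the live path.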

CVE Detection & Dependency Scanning
Cross-references packages against NVD, GitHub Security Advisories, and proprietary databases. Maps the full dependency tree, identifying exactly where vulnerable packages sit. The SCA scanning tool covers transitive dependencies that manual reviews miss.
Package Health Scoring
Proprietary multi-factor score that assesses security and reliability of each open-source package. Evaluates 8 metrics including maintenance activity, known vulnerabilities, and supply chain attack indicators (typosquatting, MavenGate, starjacking). Helps you decide whether to use, replace, or monitor a dependency.
How DerScanner SCA Works
DerScanner automates the entire software composition analysis process, from code upload to remediation guidance.
Upload or Connect
Upload your project source code or connect your GitHub, GitLab, or CI/CD repository. DerScanner also accepts pre-built SBOM files in CycloneDX format.
Automated Discovery
DerScanner scans manifest files and lock files to discover all direct and transitive dependencies across your project.
CVE Correlation
Each dependency is cross-referenced against NVD, GitHub Security Advisories, MITRE CWE, and proprietary databases to identify known vulnerabilities.
Supply Chain Analysis
License compliance analysis flags GPL, AGPL, and other copyleft risks. Supply chain analysis scores package health and detects attack patterns.
SBOM & Remediation
DerScanner generates SBOM files, package health scores, and remediation guidance. Reports are available in PDF, HTML, CSV, and JSON formats for auditors and developers.
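To make the pipeline above concrete, here is an added example (not DerScanner's code) that walks a constructed package-lock.json-style map from direct to transitive dependencies, correlates each package against a constructed advisory list with placeholder ids, flags copyleft licenses, and emits a CycloneDX 1.5 JSON SBOM with a vulnerabilities section. All package names, versions and advisory ids are invented for the demonstration.

```python
import json

# Constructed inventory shaped like the "packages" map of a package-lock.json (v3); "" is the root project.
LOCK = {
    "": {"name": "demo-app", "version": "1.0.0", "dependencies": {"web-fw": "2.1.0", "yaml-lib": "1.4.0"}},
    "node_modules/web-fw": {"version": "2.1.0", "license": "MIT", "dependencies": {"qs-parse": "6.0.1"}},
    "node_modules/qs-parse": {"version": "6.0.1", "license": "BSD-3-Clause"},
    "node_modules/yaml-lib": {"version": "1.4.0", "license": "AGPL-3.0"},
}
# Constructed advisories keyed by (name, version); the id is a placeholder, not a real CVE.
ADVISORIES = {("qs-parse", "6.0.1"): "CVE-XXXX-PLACEHOLDER"}
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-3.0"}

def purl(name, version):
    return f"pkg:npm/{name}@{version}"   # package URL used as the bom-ref

def discover(lock):
    """Breadth-first walk from the root: {name: (version, license, depth, direct dependency it came via)}."""
    found, queue = {}, [(dep, 1, dep) for dep in lock[""]["dependencies"]]
    while queue:
        name, depth, via = queue.pop(0)
        if name in found: continue
        entry = lock[f"node_modules/{name}"]
        found[name] = (entry["version"], entry.get("license", "UNKNOWN"), depth, via)
        queue += [(child, depth + 1, via) for child in entry.get("dependencies", {})]
    return found

def build_sbom(lock, advisories=ADVISORIES):
    """Emit a CycloneDX 1.5 document: components, dependency graph and correlated vulnerabilities."""
    deps, root = discover(lock), lock[""]
    root_ref = purl(root["name"], root["version"])
    components = [{"type": "library", "bom-ref": purl(n, v), "name": n, "version": v, "purl": purl(n, v),
                   "licenses": [{"license": {"id": lic}}]} for n, (v, lic, _, _) in deps.items()]
    graph = [{"ref": root_ref, "dependsOn": [purl(d, deps[d][0]) for d in root["dependencies"]]}]
    for n, (v, _, _, _) in deps.items():
        kids = lock[f"node_modules/{n}"].get("dependencies", {})
        graph.append({"ref": purl(n, v), "dependsOn": [purl(k, deps[k][0]) for k in kids]})
    vulns = [{"id": advisories[(n, v)], "affects": [{"ref": purl(n, v)}],
              "properties": [{"name": "depth", "value": str(depth)}, {"name": "via", "value": via}]}
             for n, (v, _, depth, via) in deps.items() if (n, v) in advisories]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                       "name": root["name"], "version": root["version"]}},
            "components": components, "dependencies": graph, "vulnerabilities": vulns}

def copyleft_findings(lock):
    """Names of dependencies whose declared license is on the copyleft watch list."""
    return sorted(n for n, (_, lic, _, _) in discover(lock).items() if lic in COPYLEFT)

if __name__ == "__main__":
    print(json.dumps(build_sbom(LOCK), indent=2))
    print("copyleft:", copyleft_findings(LOCK))
```

The `depth` and `via` properties on each vulnerability are what let a reviewer trace a transitive finding back to the direct dependency that introduced it.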

Plus, with our free service at HealthyPackage.ai, you can quickly vet the packages for your project and ensure they're safe to use.
SBOM Compliance – Meet Regulatory Requirements
Compliance with software supply chain regulations is mandatory now. All of them require organizations to know exactly what is inside their software and to track vulnerabilities across the entire supply chain on an ongoing basis. Most SCA tools cover only a handful of mainstream language ecosystems and stop at direct dependencies.
DerScanner generates CycloneDX SBOMs for 12+ language ecosystems, maps the full dependency tree (direct and transitive), correlates findings against multiple CVE databases, and produces audit-ready reports in PDF, HTML, JSON, and CSV. One scan covers the requirements of every regulation listed below.
US Executive Order 14028
Requires SBOMs for software sold to US federal agencies. DerScanner generates CycloneDX SBOMs automatically on every scan, ready for procurement compliance reviews.
EU Cyber Resilience Act (CRA)
Mandates SBOM documentation for digital products sold in the EU. Vulnerability reporting starts September 2026; full compliance by December 2027. Fines reach 2.5% of global turnover.
DORA (Digital Operational Resilience Act)
Applies to EU financial entities since January 2025. Requires tracking all third-party libraries including open source. Fines reach 2% of global turnover for non-compliance.
HIPAA
Healthcare organizations must manage software supply chain risks for patient data systems. DerScanner documents which components are in use and their vulnerability status for audit assessments.
PCI DSS 4.0.1
Fully mandatory since March 2025. Requires inventories of all software components in custom code (Requirement 6.3.2). DerScanner generates the SBOM that satisfies this requirement.
SOC 2 Type II
Requires vendor risk and third-party component controls. DerScanner's package health scoring and SBOM generation provide the artifact trail SOC 2 audits demand each year.
NIS2 Directive
EU cybersecurity law for essential and important entities. Member states transposed NIS2 into national law in October 2024. Requires supply chain security and vulnerability handling – SBOMs are the practical way to evidence both.
Approved by industry leaders
- The Static Application Security Testing Landscape, Q2 2023
- The Software Composition Analysis Landscape, Q2 2024
- The Static Application Security Testing Solutions Landscape, Q2 2025
Why Your Team Needs DerScanner SCA
Modern software relies on open-source and third-party components. This requires visibility into what enters the codebase, which vulnerabilities it carries, and whether it meets licensing and governance requirements.
DerScanner SCA continuously scans dependencies, prioritizes findings, speeds up remediation, enforces compliance policies, and produces audit-ready SBOMs. That's how you shift supply chain security left with dependency management made easy.
DevSecOps Teams
Ship code fast without letting vulnerable dependencies slip into production. No manual security gates that slow down CI/CD and frustrate developers.
Security Engineers
Gain visibility into the software supply chain and separate critical third-party risks from noise, especially when facing modern attacks like malicious packages and registry compromises.
Compliance & Legal Teams
Be sure that every open-source component meets licensing requirements and prove regulatory adherence to auditors, without manually tracking hundreds of dependencies across spreadsheets.