SCA overview

What is Invicti SCA?

Invicti SCA (Software Composition Analysis) identifies and catalogs open-source components used in your applications, then checks them against vulnerability databases to find known security risks. It scans both direct and transitive dependencies, tracing risks through the full dependency chain so that vulnerabilities buried multiple layers deep aren't missed.

How it works

Invicti SCA scans your repositories to detect known vulnerabilities (CVEs) in open-source libraries and third-party dependencies. The scanning process includes:

  • Dependency discovery: identifies all direct and transitive dependencies in your project.
  • Vulnerability matching: compares discovered components against databases such as the NVD and GitHub Security Advisories.
  • License analysis: flags risky open-source licenses (such as copyleft or GPL variants) that could create compliance issues.
  • SBOM generation: produces Software Bills of Materials in industry-standard CycloneDX and SPDX formats.
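The following is an added illustration of the first three steps above (not Invicti's code): it walks a small constructed CycloneDX-style SBOM from the application root, records the dependency chain for each component so transitive risks are not lost, and matches each component against a constructed advisory feed and a copyleft license list. All package names, versions and advisory identifiers are invented.

```python
from collections import deque

COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only"}

# Constructed CycloneDX-style SBOM (components + dependencies graph); names and versions invented.
SBOM = {
    "metadata": {"component": {"bom-ref": "app", "name": "shop-app"}},
    "components": [
        {"bom-ref": "pkg:npm/webfw@4.1.0", "name": "webfw", "version": "4.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/qparse@6.5.2", "name": "qparse", "version": "6.5.2",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"bom-ref": "pkg:npm/gpl-util@2.0.0", "name": "gpl-util", "version": "2.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/webfw@4.1.0", "pkg:npm/gpl-util@2.0.0"]},
        {"ref": "pkg:npm/webfw@4.1.0", "dependsOn": ["pkg:npm/qparse@6.5.2"]},
    ],
}
# Constructed advisory feed: (advisory id, package name, first fixed version).
ADVISORIES = [("ADV-0001-constructed", "qparse", "6.5.3")]

def parse_version(v):
    # Plain dotted-integer versions only (sufficient for the constructed sample).
    return tuple(int(p) for p in v.split("."))

def dependency_chains(sbom):
    """BFS from the application root; returns {bom-ref: shortest chain of refs from root}."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    chains, queue = {}, deque([(root, [root])])
    while queue:
        ref, chain = queue.popleft()
        for child in graph.get(ref, []):
            if child not in chains:  # first visit is the shortest chain
                chains[child] = chain + [child]
                queue.append((child, chains[child]))
    return chains

def analyze(sbom, advisories):
    """Return vulnerability and license findings, each tagged direct/transitive with its chain."""
    findings, chains = [], dependency_chains(sbom)
    for c in sbom["components"]:
        chain = chains.get(c["bom-ref"], [])
        scope = "direct" if len(chain) == 2 else "transitive"
        for adv_id, name, fixed in advisories:
            if c["name"] == name and parse_version(c["version"]) < parse_version(fixed):
                findings.append({"type": "cve", "id": adv_id, "component": c["name"], "scope": scope, "chain": chain})
        for lic in c.get("licenses", []):
            if lic.get("license", {}).get("id") in COPYLEFT:
                findings.append({"type": "license", "id": lic["license"]["id"], "component": c["name"], "scope": scope, "chain": chain})
    return findings
```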

What it can discover

Invicti SCA detects risks across the following categories:

  • Known vulnerabilities (CVEs): security flaws in open-source libraries, outdated packages with published exploits.
  • Transitive dependency risks: vulnerabilities in indirect dependencies inherited through the dependency chain.
  • License risks: copyleft licenses, GPL variants, and other licenses that may conflict with your organization's policies.
  • Outdated components: libraries and frameworks that are no longer maintained or have fallen behind on security patches.

Proof-based validation

When a CVE flagged by SCA is detected as reachable and exploitable, Invicti can use proof-based scanning (via its DAST engine) to safely demonstrate that an attack is possible. This correlation between static dependency analysis and dynamic runtime testing helps teams prioritize the vulnerabilities that pose real risk.

Invicti SCA editions

For Invicti ASPM, supported third-party SCA tools include Snyk, Mend, Dependabot, and others. See Third-party scanners overview for the full list.