SCA

Software Composition Analysis (SCA) identifies and assesses security risks hidden inside the open-source libraries, third-party packages, and external dependencies that your application is built on — before those risks reach production.

Modern applications draw heavily from open-source components. When any one of those components carries a known vulnerability — such as Log4Shell, OpenSSL, or a compromised GitHub Action — every application using it is exposed. SCA solves this by continuously scanning your dependency tree, flagging vulnerabilities with severity context, checking license compliance, and feeding results into the unified Delivery Shield security posture view.

OpsMx Delivery Shield is powered by leading open-source vulnerability scanners, Trivy and Grype, to give insight into the security posture of open-source and third-party libraries and dependencies. Developers and security teams can identify vulnerabilities and license issues across the software supply chain and strengthen application security.

How SCA Works in OpsMx Delivery Shield

When a scan is triggered — via a pipeline stage, scheduled scan, or ad hoc request — Delivery Shield:

  1. Discovers all open-source libraries, packages, and dependencies in the target — including transitive dependencies

  2. Scans using Trivy and Grype against multiple vulnerability intelligence databases

  3. Scores findings by severity (Critical, High, Medium, Low) using CVSS scoring

  4. Evaluates license compliance against your organization's policy

  5. Reports results across three locations in the dashboard — the Vulnerability Management page, the Artifact section of the DBOM page, and the View Open Security Issues page

  6. Calculates the overall security status of the image and application using Grype scan results

  7. Triggers AI-powered remediation suggestions or automated pull requests where configured

Delivery Shield also triggers periodic vulnerability scans on deployed images — not just at build time — ensuring your production environment stays continuously evaluated as new CVEs are published.
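The discovery, scanning, scoring and status steps above all hinge on one thing: reports from two different scanners have to be normalized into a single list of findings before they can be counted or turned into an overall status. The block below is an added example, not OpsMx or scanner code; it parses constructed Trivy and Grype JSON reports (field names follow this example's reading of each scanner's JSON output, which is an assumption, and the CVE ids are placeholders), deduplicates findings the two scanners both report, counts them per severity bucket and derives the worst-severity status described in step 6.

```python
import json
from dataclasses import dataclass

# Severity order used to rank findings and derive an overall status
# (steps 3 and 6 above). UNKNOWN sorts lowest but is never dropped.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


@dataclass(frozen=True)
class Finding:
    scanner: str
    cve: str
    package: str
    installed: str
    fixed: str       # empty when no fix version is known
    severity: str    # upper-cased so both scanners compare equal


# Constructed sample reports. Field names follow this example's reading of the
# Trivy and Grype JSON formats (an assumption); CVE ids are placeholders.
TRIVY_SAMPLE = json.dumps({
    "Results": [{
        "Target": "registry.example.test/app:1.0 (alpine 3.18)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
             "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
             "InstalledVersion": "1.35.0", "FixedVersion": "",
             "Severity": "medium"},
        ],
    }],
})

GRYPE_SAMPLE = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["3.0.2"], "state": "fixed"}},
         "artifact": {"name": "openssl", "version": "3.0.1"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "log4j-core", "version": "2.14.1"}},
    ],
})


def _norm_severity(value):
    sev = (value or "UNKNOWN").upper()
    return sev if sev in SEVERITY_RANK else "UNKNOWN"


def parse_trivy(report):
    """Flatten Trivy's per-target result blocks into Finding records."""
    out = []
    for result in json.loads(report).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding("trivy", v["VulnerabilityID"], v["PkgName"],
                               v.get("InstalledVersion", ""),
                               v.get("FixedVersion", ""),
                               _norm_severity(v.get("Severity"))))
    return out


def parse_grype(report):
    """Flatten Grype's match list into Finding records."""
    out = []
    for m in json.loads(report).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        versions = vuln.get("fix", {}).get("versions") or []
        out.append(Finding("grype", vuln["id"], art["name"], art.get("version", ""),
                           versions[0] if versions else "",
                           _norm_severity(vuln.get("severity"))))
    return out


def merge(*finding_lists):
    """Deduplicate on (cve, package): a CVE both scanners report counts once.
    If the scanners disagree on severity, the higher rating is kept."""
    best = {}
    for f in (f for lst in finding_lists for f in lst):
        key = (f.cve, f.package)
        if key not in best or SEVERITY_RANK[f.severity] > SEVERITY_RANK[best[key].severity]:
            best[key] = f
    return sorted(best.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.cve))


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def overall_status(findings):
    """Step 6: the worst severity present becomes the image's status;
    an empty finding list is reported as CLEAN."""
    if not findings:
        return "CLEAN"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


if __name__ == "__main__":
    merged = merge(parse_trivy(TRIVY_SAMPLE), parse_grype(GRYPE_SAMPLE))
    for f in merged:
        print(f"{f.severity:<8} {f.cve} {f.package}@{f.installed} fix={f.fixed or '-'}")
    print(count_by_severity(merged), overall_status(merged))
```

Two details matter in practice: severities are upper-cased before comparison because the scanners do not spell them the same way, and an unrecognised severity is kept as UNKNOWN rather than discarded, so a scanner-side change never silently shrinks the finding list. The page states that Delivery Shield derives the image status from Grype results; the function above is generic and can be applied to the Grype list alone or to the merged list.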

What SCA Scans

SCA in Delivery Shield provides comprehensive coverage across the ecosystem — container images, file systems, Git repositories, and Infrastructure as Code (IaC).

| Scan Target | Description |
| --- | --- |
| Container Images | Scans all layers of a container image for vulnerable OS packages and application dependencies |
| Git Repositories | Scans source code repositories for open-source dependency vulnerabilities |
| File Systems | Scans build artifacts and file systems for dependency risks |
| Infrastructure as Code (IaC) | Identifies vulnerable dependencies and misconfigurations in IaC configurations |
| AI-Generated Code | Scans dependencies introduced by AI code generation platforms for known vulnerabilities |

Key Capabilities

Automated Scanning in CI/CD

Delivery Shield integrates into CI/CD pipelines and automatically scans for vulnerabilities, enforcing compliance policies during development and build stages. Findings are prioritized and remediated on the basis of risk severity.

Continuous Deployed Image Monitoring

Beyond build-time scans, Delivery Shield also triggers periodic vulnerability scans on deployed images — so newly published CVEs are caught even on already-running workloads, without waiting for the next pipeline run.

License Compliance Enforcement

OpsMx Delivery Shield ensures that all open-source components comply with your organization's licensing policies, preventing legal complications. Automating license verification improves developer productivity and catches issues that may be missed by manual reviews.

Real-Time PR & Merge Gate Security

During pull requests, Delivery Shield provides real-time feedback that helps reviewers identify potential security risks and ensures only secure code is approved and merged. At merge time, Delivery Shield checks that code being merged into the main branch meets your organization's security standards.

SBOM Generation & Import

SSD imports SBOMs generated by Trivy and analyzes them to identify supply chain security issues. SBOM outputs are available in CycloneDX and SPDX formats for compliance and audit submissions.
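The license-compliance and SBOM-import capabilities above are two halves of one workflow: the SBOM names each component and its declared license, and the policy decides whether that license is acceptable. The block below is an added example, not Delivery Shield's importer or policy engine; it reads constructed CycloneDX and SPDX JSON documents (field names follow this example's reading of the CycloneDX 1.5 and SPDX 2.3 JSON schemas, an assumption, and the components are invented), normalizes them into one component list and classifies each component against a hypothetical allow/deny license policy.

```python
import json

# Constructed minimal SBOMs in both formats the page names. Components and
# licenses are invented for the example.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "somegpl", "version": "1.0",
         "purl": "pkg:pypi/somegpl@1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery", "version": "0.1",
         "purl": "pkg:pypi/mystery@0.1"},   # no license declared at all
    ],
})

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "left-pad", "versionInfo": "1.3.0", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
        {"name": "weird-lib", "versionInfo": "2.0",
         "licenseConcluded": "NOASSERTION", "externalRefs": []},
    ],
})

# Hypothetical organisation policy: explicit allow and deny lists; anything
# else (including an undeclared license) is routed to human review.
LICENSE_POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only"},
}


def load_sbom(text):
    """Detect the SBOM format and return (name, version, purl, license) tuples."""
    doc = json.loads(text)
    comps = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            lic = next((entry["license"].get("id") or entry["license"].get("name")
                        for entry in c.get("licenses", []) if "license" in entry), None)
            comps.append((c["name"], c.get("version", ""), c.get("purl", ""), lic))
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), "")
            lic = p.get("licenseConcluded")
            if lic in (None, "NOASSERTION", "NONE"):   # SPDX spellings of "unknown"
                lic = None
            comps.append((p["name"], p.get("versionInfo", ""), purl, lic))
    else:
        raise ValueError("unrecognised SBOM format")
    return comps


def check_licenses(components, policy):
    """Classify each component as 'ok', 'denied' or 'review'. An undeclared
    license is surfaced for review rather than silently passed."""
    verdicts = []
    for name, version, purl, lic in components:
        if lic is None:
            status = "review"
        elif lic in policy["denied"]:
            status = "denied"
        elif lic in policy["allowed"]:
            status = "ok"
        else:
            status = "review"
        verdicts.append({"component": purl or f"{name}@{version}",
                         "license": lic, "status": status})
    return verdicts


def violations(verdicts):
    """Everything that is not an outright pass, for the compliance report."""
    return [v for v in verdicts if v["status"] != "ok"]


if __name__ == "__main__":
    comps = load_sbom(CYCLONEDX_SAMPLE) + load_sbom(SPDX_SAMPLE)
    for v in violations(check_licenses(comps, LICENSE_POLICY)):
        print(f"{v['status']:<7} {v['component']} license={v['license']}")
```

The classification is deliberately three-valued. A two-valued allow/deny check treats an unknown or undeclared license as a pass, which is exactly the kind of gap the page says manual review tends to miss; routing it to review keeps the automation honest without blocking on every unfamiliar SPDX identifier.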

Policy-Based Deployment Blocking

Delivery Shield's SCA flags usage of vulnerable dependencies in real time, preventing workflows from unknowingly executing malicious or vulnerable code. Combined with the Policy Engine (OPA), high-severity findings can automatically block a release from proceeding.
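A release gate is only as good as its edge cases: what happens to a finding with no fix version, to a risk the team has formally accepted, or to an exception that expired last quarter. The block below is an added example, not OpsMx's OPA Policy Engine; it expresses in Python the decision an OPA/Rego policy of this kind would encode, over constructed findings in a normalized shape and a hypothetical policy with time-boxed exceptions. CVE ids are placeholders.

```python
from datetime import date

# Constructed findings in the normalized shape an SCA scan would hand to the gate.
FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "openssl", "severity": "CRITICAL", "fixed": "3.0.2"},
    {"cve": "CVE-0000-0003", "package": "log4j-core", "severity": "HIGH", "fixed": ""},
    {"cve": "CVE-0000-0004", "package": "zlib", "severity": "HIGH", "fixed": "1.3.1"},
    {"cve": "CVE-0000-0002", "package": "busybox", "severity": "MEDIUM", "fixed": ""},
]

# Hypothetical policy: which severities block, whether a finding with no fix
# version still blocks, and time-boxed exceptions keyed by (cve, package).
# UNKNOWN blocks too, so a scanner hiccup fails closed instead of waving the
# release through.
POLICY = {
    "block_severities": {"CRITICAL", "HIGH", "UNKNOWN"},
    "require_fix_to_block": False,
    "exceptions": {
        ("CVE-0000-0001", "openssl"): date(2099, 1, 1),  # accepted risk, not yet expired
        ("CVE-0000-0004", "zlib"): date(2020, 1, 1),     # expired: must block again
    },
}


def exception_active(policy, finding, today):
    """An exception only suppresses a finding until its expiry date."""
    expiry = policy["exceptions"].get((finding["cve"], finding["package"]))
    return expiry is not None and today <= expiry


def evaluate_gate(findings, policy, today):
    """Return a decision dict: allowed flag, the findings that blocked, and a
    human-readable reason per blocker for the pipeline log."""
    blockers, reasons = [], []
    for f in findings:
        sev = f.get("severity", "UNKNOWN").upper()
        if sev not in policy["block_severities"]:
            continue
        if policy["require_fix_to_block"] and not f.get("fixed"):
            continue
        if exception_active(policy, f, today):
            continue
        blockers.append(f)
        fix = (f"upgrade to {f['fixed']}" if f.get("fixed")
               else "no fix version; replace or mitigate")
        reasons.append(f"{f['cve']} in {f['package']} ({sev}): {fix}")
    return {"allowed": not blockers, "blockers": blockers, "reasons": reasons}


if __name__ == "__main__":
    decision = evaluate_gate(FINDINGS, POLICY, date.today())
    print("RELEASE ALLOWED" if decision["allowed"] else "RELEASE BLOCKED")
    for r in decision["reasons"]:
        print("  -", r)
```

The `require_fix_to_block` switch is the setting to think hardest about. Turning it on keeps pipelines green when a finding cannot be patched yet, but it also means an unfixable critical ships by default; the safer posture is to leave it off and record a dated exception when the risk has actually been reviewed.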

Viewing SCA Results

SCA scan results can be viewed in the following pages within Delivery Shield:

  • Vulnerability Management page — full findings list with severity, CVE ID, package, and fix version

  • Artifact section of the DBOM page — dependency and artifact-level risk tied to the delivery record

  • View Open Security Issues page — live issues requiring action, prioritized by risk

From any of these views, drill into individual findings to see the affected package, version, CVE details, CVSS score, and recommended fix version. Track remediation status across environments from the centralized view.

Remediation

When SCA vulnerabilities are detected, Delivery Shield provides:

  • Inline fix guidance per finding — recommended upgrade version with context

  • AI-powered remediation suggestions — alternative libraries where a fix version is unavailable

  • Automated pull requests — apply dependency upgrades directly in the repository

  • Prioritization by exploitability — focus on vulnerabilities that are reachable in your specific application, not just CVSS score alone
