> For the complete documentation index, see [llms.txt](https://docs.opsmx.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.opsmx.com/code-to-cloud-security-and-scanners/code-security/sca.md).

# SCA

Software Composition Analysis (SCA) identifies and assesses security risks hidden inside the **open-source libraries, third-party packages, and external dependencies** that your application is built on — before those risks reach production.

Modern applications draw heavily from open-source components. When one of those components carries a known vulnerability (Log4Shell in Log4j, a flaw in OpenSSL) or is itself compromised (a tampered GitHub Action), every application that uses it is exposed. SCA addresses this by continuously scanning your dependency tree, flagging vulnerabilities with severity context, checking license compliance, and feeding results into the unified Delivery Shield security posture view.

OpsMx Delivery Shield uses the open-source vulnerability scanners Trivy and Grype to assess the security posture of open-source and third-party libraries and dependencies, so developers and security teams can identify vulnerabilities and license issues across the software supply chain.

## How SCA Works in OpsMx Delivery Shield

When a scan is triggered — via a pipeline stage, scheduled scan, or ad hoc request — Delivery Shield:

1. **Discovers** all open-source libraries, packages, and dependencies in the target — including transitive dependencies
2. **Scans** using Trivy and Grype against multiple vulnerability intelligence databases
3. **Scores** findings by severity (Critical, High, Medium, Low) based on their CVSS scores
4. **Evaluates** license compliance against your organization's policy
5. **Reports** results across three locations in the dashboard — the **Vulnerability Management page**, the **Artifact section of the DBOM page**, and the **View Open Security Issues page**
6. **Calculates** the overall security status of the image and application using Grype scan results
7. **Triggers** AI-powered remediation suggestions or automated pull requests where configured

Delivery Shield also triggers periodic vulnerability scans on deployed images — not just at build time — ensuring your production environment stays continuously evaluated as new CVEs are published.

## What SCA Scans

SCA in Delivery Shield covers container images, Git repositories, file systems, Infrastructure as Code (IaC), and dependencies introduced by AI-generated code.

| Scan Target                      | Description                                                                                   |
| -------------------------------- | --------------------------------------------------------------------------------------------- |
| **Container Images**             | Scans all layers of a container image for vulnerable OS packages and application dependencies |
| **Git Repositories**             | Scans source code repositories for open-source dependency vulnerabilities                     |
| **File Systems**                 | Scans build artifacts and file systems for dependency risks                                   |
| **Infrastructure as Code (IaC)** | Identifies vulnerable dependencies and misconfigurations in IaC configurations                |
| **AI-Generated Code**            | Scans dependencies introduced by AI code generation platforms for known vulnerabilities       |

## Key Capabilities

**Automated Scanning in CI/CD**

Delivery Shield integrates into CI/CD pipelines and automatically scans for vulnerabilities, enforcing compliance policies during the development and build stages. Findings are prioritized for remediation by risk severity.

**Continuous Deployed Image Monitoring**

Beyond build-time scans, Delivery Shield also triggers periodic vulnerability scans on deployed images, so newly published CVEs are caught even on already-running workloads, without waiting for the next pipeline run.
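Why a rescan of an unchanged image is still useful is easiest to see by diffing it against the findings recorded at deploy time. The following is an added example, not OpsMx code: both snapshots are constructed, the CVE identifiers are placeholders, and the severity ranking and alert threshold are assumptions. Because the image digest is the same in both scans, every difference comes from the vulnerability databases rather than from the artifact: a CVE published after deployment, a withdrawn advisory, or a severity that was re-scored.

```python
"""Diff a periodic rescan of a deployed image against its deploy-time baseline
(added example, not OpsMx code; snapshots are constructed, CVE IDs are placeholders).
"""
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Snapshot key: (cve, package, installed version) -> severity, for one image digest.
BASELINE_AT_DEPLOY = {
    ("CVE-0000-3001", "libexample2", "2.1.0-1"): "MEDIUM",
    ("CVE-0000-3002", "examplehttp", "1.0.4"): "LOW",
}
RESCAN_TWO_WEEKS_LATER = {
    ("CVE-0000-3001", "libexample2", "2.1.0-1"): "HIGH",      # re-scored upward
    ("CVE-0000-3003", "libexample2", "2.1.0-1"): "CRITICAL",  # published after deploy
    # CVE-0000-3002 is absent: withdrawn advisory or corrected affected range
}


def diff_scans(baseline, rescan):
    """Return (new, resolved, escalated): findings absent from the baseline,
    findings no longer reported, and findings whose severity rose."""
    new = {k: s for k, s in rescan.items() if k not in baseline}
    resolved = {k: s for k, s in baseline.items() if k not in rescan}
    escalated = {k: (baseline[k], s) for k, s in rescan.items()
                 if k in baseline and SEVERITY_RANK[s] > SEVERITY_RANK[baseline[k]]}
    return new, resolved, escalated


def rescan_alerts(baseline, rescan, threshold="HIGH"):
    """What a periodic scan should page on: anything new or escalated at or above
    threshold. Resolved findings are returned for the record but never alert."""
    new, resolved, escalated = diff_scans(baseline, rescan)
    bar = SEVERITY_RANK[threshold]
    alerts = [f"NEW {k[0]} in {k[1]} {k[2]} ({s})"
              for k, s in new.items() if SEVERITY_RANK[s] >= bar]
    alerts += [f"ESCALATED {k[0]} in {k[1]} {k[2]} ({old} -> {cur})"
               for k, (old, cur) in escalated.items() if SEVERITY_RANK[cur] >= bar]
    return alerts, sorted(k[0] for k in resolved)


if __name__ == "__main__":
    alerts, resolved = rescan_alerts(BASELINE_AT_DEPLOY, RESCAN_TWO_WEEKS_LATER)
    for a in alerts:
        print(a)
    print("resolved since baseline:", resolved)
```

Keying on (CVE, package, installed version) rather than on the CVE alone matters: if the same CVE later shows up against a different package in the same image, that is a new finding, not a duplicate, and the escalation check only compares like with like.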

**License Compliance Enforcement**

OpsMx Delivery Shield checks that all open-source components comply with your organization's licensing policies, preventing legal complications. Automating license verification improves developer productivity and catches issues that manual reviews may miss.

**Real-Time PR & Merge Gate Security**

During pull requests, Delivery Shield gives reviewers real-time feedback on potential security risks. At merge time, it checks that the code entering the main branch meets your organization's security standards, so only code that passes is approved and merged.

**SBOM Generation & Import**

Delivery Shield imports SBOMs generated by Trivy and analyzes them to identify supply chain security issues. SBOM outputs are available in **CycloneDX** and **SPDX** formats for compliance and audit submissions.

**Policy-Based Deployment Blocking**

Delivery Shield's SCA flags vulnerable dependencies as they are introduced, so a pipeline does not unknowingly build or run malicious or vulnerable code. Combined with the Policy Engine (OPA), findings at or above a configured severity can automatically block a release from proceeding.
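The steps under "How SCA Works" (parse scanner output, score by severity and CVSS, evaluate license policy, report) and the policy gate described here can be walked through end to end on a scanner report. The script below is an added example, not OpsMx or Trivy code: the report is constructed in the shape of Trivy's JSON output, its CVE identifiers and package names are placeholders rather than real advisories, and the gate thresholds and the choice of license categories to block are assumptions, not Delivery Shield defaults. The gate returns its reasons worst-first, which is what a reviewer or an OPA policy would want to see.

```python
"""Trivy-report triage and release gate (added example, not OpsMx code).

Walks the flow on this page: parse scanner output, score by severity/CVSS,
check licenses against an org policy, summarise, decide whether to ship.
The report is constructed: CVE IDs and package names are placeholders, and
the policy thresholds are assumptions, not Delivery Shield defaults.
"""
import json
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed report in Trivy's JSON shape: each "Results" entry carries
# "Vulnerabilities" (os-pkgs / lang-pkgs targets) or "Licenses" (license targets).
SAMPLE_TRIVY_JSON = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "registry.example.internal/payments-api:1.4.2",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "payments-api:1.4.2 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-1001", "PkgName": "libexample2", "InstalledVersion": "2.1.0-1",
              "FixedVersion": "2.1.2-1", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
             {"VulnerabilityID": "CVE-0000-1002", "PkgName": "libexample2", "InstalledVersion": "2.1.0-1",
              "FixedVersion": "", "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 5.3}}}]},  # no fix yet
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-2001", "PkgName": "examplehttp", "InstalledVersion": "1.0.0",
              "FixedVersion": "1.0.4", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}}]},
        {"Target": "app/requirements.txt", "Class": "license",
         "Licenses": [{"PkgName": "examplehttp", "Name": "MIT", "Category": "notice", "Severity": "LOW"},
                      {"PkgName": "copyleftkit", "Name": "AGPL-3.0", "Category": "restricted", "Severity": "HIGH"}]},
    ]})


@dataclass(frozen=True)
class Finding:
    target: str
    cve: str
    pkg: str
    installed: str
    fixed: str        # empty when the scanner knows of no fixed version
    severity: str
    cvss: float


def parse_trivy(report_json):
    """Flatten Trivy Results into (findings, license entries)."""
    report = json.loads(report_json)
    findings, licenses = [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            # Highest V3 base score across the sources Trivy reports (nvd, redhat, ...).
            score = max((float(s.get("V3Score") or 0) for s in v.get("CVSS", {}).values()), default=0.0)
            findings.append(Finding(result["Target"], v["VulnerabilityID"], v["PkgName"],
                                    v["InstalledVersion"], v.get("FixedVersion") or "",
                                    v.get("Severity", "UNKNOWN").upper(), score))
        licenses.extend(result.get("Licenses") or [])
    return findings, licenses


def severity_counts(findings):
    """Step 3 of the flow: how many findings at each severity."""
    return Counter(f.severity for f in findings)


def license_violations(licenses, blocked=("forbidden", "restricted")):
    """Step 4: assumed org policy blocks Trivy's 'forbidden' and 'restricted' categories."""
    return [l for l in licenses if l.get("Category") in blocked]


def gate(findings, licenses, block_at="HIGH", require_fix=True):
    """Release gate comparable to an OPA rule: returns (allowed, reasons).
    Blocks on findings at or above block_at (by default only when a fix exists,
    so unfixable findings are reported but do not stall delivery) and on any
    license violation. Reasons are ordered worst-first."""
    reasons = []
    for f in sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], -f.cvss)):
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[block_at] and (f.fixed or not require_fix):
            reasons.append(f"{f.cve} in {f.pkg} {f.installed} [{f.severity} {f.cvss}] fix: {f.fixed or 'none'}")
    for l in license_violations(licenses):
        reasons.append(f"{l['PkgName']} licensed {l['Name']} ({l['Category']})")
    return not reasons, reasons


if __name__ == "__main__":
    findings, licenses = parse_trivy(SAMPLE_TRIVY_JSON)
    print("severity counts:", dict(severity_counts(findings)))
    allowed, reasons = gate(findings, licenses)
    print("release allowed:", allowed)
    for r in reasons:
        print("  blocked by:", r)
```

The `require_fix` switch is the policy decision that matters most in practice: blocking on findings that have no published fix stalls every release until an upstream patch appears, so most teams block only on fixable findings and route the rest to the remediation workflow (alternative library, mitigation, or a documented exception) rather than the gate.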

## Viewing SCA Results

SCA scan results can be viewed in the following pages within Delivery Shield:

* **Vulnerability Management page** — full findings list with severity, CVE ID, package, and fix version
* **Artifact section of the DBOM page** — dependency and artifact-level risk tied to the delivery record
* **View Open Security Issues page** — live issues requiring action, prioritized by risk

From any of these views, drill into individual findings to see the affected package, version, CVE details, CVSS score, and recommended fix version. Track remediation status across environments from the centralized view.

## Remediation

When SCA vulnerabilities are detected, Delivery Shield provides:

* **Inline fix guidance** per finding — recommended upgrade version with context
* **AI-powered remediation suggestions** — alternative libraries where a fix version is unavailable
* **Automated pull requests** — apply dependency upgrades directly in the repository
* **Prioritization by exploitability** — focus on vulnerabilities that are reachable in your specific application, not just CVSS score alone
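The automated pull request step above has one non-obvious part: when a package has several findings with different fix versions, the PR must bump to a version that closes all of them, and findings with no fix version must be surfaced rather than dropped. The following is an added example, not OpsMx code, showing that computation over a constructed `requirements.txt` and constructed findings (CVE identifiers and package names are placeholders); opening the pull request itself (git push, provider API) is out of scope.

```python
"""Compute the dependency bump an automated remediation PR would apply
(added example, not OpsMx code; requirements and findings are constructed).
"""
import re

REQUIREMENTS = """\
examplehttp==1.0.0
copyleftkit==0.9.1   # pinned for API compatibility
requests-like==2.0.0
"""

# (package, cve, fixed version); an empty fixed version means no fix is published yet.
FINDINGS = [
    ("examplehttp", "CVE-0000-2001", "1.0.4"),
    ("examplehttp", "CVE-0000-2002", "1.2.0"),
    ("examplehttp", "CVE-0000-2003", ""),
    ("requests-like", "CVE-0000-2004", "2.0.3"),
]

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>[^\s#]+)(?P<rest>.*)$")


def version_key(version):
    """Order dotted numeric versions (1.0.4 < 1.2.0). Assumption: no
    pre-release or epoch segments; a non-numeric segment sorts lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def upgrade_targets(findings):
    """One target per package: the highest fixed version across its CVEs, so a
    single bump closes every fixable finding. Unfixable ones are returned
    separately for the PR description rather than silently dropped."""
    targets, unfixable = {}, []
    for pkg, cve, fixed in findings:
        if not fixed:
            unfixable.append((pkg, cve))
        elif pkg not in targets or version_key(fixed) > version_key(targets[pkg]):
            targets[pkg] = fixed
    return targets, unfixable


def bump_requirements(text, targets):
    """Rewrite '==' pins to their targets, keeping comments and untouched lines;
    returns (new text, [(name, old, new)]). Pins already at or above the target are left alone."""
    out, changed = [], []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m and m["name"].lower() in targets:
            new = targets[m["name"].lower()]
            if version_key(new) > version_key(m["ver"]):
                out.append(f"{m['name']}=={new}{m['rest']}")
                changed.append((m["name"], m["ver"], new))
                continue
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    targets, unfixable = upgrade_targets(FINDINGS)
    new_text, changed = bump_requirements(REQUIREMENTS, targets)
    print(new_text)
    print("bumped:", changed)
    print("no fix yet (needs an alternative library or mitigation):", unfixable)
```

The simple numeric `version_key` is enough for the pins shown here; a production tool should use the ecosystem's real version semantics (PEP 440 for pip, semver for npm, Debian or RPM version comparison for OS packages), because a naive split-on-dots comparison misorders pre-release tags and epochs.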

