SCA
Definition
Software Composition Analysis (SCA) is a process used to identify and manage open-source components within a software project. It involves scanning the codebase and its dependency manifests (for example, a requirements.txt or a lock file) to detect third-party libraries, frameworks, and dependencies, and assessing them for known vulnerabilities, license compliance, and available version updates. SCA helps organizations mitigate the risks of open-source software by providing visibility into the components in use and ensuring they are secure and compliant with organizational policies.
Secure Settings Example
# Example of a secure SCA configuration in a CI/CD pipeline (CircleCI 2.1)
version: '2.1'
jobs:
  scan_dependencies:
    docker:
      - image: circleci/python:3.8
    steps:
      - checkout
      - run:
          name: Install SCA Tool
          command: pip install safety
      - run:
          name: Scan for Vulnerabilities
          # Scan the project's declared dependencies rather than only the tool's own
          # environment; a non-zero exit from safety fails the job and blocks the pipeline.
          command: safety check -r requirements.txt --full-report
# A job only runs when a workflow invokes it; without a workflows section
# CircleCI runs only a job named "build", so the scan would never execute.
workflows:
  sca:
    jobs:
      - scan_dependencies
Insecure Settings Example
# Example of an insecure SCA configuration
version: '2.1'
jobs:
  scan_dependencies:
    docker:
      - image: circleci/python:3.8
    steps:
      - checkout
      - run:
          name: Install Dependencies
          command: pip install -r requirements.txt
      # Missing SCA tool installation and vulnerability scanning step:
      # third-party packages are installed and shipped without any check
      # against known vulnerabilities or license policy.
workflows:
  sca:
    jobs:
      - scan_dependencies
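To make concrete what the "Scan for Vulnerabilities" step in the secure configuration does, here is an added example (not code from this page or from the Safety project) of the core SCA logic in miniature: parse a requirements file, match each exact pin against an advisory list, and gate the build. The advisory entries, their ADV-EXAMPLE ids and the sample requirements are constructed placeholders, and the example also reports range specifications such as `>=` that cannot be assessed from the file alone, which a real pipeline should resolve via a lock file before scanning.

```python
import re
# Constructed advisory list with placeholder ids; a real SCA tool pulls this from a vulnerability database.
ADVISORIES = [
    {"name": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2", "id": "ADV-EXAMPLE-001"},
    {"name": "otherpkg", "introduced": "0.0.0", "fixed": "2.3.0", "id": "ADV-EXAMPLE-002"},
]
# Constructed sample requirements.txt used as input below.
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0        # inside the affected range
otherpkg==2.3.0          # exactly the fixed version, so not affected
Safe_Pkg[extra]==0.9.1   # no advisory; name needs normalising before lookup
requests>=2.0            # range spec: resolved version unknown from the file alone
"""
# Only exact pins are assessable: name, optional [extras], "==", dotted numeric version.
PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([0-9]+(?:\.[0-9]+)*)$")

def version_tuple(v):
    return tuple(int(part) for part in v.split("."))

def parse_requirements(text):
    """Return ({name: version} for exact pins, [lines that cannot be assessed from the file])."""
    pinned, unassessable = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = PINNED.match(line)
        if m:
            pinned[re.sub(r"[-_.]+", "-", m.group(1)).lower()] = m.group(2)  # PEP 503 name normalisation
        else:
            unassessable.append(line)
    return pinned, unassessable

def find_vulnerable(pinned):
    """Report each pin whose version lies in an advisory's [introduced, fixed) range."""
    findings = []
    for name, ver in pinned.items():
        for adv in ADVISORIES:
            lo, hi = version_tuple(adv["introduced"]), version_tuple(adv["fixed"])
            if adv["name"] == name and lo <= version_tuple(ver) < hi:
                findings.append((name, ver, adv["id"], adv["fixed"]))
    return findings

def assess(text):
    """CI gate: pass only when nothing is vulnerable and every dependency could be assessed."""
    pinned, unassessable = parse_requirements(text)
    findings = find_vulnerable(pinned)
    return {"findings": findings, "unassessable": unassessable,
            "passed": not findings and not unassessable}
```

In a pipeline, a failing `assess` result is what turns the scan into an enforced control: the job exits non-zero and the build stops before the dependencies are packaged.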