Configure Software Composition Analysis (SCA) scanning to identify known security vulnerabilities, license compliance issues, and outdated components in your project dependencies and third-party libraries. SCA scanning analyzes project dependencies, package manifests, and software bills of materials to detect risks in open source and third-party components. Before you begin, ensure your projects have dependency files accessible and the necessary permissions to configure security scanning tools.
Implicit and explicit SCA scanning
CloudBees Unify supports two approaches for SCA scanning: implicit scanning through application security posture management (ASPM) and explicit scanning through workflow actions.
Implicit scanning automatically analyzes the dependencies and packages used in your source code when components are created or code is committed. Explicit scanning runs SCA actions that you configure directly in your workflows, giving you control over scan timing and parameters. You can use either approach, or both together.
To prepare for SCA scanning:

- Identify your project dependencies and package management systems:
  - Ensure dependency files, such as `package.json`, `pom.xml`, `requirements.txt`, `Gemfile`, or `go.mod`, are available for analysis.
  - Verify that your build process generates complete dependency manifests that reflect the project's actual dependencies.
  - Consider dependency resolution timing so that all transitive dependencies are captured accurately.
- Understand SCA scanning requirements:
  - SCA tools need access to project source code and dependency manifests during the build process.
  - Analysis works best when integrated early in the development lifecycle, so that issues are caught before they reach production.
  - Different package managers may require specific configuration or build steps for accurate dependency detection.

SCA scanning is most effective when integrated into your continuous integration pipeline immediately after dependency resolution.
Configure implicit SCA scanning
Implicit SCA scanning integrates with ASPM to automatically analyze the dependencies and packages used in your source code across your application portfolio.
| You must have ASPM enabled for your organization and the Manage security tools permission to configure implicit scanning. |
To configure implicit SCA scanning:

- Navigate to in your organization.
- Filter the available tools by the SCA category, or search for specific scanner names.
- Select and activate your chosen SCA scanner by selecting its toggle switch:
  - Black Duck SCA: Open source security and license compliance analysis (requires configuration).
  - Snyk SCA: Dependency analysis with detailed vulnerability information.
- Configure scanner-specific settings if required. For tool configuration details, refer to Configure security tools.
Once configured, implicit scanning automatically analyzes dependencies when you create components or commit changes to linked repositories.
Configure explicit workflow SCA scanning
Explicit SCA scanning is configured directly in your workflow and requires access to project source code and dependency files.
To configure SCA scanning in your workflows:

- Add SCA scanning actions to your workflow YAML file in the appropriate job steps. Available SCA scanners include:
  - Black Duck SCA: Comprehensive open source security and license compliance analysis with extensive vulnerability database coverage.
  - Mend SCA: Software composition analysis with a focus on dependency management, license compliance, and automated remediation.
  - Snyk SCA: Developer-friendly dependency analysis with detailed vulnerability information and automated fix suggestions.
- Configure scanner authentication and project access:
  - Create the required secrets in your CloudBees Unify organization or component settings for API keys, tokens, and project identifiers.
  - Set up access to dependency files, ensuring scanners can read package manifests and lock files.
  - Configure project-specific parameters such as project names, versions, and organizational contexts.

  Common authentication patterns include:
  - API key authentication: All SCA scanners require API tokens stored as secrets.
  - Project identification: Many scanners require project names, versions, or unique identifiers.
  - Server URL configuration: Enterprise SCA tools often require custom server endpoints.
- Customize scan parameters for your projects:
  - Define dependency scanning scope and vulnerability severity thresholds appropriate for your security requirements.
  - Configure license compliance policies and approval workflows based on organizational guidelines.
  - Set up automated remediation triggers and dependency update recommendations to streamline vulnerability resolution.

  Example SCA scanning configuration:

  ```yaml
  - name: Scan with Snyk SCA
    uses: https://github.com/cloudbees-io/snyk-sca-scan-dependency@v1
    with:
      orgname: "your_snyk_organization"
      token: ${{ secrets.SNYK_SECRET }}
      language: "javascript"
  ```
| SCA scanning performance depends on dependency resolution speed and project complexity. Consider caching dependency installations to optimize scan times. |
Manage dependency analysis and project structure
SCA scanning requires careful consideration of project structure and dependency management practices to ensure accurate and comprehensive analysis.
To optimize SCA scanning effectiveness:

- Structure your projects for effective dependency analysis:
  - Ensure all dependency files are committed to your repository and accessible during builds.
  - Use consistent dependency management practices across your development team.
  - Maintain up-to-date lock files, such as `package-lock.json` or `yarn.lock`, for reproducible dependency resolution.
- Configure appropriate scanning timing within your build pipeline:
  - Schedule SCA scans after dependency installation but before application deployment.
  - Use dependency caching strategies to balance scan thoroughness with pipeline performance.
  - Consider scanning both development and production dependency sets when applicable.
- Handle scan results and dependency management decisions:
  - Define vulnerability severity thresholds that determine acceptable risk levels for your projects.
  - Establish license compliance policies that align with your organization's legal and business requirements.
  - Implement dependency update workflows that balance security improvements with stability requirements.
Review and manage SCA findings
SCA findings focus on third-party dependencies and require specialized approaches for effective vulnerability management and license compliance.
To review SCA findings:

- Access scan results through the CloudBees Unify Security Center:
  - Navigate to in your organization.
  - Filter findings by scanner type and dependency-specific vulnerability categories.
- Understand SCA-specific finding types and prioritization:
  - Known vulnerabilities in direct dependencies that your project explicitly declares.
  - Transitive dependency vulnerabilities introduced by your direct dependencies.
  - License compliance issues and policy violations based on organizational requirements.
  - Outdated dependencies that have newer versions available with security improvements.
- Coordinate with development teams for effective dependency management:
  - Share findings with development teams for dependency updates and version upgrades.
  - Prioritize remediation based on vulnerability severity, exploit availability, and dependency usage patterns.
  - Track dependency update progress and validate that updates resolve identified vulnerabilities.
  - Establish processes for ongoing dependency monitoring and proactive vulnerability management.
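The following Python script is an added example, not CloudBees, Snyk, or npm code, that ties together two decisions described on this page: the severity threshold and license policy from "Customize scan parameters", and the direct-versus-transitive distinction from the finding types above. It reads a constructed `package-lock.json` (npm lockfileVersion 3 layout) and a constructed list of findings, labels each finding by dependency scope, and returns the resulting policy violations; the lock file contents, findings, severities, and license allowlist are all constructed for illustration.

```python
import json

# Constructed npm lockfileVersion 3 file standing in for a real package-lock.json.
LOCK_JSON = """{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"express": "^4.18.0"}, "devDependencies": {"jest": "^29.0.0"}},
    "node_modules/express": {"version": "4.18.2", "license": "MIT", "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs": {"version": "6.11.0", "license": "BSD-3-Clause"},
    "node_modules/jest": {"version": "29.7.0", "license": "MIT"},
    "node_modules/tiny-util": {"version": "0.1.0", "license": "GPL-3.0-only"}
  }
}"""

# Constructed scanner findings; the severities are illustrative, not real advisories.
FINDINGS = [
    {"package": "qs", "version": "6.11.0", "severity": "high"},
    {"package": "jest", "version": "29.7.0", "severity": "medium"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}  # example organizational allowlist


def load_lock(text):
    """Return (direct deps with prod/dev scope, all installed packages by name)."""
    root = json.loads(text)["packages"]
    direct = {name: "direct (prod)" for name in root[""].get("dependencies", {})}
    direct.update({name: "direct (dev)" for name in root[""].get("devDependencies", {})})
    # A nested path like "node_modules/a/node_modules/b" resolves to package name "b".
    installed = {path.rsplit("node_modules/", 1)[-1]: meta
                 for path, meta in root.items() if path}
    return direct, installed


def evaluate(lock_text, findings, fail_on="high", allowed=ALLOWED_LICENSES):
    """Return violations: findings at or above the threshold, plus disallowed licenses."""
    direct, installed = load_lock(lock_text)
    violations = []
    for f in findings:
        scope = direct.get(f["package"], "transitive")  # not declared by the root package
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]:
            violations.append(f"{f['severity']} vulnerability in {scope} dependency "
                              f"{f['package']}@{f['version']}")
    for name, meta in installed.items():
        if meta.get("license") not in allowed:
            violations.append(f"disallowed license {meta.get('license')}: {name}@{meta['version']}")
    return violations
```

With the default `fail_on="high"` the constructed input yields two violations: the high-severity finding in the transitive `qs` dependency and the GPL-licensed `tiny-util`; lowering the threshold to `medium` also surfaces the dev-only `jest` finding, which is the kind of trade-off the development and production dependency sets discussion above refers to.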
For detailed guidance on findings management, refer to Triage security findings.