
SCA Overview

Software Composition Analysis (SCA) helps you identify vulnerabilities, license issues, and outdated packages in your third-party dependencies.

Getting Started with SCA

Navigate to Dashboard → SCA to access the SCA dashboard.

Running an SCA Scan

SCA scanning is included automatically in Deep Scans via the Trivy scanner. You can also trigger a standalone SCA scan:

  1. Go to the SCA page
  2. Select a repository from the dropdown
  3. Click Scan to trigger a new analysis

SCA Dashboard

The SCA page has six tabs:

Overview

  • Vulnerability Summary — Total, Critical, High, Medium, Low counts
  • Security Score — 0-100 rating of your dependency security
  • License Compliance Score — 0-100 rating of license cleanliness
  • Overall Health Score — Combined assessment

Vulnerabilities

A table of all dependency vulnerabilities:

Field          Description
Title          CVE or vulnerability description
Severity       Critical, High, Medium, Low
Package        Affected dependency name and version
File Path      Which manifest file contains this dependency
Risk Score     Composite score (0-100)
CVSS Score     Standardized severity rating
Fix Available  Whether a patched version exists

Dependencies

Complete list of your project’s dependencies:

  • Package name and current version
  • Latest version available
  • Outdated indicator
  • License type
  • Package manager (npm, pip, etc.)
  • Vulnerability count

Licenses

See the full license breakdown:

  • Compliance score — Percentage of clean licenses
  • Total packages analyzed
  • Violations — Packages with incompatible licenses
  • Warnings — Packages with copyleft or restrictive licenses
  • Unknown — Packages with undetectable licenses
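The following is an added example, not CodeStax code, showing how the Vulnerabilities table fields and the Licenses breakdown described above can be derived from the JSON report of Trivy, the scanner Deep Scans use. It assumes Trivy's JSON layout (Results[].Vulnerabilities[] with PkgName, InstalledVersion, FixedVersion and Severity; Results[].Licenses[] with PkgName and Name). The license policy sets are an illustrative assumption, and the embedded sample report, including its CVE-0000-* identifiers, is a constructed placeholder.

```python
"""Summarize a Trivy JSON report the way an SCA dashboard does.

Added example (not CodeStax code). Assumes Trivy's JSON report layout;
the license policy below is illustrative, not the product's policy.
"""
import json
from collections import Counter

# Constructed sample report shaped like `trivy fs --format json` output.
# Vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "left-pad-ish",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "CRITICAL", "Title": "placeholder: prototype pollution"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "old-parser",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "HIGH", "Title": "placeholder: ReDoS"},
            ],
        },
        {
            "Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somelib",
                 "InstalledVersion": "0.9", "FixedVersion": "1.2",
                 "Severity": "MEDIUM", "Title": "placeholder: path traversal"},
            ],
        },
        {
            "Target": "package-lock.json", "Class": "license",
            "Licenses": [
                {"PkgName": "left-pad-ish", "Name": "MIT"},
                {"PkgName": "old-parser", "Name": "GPL-3.0"},
                {"PkgName": "mystery-pkg", "Name": "UNKNOWN"},
                {"PkgName": "viral-lib", "Name": "AGPL-3.0"},
            ],
        },
    ]
})

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Assumed license policy for illustration; tune to your organisation's rules.
LICENSE_VIOLATIONS = {"AGPL-3.0"}                       # treated as incompatible
LICENSE_WARNINGS = {"GPL-3.0", "GPL-2.0", "LGPL-3.0"}   # copyleft / restrictive


def vulnerability_rows(report: dict) -> list[dict]:
    """Flatten Results[].Vulnerabilities[] into dashboard-style table rows."""
    rows = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            rows.append({
                "title": vuln.get("Title") or vuln["VulnerabilityID"],
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "package": f'{vuln["PkgName"]}@{vuln["InstalledVersion"]}',
                "file_path": result.get("Target", ""),
                # An empty FixedVersion means no patched release is known.
                "fix_available": bool(vuln.get("FixedVersion")),
            })
    return rows


def vulnerability_summary(rows: list[dict]) -> dict:
    """Per-severity counts plus total, as shown on the Overview tab."""
    counts = Counter(r["severity"] for r in rows)
    summary = {sev.capitalize(): counts.get(sev, 0) for sev in SEVERITIES}
    summary["Total"] = len(rows)
    return summary


def license_breakdown(report: dict) -> dict:
    """Bucket each licensed package as clean, violation, warning or unknown."""
    buckets = {"clean": [], "violations": [], "warnings": [], "unknown": []}
    for result in report.get("Results", []):
        for lic in result.get("Licenses") or []:
            name, pkg = lic.get("Name", ""), lic.get("PkgName", "")
            if not name or name.upper() == "UNKNOWN":
                buckets["unknown"].append(pkg)
            elif name in LICENSE_VIOLATIONS:
                buckets["violations"].append(pkg)
            elif name in LICENSE_WARNINGS:
                buckets["warnings"].append(pkg)
            else:
                buckets["clean"].append(pkg)
    total = sum(len(v) for v in buckets.values())
    buckets["total"] = total
    # Compliance score = percentage of packages with clean licenses.
    buckets["compliance_score"] = round(100 * len(buckets["clean"]) / total) if total else 100
    return buckets


def analyse(report_json: str) -> dict:
    """Produce the Overview counts, unfixed packages and license breakdown."""
    report = json.loads(report_json)
    rows = vulnerability_rows(report)
    return {
        "summary": vulnerability_summary(rows),
        "unfixed": sorted(r["package"] for r in rows if not r["fix_available"]),
        "licenses": license_breakdown(report),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_REPORT), indent=2))
```

Packages whose Fix Available flag is false are the ones an upgrade command cannot resolve; those are the candidates for the alternative-package suggestions described later on this page.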

SBOM

Software Bill of Materials — see SBOM Export for details.

Settings

Per-repository SCA configuration:

  • Exclude paths — Skip specific directories or file types
  • Jira integration — Auto-create tickets for findings above a severity threshold
  • Email notifications — Send alerts on new vulnerabilities
  • Schedule — Set up recurring SCA scans (cron expression)

Upgrade Commands

When outdated vulnerable packages are found, CodeStax generates the appropriate upgrade command for your package manager:

    # npm
    npm install package-name@latest

    # yarn
    yarn upgrade package-name@latest

    # pip
    pip install --upgrade package-name

    # poetry
    poetry update package-name

    # maven
    # Update version in pom.xml to X.Y.Z

    # cargo
    cargo update -p package-name

    # go
    go get package-name@latest

AI-Powered Suggestions

CodeStax can suggest alternative packages when a dependency has:

  • Unpatched critical vulnerabilities
  • Abandoned maintenance (no updates in 2+ years)
  • License incompatibilities

These suggestions compare alternatives by popularity, security history, and API compatibility.