Software Composition Analysis (SCA)
Software Composition Analysis is in Preview.
Overview
Software Composition Analysis (SCA) scans the open source libraries imported into your repositories through package managers such as npm for known vulnerabilities. It also builds a catalog of the libraries used across your repositories that identifies risky licenses, end-of-life libraries, and vulnerabilities, to help you maintain a high quality, secure codebase.
SCA scans can be run directly through Datadog or in your CI pipelines using Code Analysis to detect library vulnerabilities before they reach production. Datadog also offers runtime detection through Datadog Application Security.
Set up Software Composition Analysis
SCA supports scanning for libraries in the following languages and technologies:
To get started, set up Software Composition Analysis on the Code Analysis page or see the Setup documentation.
Lockfiles
SCA scans libraries contained in your lockfiles. The following lockfiles are supported:
| Package Manager | Lockfile |
|---|---|
| C# (.NET) | packages.lock.json |
| Go (mod) | go.mod |
| JVM (Gradle) | gradle.lockfile |
| JVM (Maven) | pom.xml |
| Node.js (npm) | package-lock.json |
| Node.js (pnpm) | pnpm-lock.yaml |
| Node.js (yarn) | yarn.lock |
| PHP (composer) | composer.lock |
| Python (pip) | requirements.txt, Pipfile.lock |
| Python (poetry) | poetry.lock |
| Ruby (bundler) | Gemfile.lock |
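To illustrate what a lockfile scan of this kind produces, here is an added example (not Datadog's code or documentation): it walks a constructed npm `package-lock.json` in the lockfileVersion 2/3 layout, derives each unique library and version combination (including deduplicated nested copies, which SCA reports as separate rows), and matches them against a constructed advisory list. All library names, versions and advisory identifiers are made-up placeholders.

```python
import json
from typing import Dict, List, Tuple

# Constructed npm package-lock.json (lockfileVersion 3 layout); not from a real project.
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/acme-logger": {"version": "2.1.0"},
        "node_modules/acme-parser": {"version": "0.9.3"},
        "node_modules/acme-util": {"version": "1.4.0"},
        # Nested copy: acme-util depends on an older acme-parser, so both versions ship.
        "node_modules/acme-util/node_modules/acme-parser": {"version": "0.8.0"},
        "node_modules/@acme/scoped-lib": {"version": "3.0.0"},
    },
})

# Constructed advisory list: library -> [(first fixed version, placeholder advisory id)].
# Any catalogued version strictly below the fixed version is treated as affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "acme-parser": [("0.9.0", "ADV-PLACEHOLDER-001")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.5' into (1, 2, 5); pre-release and build tags are dropped for this demo."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def catalog(lock_text: str) -> List[Tuple[str, str]]:
    """Return sorted unique (library, version) pairs from a v2/v3 package-lock.json."""
    data = json.loads(lock_text)
    pairs = set()
    for path, meta in data.get("packages", {}).items():
        if not path or "version" not in meta:  # skip the root project and link entries
            continue
        # The last node_modules/ segment is the package name; scoped names keep their "@scope/".
        name = path.rsplit("node_modules/", 1)[-1]
        pairs.add((name, meta["version"]))
    return sorted(pairs)

def find_vulnerable(lock_text: str) -> List[Tuple[str, str, str]]:
    """Return (library, version, advisory id) for catalog rows below an advisory's fixed version."""
    hits = []
    for name, version in catalog(lock_text):
        for fixed, adv_id in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed):
                hits.append((name, version, adv_id))
    return hits

if __name__ == "__main__":
    for name, version in catalog(LOCKFILE):
        print(f"{name}@{version}")
    print("vulnerable:", find_vulnerable(LOCKFILE))
```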
Integrate Software Composition Analysis into your software development lifecycle
CI providers
You can run SCA on any CI platform provider of your choice. See provider-specific documentation to set up SCA in your CI pipelines:
Search and filter results
Datadog Software Composition Analysis can find vulnerable libraries across the software development lifecycle (SDLC). Code Analysis summarizes results found by directly scanning your repositories. To view all vulnerabilities found in repositories and at runtime consolidated together, see Application Security for more details.
After you configure your CI pipelines to run Datadog SCA, violations are summarized per repository on the Code Analysis Repositories page. Click on a repository to analyze Library Vulnerabilities and Library Catalog results from Software Composition Analysis.
- The Library Vulnerabilities tab contains the vulnerable library versions found by Datadog SCA.
- The Library Catalog tab contains all of the libraries (vulnerable or not) found by Datadog SCA.
To filter your results, use the facets to the left of the list or the search bar at the top. Results can be filtered by service or team facets. For more information about how results are linked to Datadog services and teams, see Getting Started with Code Analysis.
Every row represents a unique library and version combination. Each combination is associated with the specific commit and branch that is selected in the filters at the top of the page (by default, the latest commit on the default branch of the repository you selected).
Click on a library with a vulnerability to open a side panel that contains information about the scope of the violation and where it originated.
The content of the violation is shown in tabs:
- Full Description: A description of the vulnerability contained within this specific version of the library.
- Event: JSON metadata regarding the SCA violation event.
Further Reading
Additional helpful documentation, links, and articles: