<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Sca on Software Factory</title><link>/tags/sca/</link><description>Recent content in Sca on Software Factory</description><generator>Hugo</generator><language>en</language><atom:link href="/tags/sca/index.xml" rel="self" type="application/rss+xml"/><item><title>Secure</title><link>/use/tools/gitlab/secure/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/gitlab/secure/</guid><description>&lt;p&gt;&lt;img src="../img/gitlab-security-header.png" alt="GitLab secure"&gt;&lt;/p&gt;
&lt;p&gt;GitLab Ultimate embeds a suite of security scanners directly into your CI/CD pipelines.
They cover two complementary approaches: &lt;strong&gt;static analysis&lt;/strong&gt; (source code, dependencies, secrets)
and &lt;strong&gt;dynamic analysis&lt;/strong&gt; (running application).
All results are centralised in a single &lt;a href="/use/tools/gitlab/secure/vulnerability-report/"&gt;vulnerability report&lt;/a&gt;
 within GitLab.&lt;/p&gt;

 &lt;link rel="stylesheet" href="/css/vendors/admonitions.css"&gt;
 &lt;div class="admonition tip"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"&gt;&lt;path d="M272 384c9.6-31.9 29.5-59.1 49.2-86.2c0 0 0 0 0 0c5.2-7.1 10.4-14.2 15.4-21.4c19.8-28.5 31.4-63 31.4-100.3C368 78.8 289.2 0 192 0S16 78.8 16 176c0 37.3 11.6 71.9 31.4 100.3c5 7.2 10.2 14.3 15.4 21.4c0 0 0 0 0 0c19.8 27.1 39.7 54.4 49.2 86.2l160 0zM192 512c44.2 0 80-35.8 80-80l0-16-160 0 0 16c0 44.2 35.8 80 80 80zM112 176c0 8.8-7.2 16-16 16s-16-7.2-16-16c0-61.9 50.1-112 112-112c8.8 0 16 7.2 16 16s-7.2 16-16 16c-44.2 0-80 35.8-80 80z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Tip&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;Not familiar with the terminology?
See &lt;a href="/get-started/glossary/#security"&gt;SAST, DAST, SCA and other security terms&lt;/a&gt;
 in the glossary.&lt;/p&gt;</description></item><item><title>Black Duck</title><link>/use/tools/blackduck-sca/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/blackduck-sca/</guid><description>&lt;div style="display: flex; align-items: flex-start; gap: 1.5rem; margin-bottom: 1rem; max-width: 80%;"&gt;
 &lt;img src="/logo/icon_Black_Duck_SCA.svg" alt="Black Duck"
 width="150"
 style="flex-shrink: 0;"&gt;
 &lt;div&gt;&lt;p&gt;Black Duck is the Software Factory&amp;rsquo;s most complete &lt;strong&gt;Software Composition Analysis&lt;/strong&gt;
(&lt;a href="/use/practices/secure/software-composition-analysis/"&gt;SCA&lt;/a&gt;
) solution.
It combines four detection techniques to build a complete dependency inventory — including
dependencies that other tools miss, such as copy-pasted open source code and components
embedded in compiled binaries.&lt;/p&gt;
&lt;p&gt;This process helps in identifying known security vulnerabilities (CVEs/BDSAs), license
compliance violations, operational risks, and generating a comprehensive Bill of Materials (BOM)
for your applications.&lt;/p&gt;</description></item><item><title>Black Duck SCA</title><link>/use/howto/secure/blackduck-reports/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/howto/secure/blackduck-reports/</guid><description>&lt;p&gt;This guide outlines practical, step-by-step instructions for integrating Black Duck SCA into your
workflow, from initial project setup to CI/CD integration, advanced manual operations, and local
IDE scanning.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Prerequisites:&lt;/strong&gt; You must have Maintainer permissions for your GitLab repository and access to
the Black Duck server.&lt;/p&gt;
&lt;h2 id="how-to-prepare-your-black-duck-project"&gt;How to Prepare Your Black Duck Project&lt;a class="td-heading-self-link" href="#how-to-prepare-your-black-duck-project" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Before analyzing your source code, you must provision a project space.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Log in to your account on the Black Duck server.&lt;/li&gt;
&lt;li&gt;In the top-right corner of the dashboard, click &lt;strong&gt;+ Create Project&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;Enter your &lt;strong&gt;Project Name&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;Enter an initial &lt;strong&gt;Version Name&lt;/strong&gt; (e.g., &lt;code&gt;main&lt;/code&gt;, &lt;code&gt;v1.2.0&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Fill out the desired fields (like Tier or Phase) and click
&lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;Ensure your user account (or service account) has &lt;strong&gt;Project Code Scanner&lt;/strong&gt; permissions.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="how-to-generate-and-secure-an-authentication-token"&gt;How to Generate and Secure an Authentication Token&lt;a class="td-heading-self-link" href="#how-to-generate-and-secure-an-authentication-token" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Your tools need access to a token to communicate with the server. &lt;strong&gt;Never hardcode this token in
your source code.&lt;/strong&gt;&lt;/p&gt;</description></item><item><title>How to Enable GitLab Container Scanning</title><link>/use/howto/secure/gitlab-container-scanning/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/howto/secure/gitlab-container-scanning/</guid><description>&lt;link rel="stylesheet" href="/css/vendors/admonitions.css"&gt;
 &lt;div class="admonition note"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"&gt;&lt;path d="M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z"/&gt;&lt;/svg&gt;
 &lt;span&gt;For more information, see &lt;a href="/use/practices/secure/software-composition-analysis/"&gt;SCA practice&lt;/a&gt;&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;.&lt;/p&gt;
 &lt;/div&gt;
 &lt;/div&gt;&lt;h2 id="configure-your-pipeline"&gt;Configure your pipeline&lt;a class="td-heading-self-link" href="#configure-your-pipeline" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Add the following to your &lt;code&gt;.gitlab-ci.yml&lt;/code&gt; and push to your repository:&lt;/p&gt;</description></item><item><title>How to Enable GitLab Dependency Scanning</title><link>/use/howto/secure/gitlab-dependency-scanning/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/howto/secure/gitlab-dependency-scanning/</guid><description>&lt;link rel="stylesheet" href="/css/vendors/admonitions.css"&gt;
 &lt;div class="admonition note"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"&gt;&lt;path d="M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z"/&gt;&lt;/svg&gt;
 &lt;span&gt;For more information, see &lt;a href="/use/practices/secure/software-composition-analysis/"&gt;SCA practice&lt;/a&gt;&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;.&lt;/p&gt;
 &lt;/div&gt;
 &lt;/div&gt;&lt;h2 id="add-to-your-pipeline"&gt;Add to your pipeline&lt;a class="td-heading-self-link" href="#add-to-your-pipeline" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Add the following to your &lt;code&gt;.gitlab-ci.yml&lt;/code&gt; and push to your repository:&lt;/p&gt;</description></item><item><title>Software Composition Analysis (SCA)</title><link>/use/tools/gitlab/secure/sca/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/gitlab/secure/sca/</guid><description>&lt;div style="display: flex; align-items: flex-start; gap: 1.5rem; margin-bottom: 1rem; max-width: 80%;"&gt;
 &lt;img src="/logo/gitlab.svg" alt="GitLab logo"
 width="100"
 style="flex-shrink: 0;"&gt;
 &lt;div&gt;GitLab provides Software Composition Analysis capabilities through two CI-integrated tools:
&lt;strong&gt;Dependency Scanning&lt;/strong&gt; and &lt;strong&gt;Container Scanning&lt;/strong&gt;.&lt;br&gt;
Both require GitLab &lt;strong&gt;Ultimate&lt;/strong&gt;, which is included in the Software Factory at no
additional cost.&lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;For background on SCA concepts, see the &lt;a href="/use/practices/secure/software-composition-analysis/"&gt;SCA practice&lt;/a&gt;
 page.&lt;/p&gt;
&lt;h2 id="inventory-coverage"&gt;Inventory Coverage&lt;a class="td-heading-self-link" href="#inventory-coverage" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;The table below maps GitLab SCA&amp;rsquo;s capabilities to the
&lt;a href="/use/practices/secure/software-composition-analysis/#analysis-approaches"&gt;analysis approaches&lt;/a&gt;
 defined in the SCA practice.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://docs.gitlab.com/ee/user/application_security/dependency_scanning/" class="external-link" target="_blank" rel="noopener noreferrer"&gt;Dependency Scanning&lt;/a&gt;
&lt;/strong&gt; parses language-specific lockfiles to build the dependency graph
and produces a &lt;a href="/use/practices/secure/software-composition-analysis/#source-analysis"&gt;Source SBOM&lt;/a&gt;
 in &lt;a href="https://cyclonedx.org/specification/overview/" class="external-link" target="_blank" rel="noopener noreferrer"&gt;CycloneDX&lt;/a&gt;
 format.
It currently relies on the &lt;strong&gt;Gemnasium-based analyzer&lt;/strong&gt;, which is deprecated by GitLab but
remains the only generally available option.
A newer SBOM-based analyzer is in development but not yet GA.
See &lt;a href="https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/#supported-languages-and-files" class="external-link" target="_blank" rel="noopener noreferrer"&gt;Supported languages&lt;/a&gt;
 and &lt;a href="https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/#supported-package-types" class="external-link" target="_blank" rel="noopener noreferrer"&gt;package types&lt;/a&gt;
 for the full list of supported ecosystems.&lt;/p&gt;</description></item><item><title>JFrog Xray</title><link>/use/tools/xray/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/xray/</guid><description>&lt;div style="display: flex; align-items: flex-start; gap: 1.5rem; margin-bottom: 1rem; max-width: 80%;"&gt;
 &lt;img src="/logo/xray-withname.svg" alt="JFrog Xray"
 width="150"
 style="flex-shrink: 0;"&gt;
 &lt;div&gt;JFrog Xray is part of the Software Factory&amp;rsquo;s &lt;strong&gt;Software Composition Analysis&lt;/strong&gt;
(&lt;a href="/use/practices/secure/software-composition-analysis/"&gt;SCA&lt;/a&gt;
) offering, available with the DevSecOps
package.
It can be used standalone via the JFrog CLI, or coupled with JFrog Artifactory for end-to-end
security and compliance management across your software supply chain.&lt;/div&gt;
&lt;/div&gt;

&lt;div class="admonition info"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"&gt;&lt;path d="M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zM216 336l24 0 0-64-24 0c-13.3 0-24-10.7-24-24s10.7-24 24-24l48 0c13.3 0 24 10.7 24 24l0 88 8 0c13.3 0 24 10.7 24 24s-10.7 24-24 24l-80 0c-13.3 0-24-10.7-24-24s10.7-24 24-24zm40-208a32 32 0 1 1 0 64 32 32 0 1 1 0-64z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Info&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;This page describes the tool independently of any platform-specific details.
For the service URL and other platform-specific configuration,
please refer to your &lt;a href="/get-started/platforms/"&gt;platform&amp;rsquo;s dedicated page&lt;/a&gt;
.&lt;/p&gt;</description></item></channel></rss>