This integration is configured through the Invicti ASPM product.
SCA overview
What is SCA?
Software Composition Analysis (SCA) identifies and catalogs open-source components used in your applications, then checks them against vulnerability databases to find known security risks. It scans both direct and transitive dependencies, tracing risks through the full dependency chain so that vulnerabilities buried multiple layers deep are not missed.
Invicti AppSec Core includes a preconfigured Invicti SCA scanner that is automatically activated with your package. The integrations on this page are for teams using Invicti ASPM who want to connect their own SCA tools instead. See AppSec Core scanners overview for details on the built-in scanner.
How it works
SCA scans your repositories to detect known vulnerabilities in open-source libraries and third-party dependencies. The scanning process includes:
- Dependency discovery — identifies all direct and transitive dependencies in your project.
- Vulnerability matching — compares discovered components against databases such as the NVD and GitHub Security Advisories.
- License analysis — flags risky open-source licenses (such as copyleft licenses, including GPL variants) that could create compliance issues.
- SBOM generation — produces Software Bills of Materials in industry-standard CycloneDX and SPDX formats.
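The four steps above traced over one SBOM, as an added Python example (not Invicti's code, nor the logic of any scanner listed on this page): the CycloneDX dependency graph is walked from the root component to recover each component's chain and depth, versions are matched against a constructed advisory table standing in for NVD/GHSA, and SPDX license ids are checked against a copyleft denylist. The SBOM, package names, versions, the advisory id and the license policy are all constructed placeholders, and the version comparison is a simplified numeric one.

```python
import json
# Constructed CycloneDX 1.5-style SBOM (JSON). Package names, versions and the
# root app are placeholders, not real projects; "dependencies" is the graph.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "pkg:npm/app@1.0.0", "name": "app"}},
 "components": [
  {"bom-ref": "pkg:npm/webframe@2.1.0", "name": "webframe", "version": "2.1.0", "licenses": [{"license": {"id": "MIT"}}]},
  {"bom-ref": "pkg:npm/qparse@1.4.0", "name": "qparse", "version": "1.4.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
  {"bom-ref": "pkg:npm/padlib@0.9.0", "name": "padlib", "version": "0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}],
 "dependencies": [
  {"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/webframe@2.1.0", "pkg:npm/padlib@0.9.0"]},
  {"ref": "pkg:npm/webframe@2.1.0", "dependsOn": ["pkg:npm/qparse@1.4.0"]}]}"""

# Constructed advisory table (stands in for NVD/GHSA): name -> (fixed-in version, advisory id).
ADVISORIES = {"qparse": ("1.4.2", "EXAMPLE-ADV-0001")}
# SPDX license ids that a hypothetical organisation policy flags as copyleft risks.
RISKY_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-3.0-only"}
def parse_version(v):
    # Simplified numeric compare; real tools apply ecosystem-specific version rules.
    return tuple(int(p) for p in v.split("-")[0].split("."))

def dependency_paths(sbom):
    """Map each reachable bom-ref to its chain of refs from the root component (DFS)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, stack = {root: [root]}, [(root, [root])]
    while stack:
        ref, path = stack.pop()
        for child in graph.get(ref, []):
            if child not in paths:          # first path wins; also stops cycles
                paths[child] = path + [child]
                stack.append((child, paths[child]))
    return paths

def analyze_sbom(sbom_json):
    """Return vulnerability and license findings, each with its dependency chain and depth."""
    sbom = json.loads(sbom_json)
    paths, findings = dependency_paths(sbom), []
    for c in sbom["components"]:
        path = paths.get(c["bom-ref"], [c["bom-ref"]])   # depth 0 = not reachable from root
        chain, depth = " -> ".join(path), len(path) - 1    # 1 = direct, >1 = transitive
        adv = ADVISORIES.get(c["name"])
        if adv and parse_version(c["version"]) < parse_version(adv[0]):
            findings.append({"type": "vulnerability", "id": adv[1], "ref": c["bom-ref"], "depth": depth, "chain": chain})
        for lid in (lic.get("license", {}).get("id") for lic in c.get("licenses", [])):
            if lid in RISKY_LICENSES:
                findings.append({"type": "license", "id": lid, "ref": c["bom-ref"], "depth": depth, "chain": chain})
    return findings
```

Production scanners match on the full package URL and ecosystem-specific version semantics rather than on the bare name; the depth and chain fields are what let the qparse finding be reported as inherited through webframe instead of as a direct dependency.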
What it can discover
SCA detects risks across the following categories:
| Category | Examples |
|---|---|
| Known vulnerabilities (CVEs) | Security flaws in open-source libraries, outdated packages with published exploits |
| Transitive dependency risks | Vulnerabilities in indirect dependencies inherited through the dependency chain |
| License risks | Copyleft licenses, GPL variants, and other licenses that may conflict with your organization's policies |
| Outdated components | Libraries and frameworks that are no longer maintained or have fallen behind on security patches |
Supported SCA scanners
The following SCA integrations are available through Invicti ASPM:
| Scanner | Type | Authentication |
|---|---|---|
| Snyk SCA | Connection | API token |
| Mend SCA | Connection | Basic auth |
| JFrog Xray | Connection | Basic auth |
| Black Duck | Connection | API token |
| Checkmarx One SCA | Connection | API token |
| Checkmarx SCA Cloud | Connection | API token |
| Veracode SCA | Connection | API ID + key |
| Polaris fAST SCA | Connection | API token |
| Semgrep Enterprise SCA | Connection | API token |
| Contrast SCA | Connection | API token |
| Sonatype Nexus Lifecycle | Connection | Basic auth |
| Dependency-Track | Connection | API token |
| Dependency-Check | Docker | — |
| OSV | Docker | — |
| OSV-Scanner | Docker | — |
| Nancy SCA | Docker | — |
| Dependabot | GitHub integration | GitHub PAT/App |
| SBOM Radar | Connection | API token |
Choosing an SCA scanner
| If you need… | Consider |
|---|---|
| Enterprise-grade SCA with broad language support | Snyk, Mend, Black Duck, Veracode SCA, Checkmarx One |
| SaaS-only, no infrastructure | Snyk SCA, Checkmarx SCA Cloud, Semgrep Enterprise SCA |
| Open-source / no license cost | Dependency-Check, OSV, OSV-Scanner, Nancy SCA |
| Native GitHub integration | Dependabot |
| Artifact repository scanning | JFrog Xray, Sonatype Nexus Lifecycle |
| SBOM-first workflow | SBOM Radar, Dependency-Track |
Need help?
The Invicti Support team is ready to provide technical assistance. Go to Help Center