Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
SCA overview
What is Invicti SCA?
Invicti SCA (Software Composition Analysis) identifies and catalogs open-source components used in your applications, then checks them against vulnerability databases to find known security risks. It scans both direct and transitive dependencies, tracing risks through the full dependency chain so that vulnerabilities buried multiple layers deep aren't missed.
For Invicti AppSec Core, Invicti SCA is pre-activated and ready to use. No manual setup or integration is required.
How it works
Invicti SCA scans your repositories to detect known vulnerabilities (CVEs) in open-source libraries and third-party dependencies. The scanning process includes:
- Dependency discovery: identifies all direct and transitive dependencies in your project.
- Vulnerability matching: compares discovered components and versions against databases such as the NVD and GitHub Security Advisories.
- License analysis: flags risky open-source licenses (such as copyleft or GPL variants) that could create compliance issues.
- SBOM generation: produces Software Bills of Materials in industry-standard CycloneDX and SPDX formats.
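The four steps above, run end to end on constructed sample data, as an added illustration of how an SCA pipeline works in general. This is not Invicti's code and does not describe its engine; the package names, versions, licenses and advisory IDs are made up for the example, and the advisory feed is a plain dictionary standing in for a real vulnerability database.

```python
"""Minimal SCA pipeline: discovery, matching, license analysis, SBOM output.

Added example; constructed sample data only. Nothing here is a real package,
a real CVE, or Invicti's implementation.
"""
import json
from collections import deque
from typing import Dict, List, Tuple

# Constructed lock-file style manifest: package -> (version, license, declared deps).
MANIFEST: Dict[str, Tuple[str, str, List[str]]] = {
    "webapp":       ("1.0.0", "MIT",          ["http-client", "template-lib"]),
    "http-client":  ("2.3.1", "Apache-2.0",   ["url-parser"]),
    "template-lib": ("0.9.4", "GPL-3.0-only", ["url-parser"]),
    "url-parser":   ("1.4.2", "MIT",          []),
}

# Constructed advisory feed: package -> [(advisory id, first fixed version)].
# Versions strictly below "first fixed" are treated as affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "url-parser":  [("SAMPLE-2024-0001", "1.5.0")],
    "http-client": [("SAMPLE-2023-0042", "2.0.0")],
}

# License prefixes this example's policy treats as copyleft risk.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted version into a comparable tuple (simplified semver)."""
    return tuple(int(x) for x in v.split("."))


def discover(root: str) -> Dict[str, Tuple[str, int, List[str]]]:
    """Breadth-first walk of the dependency graph.

    Returns {package: (version, depth, chain)} where depth 1 is a direct
    dependency and depth >= 2 is transitive; BFS records the shortest chain.
    """
    found: Dict[str, Tuple[str, int, List[str]]] = {}
    queue = deque([(root, 0, [root])])
    while queue:
        name, depth, chain = queue.popleft()
        if name in found:          # diamond dependency already recorded
            continue
        version, _license, deps = MANIFEST[name]
        found[name] = (version, depth, chain)
        for dep in deps:
            queue.append((dep, depth + 1, chain + [dep]))
    return found


def match_vulns(components) -> List[dict]:
    """Compare each discovered version against the advisory feed."""
    findings = []
    for name, (version, depth, chain) in components.items():
        for adv_id, fixed_in in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({
                    "package": name, "version": version, "advisory": adv_id,
                    "fixed_in": fixed_in, "transitive": depth > 1,
                    "chain": " -> ".join(chain),   # how the risk was inherited
                })
    return findings


def license_risks(components) -> List[str]:
    """Flag components whose license matches the copyleft policy."""
    return [n for n in components if MANIFEST[n][1].startswith(COPYLEFT_PREFIXES)]


def cyclonedx_sbom(components, root: str) -> dict:
    """Emit a CycloneDX 1.5 JSON document for everything below the root."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": root,
                                   "version": MANIFEST[root][0]}},
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:generic/{n}@{v}",
             "licenses": [{"license": {"id": MANIFEST[n][1]}}]}
            for n, (v, _depth, _chain) in components.items() if n != root
        ],
    }


def run_sca(root: str = "webapp") -> dict:
    comps = discover(root)
    return {"findings": match_vulns(comps),
            "license_risks": license_risks(comps),
            "sbom": cyclonedx_sbom(comps, root)}


if __name__ == "__main__":
    print(json.dumps(run_sca(), indent=2))
```

On this data the only affected component is `url-parser`, which the application never declares directly; the finding carries the chain `webapp -> http-client -> url-parser` so the team knows which direct dependency to bump. `http-client` is listed in the feed but already at or above the fixed version, so it is correctly not reported, and `template-lib` surfaces as a license risk rather than a vulnerability.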
What it can discover
Invicti SCA detects risks across the following categories:
| Category | Examples |
|---|---|
| Known vulnerabilities (CVEs) | Security flaws in open-source libraries, outdated packages with published exploits |
| Transitive dependency risks | Vulnerabilities in indirect dependencies inherited through the dependency chain |
| License risks | Copyleft licenses, GPL variants, and other licenses that may conflict with your organization's policies |
| Outdated components | Libraries and frameworks that are no longer maintained or have fallen behind on security patches |
Proof-based validation
When a CVE flagged by SCA is detected as reachable and exploitable, Invicti can use proof-based scanning (via its DAST engine) to safely demonstrate that an attack is possible. This correlation between static dependency analysis and dynamic runtime testing helps teams prioritize the vulnerabilities that pose real risk.
Invicti SCA editions
Invicti AppSec provides SCA in two forms, depending on the package:
| Edition | Package | Activation |
|---|---|---|
| Invicti SCA | AppSec Core | Pre-activated, no setup required |
| Third-party SCA tools | AppSec Enterprise | Requires manual activation under Integrations |
For AppSec Enterprise, supported third-party SCA tools include Snyk, Mend, Dependabot, and others. See Third-party scanners overview for the full list.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to Help Center