
Software Composition Analysis - SCA

Software Composition Analysis (SCA) is a security testing practice that identifies vulnerabilities in the open-source dependencies and third-party libraries used in your applications. It surfaces known risks in those components so that you can manage the security and compliance of external code effectively.

With Harness Security Testing Orchestration (STO), you can seamlessly perform SCA using a wide range of integrated scanners. STO also applies its own features, such as results normalization, deduplication of findings from various scanners, and formatting results to make them actionable.
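To illustrate what results normalization and deduplication mean in practice, the following is an added example (not Harness code, and not STO's actual implementation). It takes constructed, simplified outputs in the general shape of the two Built-in Scanner tools, OSV-Scanner and OWASP Dependency-Check, maps them onto one common finding schema, collapses the same vulnerability reported by both scanners into a single record, and normalizes the severity labels. The exact JSON field names are assumptions about those formats, and every vulnerability ID and package name is a placeholder.

```python
"""Normalize SCA findings from two scanner output shapes, then deduplicate them."""
import json
from dataclasses import dataclass, field, replace

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
PURL_TYPE_TO_ECOSYSTEM = {"pypi": "PyPI", "npm": "npm", "maven": "Maven", "golang": "Go"}

# Constructed sample in the approximate shape of OSV-Scanner JSON (field names are
# assumptions; IDs and the package are placeholders, not real advisories).
OSV_SAMPLE = json.loads("""
{"results": [{"source": {"path": "requirements.txt"}, "packages": [{
  "package": {"name": "examplelib", "version": "1.2.0", "ecosystem": "PyPI"},
  "vulnerabilities": [
    {"id": "GHSA-xxxx-yyyy-zzzz", "aliases": ["CVE-0000-0001"],
     "summary": "placeholder deserialization issue",
     "database_specific": {"severity": "HIGH"}},
    {"id": "GHSA-aaaa-bbbb-cccc", "aliases": [],
     "summary": "placeholder denial of service",
     "database_specific": {"severity": "MODERATE"}}]}]}]}
""")

# Constructed sample in the approximate shape of OWASP Dependency-Check JSON.
DC_SAMPLE = json.loads("""
{"dependencies": [{"fileName": "examplelib-1.2.0.tar.gz",
  "packages": [{"id": "pkg:pypi/examplelib@1.2.0"}],
  "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "high",
                       "description": "placeholder deserialization issue"}]}]}
""")


@dataclass
class Finding:
    ecosystem: str
    package: str
    version: str
    vuln_id: str      # canonical ID: the CVE when one is known, else the scanner's own ID
    severity: str     # normalized to LOW / MEDIUM / HIGH / CRITICAL / UNKNOWN
    summary: str
    sources: set = field(default_factory=set)

    @property
    def key(self):
        """Identity used for deduplication: same component, same vulnerability."""
        return (self.ecosystem.lower(), self.package.lower(), self.version, self.vuln_id)


def normalize_severity(raw):
    label = (raw or "UNKNOWN").upper()
    if label == "MODERATE":          # GHSA-style label for MEDIUM
        label = "MEDIUM"
    return label if label in SEVERITY_RANK else "UNKNOWN"


def canonical_id(vuln_id, aliases=()):
    """Prefer a CVE identifier so the same issue matches across scanners."""
    for candidate in (vuln_id, *aliases):
        if candidate.upper().startswith("CVE-"):
            return candidate.upper()
    return vuln_id


def parse_purl(purl):
    """Minimal package-URL parser for pkg:<type>/[<namespace>/]<name>@<version>."""
    path, _, version = purl.removeprefix("pkg:").partition("@")
    ptype, _, name = path.partition("/")
    name = name.rsplit("/", 1)[-1]   # drop a namespace if present (simplification)
    return PURL_TYPE_TO_ECOSYSTEM.get(ptype, ptype), name, version


def normalize_osv(doc):
    findings = []
    for result in doc.get("results", []):
        for pkg in result.get("packages", []):
            meta = pkg["package"]
            for vuln in pkg.get("vulnerabilities", []):
                findings.append(Finding(
                    meta.get("ecosystem", ""), meta["name"], meta["version"],
                    canonical_id(vuln["id"], vuln.get("aliases", [])),
                    normalize_severity(vuln.get("database_specific", {}).get("severity")),
                    vuln.get("summary", ""), {"osv"}))
    return findings


def normalize_dependency_check(doc):
    findings = []
    for dep in doc.get("dependencies", []):
        for purl in dep.get("packages", []):
            ecosystem, name, version = parse_purl(purl["id"])
            for vuln in dep.get("vulnerabilities", []):
                findings.append(Finding(
                    ecosystem, name, version, canonical_id(vuln["name"]),
                    normalize_severity(vuln.get("severity")),
                    vuln.get("description", ""), {"dependency-check"}))
    return findings


def deduplicate(findings):
    """Merge findings with the same key; keep the highest severity and all sources."""
    merged = {}
    for f in findings:
        current = merged.get(f.key)
        if current is None:
            merged[f.key] = replace(f, sources=set(f.sources))
            continue
        current.sources |= f.sources
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[current.severity]:
            current.severity = f.severity
        current.summary = current.summary or f.summary
    return sorted(merged.values(),
                  key=lambda f: (-SEVERITY_RANK[f.severity], f.package, f.vuln_id))


def normalized_report():
    return deduplicate(normalize_osv(OSV_SAMPLE) + normalize_dependency_check(DC_SAMPLE))


if __name__ == "__main__":
    for f in normalized_report():
        print(f"{f.severity:<8} {f.ecosystem}/{f.package}@{f.version}  {f.vuln_id}"
              f"  seen by: {', '.join(sorted(f.sources))}")
```

Three findings go in and two come out: the placeholder CVE reported by both tools becomes one record attributed to both sources, while the GHSA-only entry keeps its scanner ID and has its "MODERATE" label mapped to MEDIUM. The deduplication key deliberately uses the canonical CVE alias rather than each scanner's native ID; without that step the same issue would appear twice in the triage queue.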

Set up SCA with Harness STO

You can use any of the integrated scanners that perform SCA scanning, or you can leverage the Harness STO Built-in Scanner workflow. The Built-in Scanner step enables you to set up scans without requiring paid licenses or complex configurations. Currently, the Built-in Scanner uses OWASP Dependency Check and OSV. Alternatively, you can select any of the supported scanners for detailed configuration steps.

Supported Scanners for SCA

Below is the list of supported SCA scanners in Harness STO:

  1. OSV Scanner
  2. OWASP
  3. Snyk
  4. Veracode
  5. Wiz

If the scanner you use for SCA is not listed, you can explore additional scanners that are compatible with the Custom Scan step. If the Custom Scan step does not support the scanner you need, you can use the Custom Ingestion step to ingest and process your scan results.

Next steps

After running a security scan, you can take the following actions: