SCA (Software Composition Analysis)

Available in Enterprise version


SCA (Software Composition Analysis) performs dependency scanning of your project's third-party components to identify known vulnerabilities in them.

Compatibility Note: Ensure your analyzer supports CycloneDX report format.

Configuring SCA for Your Project

SCA runs on the resources of the CI agent. The composition analyzer you choose produces its report while executing the script defined in your .yaml file; GitFlic then reads that report from the job's artifacts.

To integrate SCA:
1. Select and configure a composition analyzer for your project.
2. Specify the path of the CycloneDX report in artifacts:reports with the dependency_scanning type.
   - Without an explicit type, reports default to the SAST classification.
   - For multiple reports, list each path separately.

stages:
  - test

test:
  stage: test
  image: alpine:latest
  script:
    # Run your SCA tool here so that it writes a CycloneDX report named bom.json
    - <sca-tool command that writes bom.json>   # placeholder, replace with your analyzer's command
  artifacts:
    reports:
      dependency_scanning:
        paths:
          - bom.json

For the full .yaml configuration reference, see the GitFlic CI/CD Documentation.

How It Works

SCA categorizes vulnerabilities into 5 severity levels:
1. Critical
2. High
3. Medium
4. Low
5. Undefined
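As an added example (not GitFlic's own code and not tied to any particular analyzer), the following Python script checks that a bom.json produced by the job above looks like a CycloneDX report before it is published through artifacts:reports, then tallies its vulnerabilities into the five levels listed. The vulnerabilities[].ratings[].severity field and the bom-ref/affects linkage come from the CycloneDX 1.4 schema; mapping entries that carry no critical/high/medium/low rating to Undefined is this example's own assumption about how the fifth level is reached, and the sample report is constructed.

```python
import json

# Constructed sample CycloneDX 1.4 report; the identifiers are placeholders, not real advisories.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "bom-ref": "pkg:generic/libfoo@1.2.3"},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "bom-ref": "pkg:generic/libbar@0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": "pkg:generic/libfoo@1.2.3"}],
         "ratings": [{"severity": "critical"}]},
        {"id": "VULN-PLACEHOLDER-2", "affects": [{"ref": "pkg:generic/libbar@0.9.0"}],
         "ratings": [{"severity": "low"}, {"severity": "medium"}]},
        # Entry with no rating at all: lands in the fifth level.
        {"id": "VULN-PLACEHOLDER-3", "affects": [{"ref": "pkg:generic/libbar@0.9.0"}],
         "ratings": []},
    ],
})

# The five levels from the page, in order of decreasing severity.
LEVELS = ("Critical", "High", "Medium", "Low", "Undefined")
_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def validate_bom(doc):
    """Return a list of problems; an empty list means the document looks like a CycloneDX report."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if "specVersion" not in doc:
        problems.append("specVersion missing")
    if not isinstance(doc.get("components", []), list):
        problems.append("components is not a list")
    # Every vulnerability should point at a component that is actually in the BOM.
    refs = {c.get("bom-ref") for c in doc.get("components", []) if c.get("bom-ref")}
    for v in doc.get("vulnerabilities", []):
        for a in v.get("affects", []):
            if a.get("ref") not in refs:
                problems.append(f"{v.get('id')} affects unknown ref {a.get('ref')}")
    return problems


def classify(vuln):
    """Map one vulnerability to a level using its worst rating.

    Ratings with no recognised severity (info, none, unknown, or absent) become
    Undefined; that mapping is an assumption made for this example.
    """
    best = None
    for r in vuln.get("ratings", []):
        rank = _RANK.get(str(r.get("severity", "")).lower())
        if rank is not None and (best is None or rank < best):
            best = rank
    return LEVELS[best] if best is not None else "Undefined"


def count_by_severity(doc):
    """Count vulnerabilities per level, always returning all five keys."""
    counts = {level: 0 for level in LEVELS}
    for v in doc.get("vulnerabilities", []):
        counts[classify(v)] += 1
    return counts


def load_report(text):
    """Parse report text and refuse it if it is not structurally a CycloneDX BOM."""
    doc = json.loads(text)
    problems = validate_bom(doc)
    if problems:
        raise ValueError("; ".join(problems))
    return doc


if __name__ == "__main__":
    bom = load_report(SAMPLE_BOM)
    for level, n in count_by_severity(bom).items():
        print(f"{level}: {n}")
```

Running such a check as the last step of the job lets the pipeline fail early when the analyzer wrote something other than CycloneDX (for example when its output format flag was left at a default), rather than silently producing a report that GitFlic classifies under the wrong type.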

SCA Severity Levels

Viewing Results

  • Navigate to Security > SCA to filter vulnerabilities by severity and status.
    SCA Dashboard
  • Click any vulnerability to view:
    - the affected file, commit, and line number;
    - a detailed description and remediation steps.
    Vulnerability Details

Automatic translation!

This page has been automatically translated. The text may contain inaccuracies