What Do We Offer? SCA Service Scope
We treat the SCA engagement not as a mere "vulnerability scan" but as the holistic management of software supply chain security. Dependency inventory, vulnerability analysis, licence compliance checks and SBOM generation are delivered under one roof.
Dependency Inventory (SBOM)
All direct and transitive dependencies are identified, and an SBOM (software bill of materials) is produced in CycloneDX or SPDX format. This inventory is the core input for audit, compliance and risk management.
CVE / Vulnerability Analysis
Components are matched against NVD, OSV, GitHub Advisory and commercial databases to detect known vulnerabilities. For each CVE, the CVSS score, exploit likelihood (EPSS score), impact analysis and remediation recommendation are provided.
Licence Compliance Checks
Licences such as GPL, LGPL, MIT and Apache are identified and compared with corporate policies. Components carrying incompatibility risk are flagged; legal/commercial risk assessment is supported.
Version / EOL Tracking
How current each component is, its support status (End-of-Life) and how it compares with the latest available version are assessed. Outdated or no-longer-supported components are reported as risks.
Prioritisation (Triage)
Rather than treating all CVEs as equal, prioritisation is based on exploitability (EPSS), reachability, business impact and component criticality, so teams remediate in the right order.
CI/CD Integration Support
Teams wishing to integrate SCA into the development process receive guidance on pipeline design, threshold definitions and automated control mechanisms.
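The following is an added worked example, not code from the service described above: a minimal SCA pass that ties the scope items together. It reads a constructed CycloneDX SBOM (dependency inventory), matches components against a constructed advisory list standing in for NVD/OSV/GHSA lookups (the CVE ids, EPSS values and reachability hints are placeholders), ranks findings by severity, EPSS, reachability and component criticality (triage), flags licences on a corporate denylist, and applies a CI/CD gate threshold. The triage weights and the gate threshold are assumptions chosen for illustration; a real programme tunes them to its risk appetite.

```python
"""Added SCA example: SBOM inventory -> advisory match -> triage -> CI gate.
All SBOM data, advisories, EPSS values and reachability hints are constructed."""
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 SBOM fragment (not a real project inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json", "version": "2.0.1",
     "purl": "pkg:pypi/example-json@2.0.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-image", "version": "1.4.0",
     "purl": "pkg:pypi/example-image@1.4.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "example-net", "version": "0.9.2",
     "purl": "pkg:pypi/example-net@0.9.2", "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}
"""

# Constructed advisories keyed by purl; the ids are placeholders, not real CVEs.
ADVISORIES = {
    "pkg:pypi/example-json@2.0.1": [{"id": "CVE-0000-0001", "cvss": 9.8, "epss": 0.92, "fixed_in": "2.0.2"}],
    "pkg:pypi/example-image@1.4.0": [{"id": "CVE-0000-0002", "cvss": 7.5, "epss": 0.03, "fixed_in": "1.5.0"}],
}
# Constructed reachability hints (e.g. from call-graph analysis): is the vulnerable API invoked?
REACHABLE = {"CVE-0000-0001": True, "CVE-0000-0002": False}
# Constructed corporate licence policy: licences that require legal review before use.
LICENCE_DENYLIST = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
# Constructed business-criticality weights (1.0 = internet-facing core component).
CRITICALITY = {"example-json": 1.0, "example-image": 0.5, "example-net": 0.3}


@dataclass
class Finding:
    component: str
    version: str
    advisory_id: str
    cvss: float
    epss: float
    reachable: bool
    criticality: float
    fixed_in: str
    priority: float = 0.0


def load_components(sbom_json: str) -> list[dict]:
    """Inventory step: flatten CycloneDX components into name/version/purl/licences."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    out = []
    for c in bom.get("components", []):
        licences = [lic["license"]["id"] for lic in c.get("licenses", []) if "id" in lic.get("license", {})]
        out.append({"name": c["name"], "version": c["version"], "purl": c.get("purl", ""), "licenses": licences})
    return out


def priority_score(cvss: float, epss: float, reachable: bool, criticality: float) -> float:
    """Triage weighting (assumed): severity 40%, exploit likelihood 40%, reachability 20%,
    scaled by component criticality so a low-value component never outranks a core one."""
    base = 0.4 * (cvss / 10.0) + 0.4 * epss + (0.2 if reachable else 0.0)
    return base * criticality


def find_vulns(components: list[dict]) -> list[Finding]:
    """Vulnerability analysis: match each component purl against the advisory source."""
    findings = []
    for c in components:
        for adv in ADVISORIES.get(c["purl"], []):
            reachable = REACHABLE.get(adv["id"], True)  # unknown reachability is treated as reachable
            f = Finding(c["name"], c["version"], adv["id"], adv["cvss"], adv["epss"],
                        reachable, CRITICALITY.get(c["name"], 1.0), adv["fixed_in"])
            f.priority = priority_score(f.cvss, f.epss, f.reachable, f.criticality)
            findings.append(f)
    return findings


def triage(findings: list[Finding]) -> list[Finding]:
    """Order findings so the highest-priority remediation comes first."""
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def licence_violations(components: list[dict]) -> list[str]:
    """Licence compliance: components carrying a denylisted licence."""
    return [c["name"] for c in components if set(c["licenses"]) & LICENCE_DENYLIST]


def ci_gate(findings: list[Finding], violations: list[str],
            max_priority: float = 0.7, block_on_licence: bool = True) -> tuple[bool, list[str]]:
    """CI/CD threshold: fail the pipeline on any finding at or above max_priority
    and (optionally) on any licence policy violation. Returns (passed, reasons)."""
    reasons = [f"{f.advisory_id} in {f.component}@{f.version}: priority {f.priority:.2f} >= "
               f"{max_priority} (fix available: {f.fixed_in})"
               for f in findings if f.priority >= max_priority]
    if block_on_licence and violations:
        reasons.append("licence policy violation: " + ", ".join(violations))
    return (not reasons, reasons)


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    ranked = triage(find_vulns(comps))
    for f in ranked:
        print(f"{f.priority:.2f}  {f.advisory_id}  {f.component}@{f.version}  reachable={f.reachable}")
    ok, why = ci_gate(ranked, licence_violations(comps))
    print("gate:", "PASS" if ok else "FAIL", why)
```

With the constructed data the reachable, high-EPSS finding in the core component ranks first and trips the gate, while the unreachable, low-EPSS finding in a lower-criticality component scores well under the threshold; the GPL component is reported separately as a licence policy violation rather than mixed into the vulnerability ranking.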