Overview
Software Composition Analysis (SCA) automatically detects third-party dependencies in your codebase and checks them against known security vulnerabilities (CVEs). Modern applications are built heavily on open-source packages. Codepure SCA parses your project’s lockfiles to map your entire dependency tree, both direct and transitive, and flags vulnerable versions before they are deployed to production.
How the Engine Works
Codepure’s SCA is built for speed and precision, executing entirely through static lockfile analysis without requiring you to install local build tools or agents.
- Discovery: The engine scans your repository for known package manager lockfiles and configuration files.
- Graphing: It parses the files locally to build a complete dependency graph, extracting exact versions.
- Index Matching: Dependencies are instantly matched against an in-memory index of the GitHub Advisory Database (containing over 23,000 active advisories).
- Reporting: Codepure generates a JSON-formatted Software Bill of Materials (SBOM) and a prioritized vulnerability report with exact remediation paths.
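The four stages above, as an added example that is not Codepure's own code (the product's parser and advisory index are not published on this page): a Python script that walks a constructed npm package-lock.json, builds the direct/transitive graph, matches each resolved version against a small in-memory advisory index, and emits a JSON SBOM plus a severity-ordered findings list with an upgrade target and the dependency path that introduced the package. The package names, versions and advisories are made up, the advisory IDs are placeholders rather than real GHSA or CVE identifiers, and the range syntax (space-separated constraints such as `>=2.0.0 <2.0.3`) is an assumption chosen for the example.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample package-lock.json (lockfileVersion 3 layout). The package
# names and versions are made up for this example; they are not real projects.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.1.0", "logger": "~1.3.0"}},
        "node_modules/web-framework": {
            "version": "4.1.2",
            "dependencies": {"string-utils": "^2.0.0"},
        },
        "node_modules/string-utils": {"version": "2.0.1"},
        "node_modules/logger": {"version": "1.3.4"},
    },
})

# Constructed in-memory advisory index standing in for the GitHub Advisory
# Database. The IDs are placeholders, not real advisory identifiers.
ADVISORY_INDEX = [
    {"id": "EXAMPLE-ADV-001", "ecosystem": "npm", "package": "string-utils",
     "affected": ">=2.0.0 <2.0.3", "patched": "2.0.3", "severity": "High"},
    {"id": "EXAMPLE-ADV-002", "ecosystem": "npm", "package": "logger",
     "affected": "<1.2.0", "patched": "1.2.0", "severity": "Critical"},
]

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.1.2' into (4, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.split(r"[.-]", v) if p.isdigit())


def version_in_range(version: str, affected: str) -> bool:
    """Evaluate a space-separated conjunction of constraints such as '>=2.0.0 <2.0.3'."""
    v = parse_version(version)
    for constraint in affected.split():
        m = re.fullmatch(r"(>=|<=|>|<|=)?(\d[\w.-]*)", constraint)
        if not m:
            raise ValueError(f"unsupported constraint: {constraint}")
        if not _OPS[m.group(1) or "="](v, parse_version(m.group(2))):
            return False
    return True


def parse_package_lock(text: str) -> Dict[str, dict]:
    """Discovery + graphing: map each installed package to its resolved version and edges.
    Nested node_modules paths are collapsed to the package name here for brevity."""
    lock = json.loads(text)
    root_deps = lock["packages"].get("", {}).get("dependencies", {})
    graph: Dict[str, dict] = {}
    for path, meta in lock["packages"].items():
        if path == "":
            continue
        name = path.split("node_modules/")[-1]
        graph[name] = {"version": meta["version"],
                       "depends_on": sorted(meta.get("dependencies", {})),
                       "direct": name in root_deps}
    return graph


def dependency_paths(graph: Dict[str, dict]) -> Dict[str, List[str]]:
    """Breadth-first walk from the direct dependencies, recording how each package is reached."""
    paths: Dict[str, List[str]] = {}
    queue = [[n] for n, meta in sorted(graph.items()) if meta["direct"]]
    while queue:
        path = queue.pop(0)
        if path[-1] in paths:
            continue
        paths[path[-1]] = path
        queue.extend(path + [c] for c in graph[path[-1]]["depends_on"] if c in graph)
    return paths


def scan(lock_text: str, index: List[dict], ecosystem: str = "npm") -> dict:
    """Index matching + reporting: SBOM components plus a severity-ordered findings list."""
    graph = parse_package_lock(lock_text)
    paths = dependency_paths(graph)
    components, findings = [], []
    for name, meta in sorted(graph.items()):
        hits = [a for a in index if a["ecosystem"] == ecosystem and a["package"] == name
                and version_in_range(meta["version"], a["affected"])]
        components.append({"name": name, "version": meta["version"], "ecosystem": ecosystem,
                           "direct": meta["direct"], "depends_on": meta["depends_on"],
                           "advisories": [a["id"] for a in hits]})
        for a in hits:
            findings.append({"id": a["id"], "severity": a["severity"], "package": name,
                             "installed": meta["version"], "upgrade_to": a["patched"],
                             "introduced_via": " > ".join(paths.get(name, [name]))})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return {"sbom": {"components": components}, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOCK, ADVISORY_INDEX), indent=2))
```

Run as a script it prints the SBOM and one High finding for string-utils 2.0.1, reached through web-framework, with 2.0.3 as the upgrade target; logger 1.3.4 is outside its advisory's affected range and is not flagged. The matching works only because the lockfile pins exact versions: a manifest range such as `^2.0.0` could resolve to either a vulnerable or a patched release, which is the reason for preferring resolved lockfiles.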
Supported Languages & Lockfiles
Codepure natively parses the following package manager files. For the most accurate results, ensure your repository contains the resolved lockfiles (e.g., package-lock.json) rather than just the manifest (e.g., package.json).
| Language | Lockfiles Scanned |
|---|---|
| JavaScript / TypeScript | package-lock.json, yarn.lock, pnpm-lock.yaml, npm-shrinkwrap.json, bun.lock, deno.lock, libman.json |
| Java / Scala / Kotlin | gradle.lockfile, build.gradle, build.gradle.kts, pom.xml, ivy.xml, build.sbt, .jar, .war, .ear |
| .NET (C# / F#) | packages.lock.json, packages.config, app.csproj, app.deps.json, paket.lock |
| Python | requirements.txt, poetry.lock, Pipfile.lock, uv.lock, pdm.lock |
| Go | go.mod |
| PHP | composer.lock |
| Ruby | Gemfile.lock |
| Rust | Cargo.lock |
| Swift / Objective-C | Package.resolved, Podfile.lock |
| Dart / Flutter | pubspec.lock |
| Elixir | mix.lock |
| C / C++ | conan.lock |
| Clojure | deps.edn |
Software Bill of Materials (SBOM)
A Software Bill of Materials (SBOM) is an inventory of all the components that make up your software. Codepure automatically generates an SBOM for every successful scan.
Why SBOMs Matter
- Incident Response: When a zero-day (like Log4j) drops, an SBOM lets you instantly search your infrastructure to see if you are affected.
- Supply Chain Security: Tracks component provenance and transitive relationships.
- Compliance: Meets regulatory requirements like Executive Order 14028.
What Codepure Extracts
For every package detected, the SBOM records:
- Package Name and Version
- Ecosystem (e.g., npm, NuGet, Maven)
- Transitive relationships (what depends on what)
- Associated CVEs and Severity scores
Using Codepure SCA
1. Initiate a Scan
Navigate to your project dashboard and select the repository to scan:
2. Review Vulnerabilities
Once the scan completes, access the findings:
- Severity Ratings: Vulnerabilities are scored (Critical, High, Medium, Low) based on CVSS metrics.
- Remediation: Open a specific finding to see the exact version you need to upgrade to in order to clear the CVE.
3. Download Your SBOM

Best Practices
- Commit Your Lockfiles: Always commit files like package-lock.json or poetry.lock to source control. Scanning an exact lockfile guarantees we analyze the exact code running in production, preventing “it works on my machine” security misses.
- Scan PRs: Integrate Codepure into your CI/CD pipeline to block pull requests that introduce new Critical or High severity dependencies.
- Upgrade Incrementally: When updating heavily outdated packages, upgrade one major version at a time to prevent breaking changes in your application logic.
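The PR-gating and incremental-upgrade practices above, as an added example that is not part of Codepure's product or this page: a Python CI helper that compares the base branch's findings with the pull request's and fails only on newly introduced Critical or High findings, plus a planner that turns a large jump into one-major-at-a-time steps. The findings lists, advisory IDs, package names and published-version list are all constructed placeholders, and the report shape (id, package, installed, severity fields) is an assumption for the example.

```python
import sys
from typing import Dict, List, Tuple

BLOCKING_SEVERITIES = {"Critical", "High"}

# Constructed findings in the shape of an SCA report for the base branch and
# for the pull request. The advisory IDs and package names are placeholders.
BASE_FINDINGS: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-010", "package": "string-utils", "installed": "2.0.1", "severity": "High"},
    {"id": "EXAMPLE-ADV-011", "package": "yaml-parser", "installed": "3.2.0", "severity": "Low"},
]
PR_FINDINGS: List[Dict[str, str]] = BASE_FINDINGS + [
    {"id": "EXAMPLE-ADV-012", "package": "image-lib", "installed": "0.9.1", "severity": "Critical"},
]

# Constructed list of versions published for a hypothetical package, used to
# plan a one-major-at-a-time upgrade.
AVAILABLE_VERSIONS = ["2.0.1", "2.4.0", "3.0.0", "3.2.1", "4.0.0", "4.1.5", "5.0.0", "5.1.0"]


def finding_key(finding: Dict[str, str]) -> Tuple[str, str]:
    """A finding is 'the same' across scans when advisory and package match, whatever the version."""
    return finding["id"], finding["package"]


def new_blocking_findings(base: List[Dict[str, str]], pr: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Findings present in the PR scan but not in the base scan, limited to blocking severities.
    Diffing against the base keeps pre-existing debt from blocking unrelated pull requests."""
    known = {finding_key(f) for f in base}
    return [f for f in pr if finding_key(f) not in known and f["severity"] in BLOCKING_SEVERITIES]


def gate(base: List[Dict[str, str]], pr: List[Dict[str, str]]) -> Tuple[int, str]:
    """Exit status and message for the CI step: 1 blocks the merge, 0 lets it through."""
    new = new_blocking_findings(base, pr)
    if not new:
        return 0, "no new Critical or High severity dependencies introduced"
    details = "; ".join(f"{f['severity']}: {f['package']}@{f['installed']} ({f['id']})" for f in new)
    return 1, "blocking merge: " + details


def _as_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def upgrade_ladder(installed: str, target: str, available: List[str]) -> List[str]:
    """Plan an upgrade path that crosses one major version per step: the newest
    published release of every intermediate major, then the target itself."""
    cur_major, tgt_major = _as_tuple(installed)[0], _as_tuple(target)[0]
    published = sorted(_as_tuple(v) for v in available)
    steps: List[str] = []
    for major in range(cur_major + 1, tgt_major):
        releases = [v for v in published if v[0] == major]
        if releases:  # skip majors that were never published
            steps.append(".".join(map(str, releases[-1])))
    steps.append(target)
    return steps


if __name__ == "__main__":
    code, message = gate(BASE_FINDINGS, PR_FINDINGS)
    print(message)
    plan = upgrade_ladder("2.0.1", "5.1.0", AVAILABLE_VERSIONS)
    print("upgrade plan for string-utils 2.0.1 -> 5.1.0:", " -> ".join(plan))
    sys.exit(code)
```

Run as a script it exits non-zero because the PR adds a Critical finding for image-lib, while the High finding already present on the base branch does not block by itself; the planner proposes 3.2.1, then 4.1.5, then 5.1.0 rather than a single jump across three majors.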