About SCA upload scans
Veracode Software Composition Analysis (SCA) helps you build an inventory of your third-party components, including open-source libraries and commercial code, to identify vulnerabilities. The Veracode Platform analyzes both your first-party source code, using Static Analysis, and your third-party libraries, using SCA, in a single Upload and Scan operation. This gives your teams visibility across the entire application portfolio. You can access SCA results after your static prescan is complete.
To scan your code early and frequently in your Software Development Lifecycle (SDLC), we recommend you use Veracode SCA agent-based scanning. Agent-based scans provide additional features, such as dependency mapping, vulnerable methods, and automated pull requests.
Requirements
To view SCA results, you must have the Executive, Security Lead, or Administrator role.
Access SCA upload scans
To use Veracode SCA upload scans in the Veracode Platform, select Scans & Analysis > Software Composition Analysis from the top menu. You can also navigate to SCA from the left navigation menu to view SCA in the context of an application.
Review SCA scan results
Depending on your role, you can:
- View a list of vulnerabilities across the applications in your portfolio to see which applications are passing or failing your security policy.
- View which of your components are passing or failing the security requirements specified in the SCA policy rules, and then follow the provided remediation guidance to resolve vulnerabilities and reduce your application security risk.
Detailed composition information is available in the following reports:
To view findings in CSV format, select Data Exports and export your Veracode SCA results. This report contains details about all components across all of your applications in your portfolio.
In the report, you might see duplicate vulnerabilities if the same component is found in multiple locations within an application.
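Because the same component can be reported once per location, a portfolio count taken straight from the CSV overstates the number of distinct vulnerabilities. The following Python script is an added example, not Veracode's own code or export format: it collapses rows that describe the same application, component, version and vulnerability into one finding, keeps every location where the component was found, and keeps the worst severity if duplicate rows disagree. The column names (`application`, `component`, `version`, `vulnerability`, `severity`, `location`), the severity labels used for ranking, and the sample rows are assumptions constructed for the example; read the header of your real export and adjust the constants before using it.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are an assumption for this example,
# not the documented Veracode CSV layout; the CVEs are well-known public ones.
SAMPLE_CSV = """application,component,version,vulnerability,severity,location
Payments API,jackson-databind,2.9.8,CVE-2019-12384,High,services/ledger/pom.xml
Payments API,jackson-databind,2.9.8,CVE-2019-12384,High,services/billing/pom.xml
Payments API,log4j-core,2.14.1,CVE-2021-44228,Very High,services/ledger/pom.xml
Web Portal,jackson-databind,2.9.8,CVE-2019-12384,High,portal/pom.xml
"""

# Assumed severity ordering, worst first. Adjust to the labels in your export.
SEVERITY_RANK = {
    "Very High": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1, "Informational": 0,
}


def worse_severity(a, b):
    """Return whichever of two severity labels ranks higher (unknown labels rank lowest)."""
    return a if SEVERITY_RANK.get(a, -1) >= SEVERITY_RANK.get(b, -1) else b


def dedupe_findings(csv_text):
    """Collapse duplicate rows into one finding per
    (application, component, version, vulnerability).

    Each finding records the distinct locations the component was found in and
    how many raw rows were merged, so nothing from the export is silently lost.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    merged = {}
    for row in reader:
        key = (row["application"], row["component"], row["version"], row["vulnerability"])
        entry = merged.setdefault(key, {
            "application": row["application"],
            "component": row["component"],
            "version": row["version"],
            "vulnerability": row["vulnerability"],
            "severity": row["severity"],
            "locations": [],
            "raw_rows": 0,
        })
        entry["raw_rows"] += 1
        entry["severity"] = worse_severity(entry["severity"], row["severity"])
        if row["location"] not in entry["locations"]:
            entry["locations"].append(row["location"])
    return list(merged.values())


def count_by_application(findings):
    """Number of distinct findings per application after deduplication."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["application"]] += 1
    return dict(counts)


if __name__ == "__main__":
    findings = dedupe_findings(SAMPLE_CSV)
    for f in findings:
        print(f"{f['application']}: {f['component']} {f['version']} {f['vulnerability']} "
              f"[{f['severity']}] in {len(f['locations'])} location(s), "
              f"merged from {f['raw_rows']} row(s)")
    print(count_by_application(findings))
```

To run it against a real export, replace `SAMPLE_CSV` with the file contents (for example `open(path, newline="").read()`) and map the header names to the keys the script uses; the merge key deliberately includes the version, because the same library at two versions is two separate remediation tasks, not a duplicate.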
The Customizable Report contains Veracode SCA findings for individual applications in PDF format.