Dependency and Supply Chain Security (SCA)
Protect your pipeline from vulnerable third-party packages using Software Composition Analysis, Dependabot, dependency review, and pinned actions.
The Supply Chain Risk
Modern applications are built mostly from third-party dependencies. A single vulnerable package deep in your dependency tree can compromise the whole app.
This is the software supply chain risk, and securing it is a core part of DevSecOps.
What is SCA?
Software Composition Analysis (SCA) scans your project's dependencies and compares them against databases of known vulnerabilities (CVEs).
Unlike SAST, which inspects your code, SCA focuses on the libraries you import.
- Detects known-vulnerable versions
- Flags risky or incompatible licenses
- Suggests safe upgrade versions
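To make the matching step concrete, here is a small Python check written for this lesson (it is not code from the course or from any real SCA tool): it parses a pinned lockfile, compares each version against a constructed advisory database with affected ranges, flags denied licenses, reports the fixed version to upgrade to, and gates the build on severity. The lockfile, advisory IDs, versions and license data are all constructed placeholders, not real CVE records.

```python
import re
# Constructed sample lockfile in requirements.txt pin syntax (not a real project).
LOCKFILE = """\
requests==2.25.1
pyyaml==5.3.1
jinja2==3.1.4
example-gpl-lib==1.0.0
"""
# Constructed advisory database: package -> [(advisory id, first affected, fixed, severity)].
# Affected range is [first affected, fixed). IDs and versions are placeholders, not real CVE data.
ADVISORIES = {
    "requests": [("ADV-EXAMPLE-0001", "2.3.0", "2.31.0", "medium")],
    "pyyaml": [("ADV-EXAMPLE-0002", "0", "5.4", "critical")],
}
# Constructed license metadata; a real scanner reads this from package manifests.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT",
            "jinja2": "BSD-3-Clause", "example-gpl-lib": "GPL-3.0"}
DENIED_LICENSES = {"GPL-3.0", "AGPL-3.0"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple, e.g. '2.25.1' -> (2, 25, 1)."""
    return tuple(int(part) for part in text.split("."))

def parse_lockfile(text):
    """Extract exact pins (name==version); unpinned or malformed lines are ignored."""
    deps = {}
    for line in text.splitlines():
        match = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*$", line)
        if match:
            deps[match.group(1).lower()] = match.group(2)
    return deps

def scan(lockfile_text, advisories, licenses, denied_licenses):
    """Report pins that fall inside an advisory range, plus packages under a denied license."""
    findings = []
    for name, version in parse_lockfile(lockfile_text).items():
        current = parse_version(version)
        for adv_id, introduced, fixed, severity in advisories.get(name, []):
            if parse_version(introduced) <= current < parse_version(fixed):
                findings.append({"package": name, "version": version, "advisory": adv_id, "severity": severity, "upgrade_to": fixed})
        license_id = licenses.get(name)
        if license_id in denied_licenses:
            findings.append({"package": name, "version": version, "advisory": None, "severity": "license", "upgrade_to": None, "license": license_id})
    return findings

def should_fail(findings, min_severity="high"):
    """Gate the pipeline: fail on any denied license or any advisory at or above min_severity."""
    return any(f["severity"] == "license" or SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[min_severity] for f in findings)
```

Running `scan(LOCKFILE, ADVISORIES, LICENSES, DENIED_LICENSES)` yields three findings (two vulnerable pins with their upgrade targets and one license violation), and `should_fail(findings, "high")` returns True because of the critical advisory.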