Skip to main content

Overview

CodeAnt AI’s Software Composition Analysis (SCA) feature analyzes third-party packages and dependencies for vulnerabilities, ensuring your applications are protected from supply chain risks. By scanning your package manifests and lock files, we identify security issues in open-source components and provide actionable insights to keep your dependencies secure.

Key Features

  • Vulnerability Database Integration: Continuously updated vulnerability detection using CVE databases and security advisories.
  • Severity Filtering: Filter vulnerabilities by severity (Critical, High, Medium, Low) to prioritize remediation efforts.
  • Package Health Analysis: Assess the overall health and maintenance status of your dependencies.
  • Multi-Ecosystem Support: Analyze packages across npm, PyPI, Maven, RubyGems, NuGet, Go modules, and more.
  • License Compliance: Identify license risks and ensure compliance with your organization’s policies.
  • Dependency Tree Visualization: Understand the full dependency chain and identify transitive vulnerabilities.
  • Update Recommendations: Get specific version recommendations for secure package updates.
  • Autofixing: Automatically update vulnerable packages to secure versions (Coming soon).

How It Works

  1. Select Repository: Choose the repository containing the package manifests you want to analyze.
  2. Scan Dependencies: The system automatically detects and scans package.json, requirements.txt, pom.xml, Gemfile, and other dependency files.
  3. Vulnerability Detection: Third-party packages are analyzed against known vulnerability databases and security advisories.
  4. Filter Results: Use filtering options to focus on critical vulnerabilities or specific package ecosystems.
  5. Review Impact: Examine detailed vulnerability information including CVE details, CVSS scores, and exploitation likelihood.
  6. Remediation Guidance: Receive specific recommendations for updating or replacing vulnerable packages.
  7. Autofix (Coming Soon): Automatically update vulnerable dependencies to secure versions with compatibility checks.

Supported Package Managers

  • JavaScript/TypeScript: npm, yarn, pnpm
  • Python: pip, pipenv, poetry
  • Java: Maven, Gradle
  • Ruby: Bundler
  • .NET: NuGet
  • Go: Go modules
  • PHP: Composer
  • Rust: Cargo

Private Repository Scanning

CodeAnt AI now supports scanning private repositories as part of SCA (Software Composition Analysis). This enhancement allows vulnerability detection and risk assessment to include private dependency libraries, providing a more complete and accurate security posture.

How to Configure Private Repositories

When configuring SCA for your repository, you can include private repositories that contain dependencies used by your application.

Steps to Add Private Repositories

  1. Navigate to SCA Configuration: Go to the SCA settings for your repository.
  2. Add Private Repositories: Click the “Add” button to include private repositories in your SCA scan.
  3. Specify Repository Details:
    • Repository: Enter the repository path (e.g., org/private-library-1)
    • Branch: Specify the branch to scan (e.g., main, develop), or leave empty to use the default branch
  4. Save Configuration: Once you’ve added all required private repositories, save your configuration.

Benefits of Private Repository Scanning

When private repositories are configured, SCA results will aggregate vulnerabilities and metrics across all scanned repositories, including:
  • The primary (triggering) repository
  • All configured private repositories
This provides a comprehensive view of:
  • Total vulnerabilities across all dependencies (public and private)
  • Healthy packages from both public and private sources
  • Overall risk assessment including private dependencies
  • Complete dependency chain visibility

Example Use Case

Scenario: Your e-commerce application (myorg/ecommerce-app) depends on two internal private libraries:
  • myorg/payment-sdk - Custom payment processing library
  • myorg/auth-library - Internal authentication library
Configuration:
  1. In SCA settings for myorg/ecommerce-app, click “Add” to include private repositories
  2. Add the following:
    • Repository: myorg/payment-sdk, Branch: main
    • Repository: myorg/auth-library, Branch: develop
Results: Without private repository scanning, you would only see vulnerabilities from public packages like express, lodash, etc. in your main application. With private repository scanning enabled:
  • 18 vulnerabilities detected (instead of just 5 from public packages)
  • 150 total packages scanned (including dependencies from your private libraries)
  • Complete dependency chain showing vulnerabilities in both payment-sdk and auth-library
This ensures vulnerabilities in your internal dependencies don’t go undetected, providing complete visibility into your application’s security posture.