Overview

CodeAnt AI’s Software Composition Analysis (SCA) feature analyzes third-party packages and dependencies for vulnerabilities, ensuring your applications are protected from supply chain risks. By scanning your package manifests and lock files, we identify security issues in open-source components and provide actionable insights to keep your dependencies secure.

Key Features

  • Vulnerability Database Integration: Continuously updated vulnerability detection using CVE databases and security advisories.
  • Severity Filtering: Filter vulnerabilities by severity (Critical, High, Medium, Low) to prioritize remediation efforts.
  • Package Health Analysis: Assess the overall health and maintenance status of your dependencies.
  • Multi-Ecosystem Support: Analyze packages across npm, PyPI, Maven, RubyGems, NuGet, Go modules, and more.
  • License Compliance: Identify license risks and ensure compliance with your organization’s policies.
  • Dependency Tree Visualization: Understand the full dependency chain and identify transitive vulnerabilities.
  • Update Recommendations: Get specific version recommendations for secure package updates.
  • Autofixing: Automatically update vulnerable packages to secure versions (Coming soon).

How It Works

  1. Select Repository: Choose the repository containing the package manifests you want to analyze.
  2. Scan Dependencies: The system automatically detects and scans package.json, requirements.txt, pom.xml, Gemfile, and other dependency files.
  3. Vulnerability Detection: Third-party packages are analyzed against known vulnerability databases and security advisories.
  4. Filter Results: Use filtering options to focus on critical vulnerabilities or specific package ecosystems.
  5. Review Impact: Examine detailed vulnerability information including CVE details, CVSS scores, and exploitation likelihood.
  6. Remediation Guidance: Receive specific recommendations for updating or replacing vulnerable packages.
  7. Autofix (Coming Soon): Automatically update vulnerable dependencies to secure versions with compatibility checks.
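The seven steps above describe one pass of an SCA scanner: find the manifests, extract each declared dependency and its version, match the pair against an advisory feed with version ranges, then filter by severity. The following Python script is an added example that walks through steps 2 to 4 end to end; it is not CodeAnt AI's code and does not use its API. The advisory feed, the advisory IDs (EXAMPLE-ADV-*), the package names and the two manifests are all constructed for the example. It also shows two cases the list glosses over: a dependency pinned exactly at the fixed version is not flagged, and an unpinned dependency cannot be judged from the manifest alone and is reported as such (a real scan would resolve it from the lock file).

```python
import json
import re

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Constructed advisory feed: IDs, packages and ranges are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "PyPI", "package": "examplelib",
     "affected": ">=1.0.0,<1.4.2", "fixed": "1.4.2", "severity": "Critical"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "PyPI", "package": "yamlish",
     "affected": "<5.1", "fixed": "5.1", "severity": "Medium"},
    {"id": "EXAMPLE-ADV-0003", "ecosystem": "PyPI", "package": "http-shim",
     "affected": "<2.4.0", "fixed": "2.4.0", "severity": "Medium"},
    {"id": "EXAMPLE-ADV-0004", "ecosystem": "npm", "package": "widget-utils",
     "affected": "<2.3.0", "fixed": "2.3.0", "severity": "High"},
    {"id": "EXAMPLE-ADV-0005", "ecosystem": "npm", "package": "widget-utils",
     "affected": ">=3.0.0,<3.0.5", "fixed": "3.0.5", "severity": "Low"},
]

# Constructed manifests standing in for files detected in a repository checkout.
MANIFESTS = {
    "requirements.txt": "examplelib==1.3.0\nyamlish==5.1  # already on the fixed version\nhttp-shim>=2.0\n",
    "package.json": json.dumps({"dependencies": {"widget-utils": "^2.1.0", "left-pad": "1.3.0"}}),
}


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). Only the numeric prefix of each component is kept,
    so pre-release tags such as '2.0rc1' compare as (2, 0)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _cmp(a, b):
    """Three-way compare of version tuples, zero-padded so that 5.1 == 5.1.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_affected(version, spec):
    """True if version satisfies every comma-separated constraint in spec (e.g. '>=1.0.0,<1.4.2')."""
    v = parse_version(version)
    for clause in spec.split(","):
        op, bound = re.match(r"(<=|>=|<|>|==)(.+)", clause.strip()).groups()
        c = _cmp(v, parse_version(bound))
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]:
            return False
    return True


def parse_requirements(text):
    """{name: version} for exact '==' pins; any other specifier yields None (unpinned)."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pinned = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([\w.]+)$", line)
        if pinned:
            deps[pinned.group(1).lower()] = pinned.group(2)
        else:
            deps[re.match(r"[A-Za-z0-9_.\-]+", line).group().lower()] = None
    return deps


def parse_package_json(text):
    """{name: version}. '^'/'~' ranges are reduced to their declared minimum; a real
    scan should take the resolved version from the lock file instead (assumption)."""
    deps = {}
    for name, spec in json.loads(text).get("dependencies", {}).items():
        deps[name] = spec.lstrip("^~") if re.match(r"[\^~]?\d", spec) else None
    return deps


PARSERS = {"requirements.txt": ("PyPI", parse_requirements), "package.json": ("npm", parse_package_json)}


def scan(manifests):
    """Steps 2-3: detect known manifests, extract dependencies, match them against ADVISORIES."""
    findings = []
    for filename, content in manifests.items():
        if filename not in PARSERS:
            continue
        ecosystem, parser = PARSERS[filename]
        for name, version in parser(content).items():
            for adv in ADVISORIES:
                if adv["ecosystem"] != ecosystem or adv["package"] != name:
                    continue
                if version is None:
                    status = "unpinned"  # cannot decide from the manifest alone
                elif version_affected(version, adv["affected"]):
                    status = "vulnerable"
                else:
                    continue  # pinned at or beyond the fixed version
                findings.append({"file": filename, "package": name, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "status": status, "fix": adv["fixed"]})
    return findings


def filter_by_severity(findings, minimum):
    """Step 4: keep findings at or above the given severity label."""
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[minimum]]


if __name__ == "__main__":
    for f in filter_by_severity(scan(MANIFESTS), "High"):
        print(f"{f['file']}: {f['package']}@{f['version']} {f['status']} "
              f"({f['advisory']}, {f['severity']}) -> upgrade to {f['fix']}")
```

Running it with the "High" floor reports `examplelib` (Critical) and `widget-utils` (High) and omits the Medium finding for the unpinned `http-shim`; lowering the floor to "Low" surfaces that one as well. `yamlish==5.1` produces no finding because the advisory's affected range is `<5.1`, which is exactly the boundary check a scanner must get right to avoid flagging already-patched dependencies.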

Supported Package Managers

  • JavaScript/TypeScript: npm, yarn, pnpm
  • Python: pip, pipenv, poetry
  • Java: Maven, Gradle
  • Ruby: Bundler
  • .NET: NuGet
  • Go: Go modules
  • PHP: Composer
  • Rust: Cargo