Starting an SCA Scan

To initiate a new scan in the UI:

  1. On the Home page, navigate to the Software Composition Analysis tab.
  2. In the SBOM File section, upload the project as an SBOM file in CycloneDX format. Uploading an archive that contains the SBOM file, or a link to the SBOM file in a repository, results in a scan error. DerScanner can automatically generate an SBOM file from the source code for projects written in JavaScript/TypeScript, PHP, Python, Ruby, C#/VB.NET, C/C++/Objective-C, Go, Java/Kotlin/Scala, Rust, Swift, and Erlang.
  3. In the settings, select the necessary types of analysis:
    • SCA — for vulnerability scanning
    • Supply chain analysis — to assess the health rating of the used libraries based on 8 security metrics, and to track the risk of attacks such as MavenGate, Starjacking, or Typosquatting
    • License risk analysis — to verify compliance with licensing policies.
  4. If needed, configure the analysis further (see the Settings section for details).
  5. Click Start Scan.

For SBOM file generation to succeed, the archive or repository (Git, Subversion) must contain both the source code and the corresponding manifests. There are two options for building an SBOM file from the source code:

Depending on the project, DerScanner may visit one or more websites from the list.

  • Offline — if DerScanner does not have access to the Internet. In this case, the generator builds an SBOM file only from data already available in its local database.