Black Duck® SCA offers multiple open source scanning technologies, combining build process monitoring, file system scanning, and source code analysis to track all open source in use, including components most SCA tools miss.

Dependency Analysis

Integrates with build tools like Maven and Gradle to track both declared and transitive open source dependencies in applications built in languages like Java and C#.

Codeprint Analysis

Maps string, file, and directory information to the Black Duck® KnowledgeBase™ to identify open source and third-party components in applications built using languages like C & C++.

Binary Analysis

Identifies open source within compiled application libraries and executables. No source code or build system access required.

Snippet Analysis

Finds fragments of open source code that have been copied into proprietary code by developers or generative AI coding tools, which can potentially expose you to license violations and conflicts.

Container Scanning

Uses a combination of binary and Codeprint analysis to identify open source dependencies in container images, layer by layer.

Why package declarations aren’t enough

Most other solutions rely solely on package manager declarations to identify open source components. But these solutions miss a lot of open source that may be in your code, including:

  • Open source that developers add to your code but don’t declare in package manifests
  • Open source in languages like C and C++ that don’t use standard package managers
  • Open source built into containers
  • Open source within compiled binaries and build artifacts
  • Open source introduced by AI coding assistants
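To make the gap concrete, here is a small added illustration (not Black Duck code, and no substitute for its KnowledgeBase matching) that contrasts what a package manifest declares with what actually sits in a source tree. It uses a constructed manifest and a constructed file listing, and a simple heuristic: any directory under a vendor-style root that carries a LICENSE, COPYING, NOTICE or README file is treated as a vendored component and reported if the manifest does not mention it.

```python
import re
from pathlib import PurePosixPath

# Constructed sample manifest (requirements.txt style): what the package manager knows about.
DECLARED_MANIFEST = """requests==2.31.0
urllib3>=1.26
"""

# Constructed sample listing of a repository checkout (paths only, no real files are read).
SAMPLE_TREE = [
    "src/app/main.py",
    "requirements.txt",
    "vendor/chardet/LICENSE",          # copied in by a developer, never declared
    "vendor/chardet/__init__.py",
    "third_party/zlib/zlib.h",         # C library: no package manager involved at all
    "third_party/zlib/README",
    "lib/urllib3/LICENSE.txt",         # vendored but also declared, so not a finding
    "src/app/utils/minified.js",
]

# Heuristic vocabulary for this illustration; a real scanner maps file and directory
# evidence against a component knowledge base instead of relying on folder names.
VENDOR_DIRS = {"vendor", "third_party", "lib", "external", "deps"}
EVIDENCE_FILES = re.compile(r"^(LICENSE|LICENCE|COPYING|NOTICE|README)(\.[a-z]+)?$", re.IGNORECASE)


def parse_manifest(text):
    """Return the lower-cased package names declared in a requirements-style manifest."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Cut at the first version specifier, extra marker, or environment marker.
        names.add(re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0].lower())
    return names


def find_vendored_components(paths):
    """Map each vendored component name to the first file that evidences it."""
    found = {}
    for p in paths:
        parts = PurePosixPath(p).parts
        if len(parts) >= 3 and parts[0].lower() in VENDOR_DIRS and EVIDENCE_FILES.match(parts[-1]):
            found.setdefault(parts[1].lower(), p)
    return found


def undeclared_components(manifest_text, paths):
    """Vendored components the manifest never declares: the blind spot of manifest-only SCA."""
    declared = parse_manifest(manifest_text)
    return {name: p for name, p in find_vendored_components(paths).items() if name not in declared}
```

Running `undeclared_components(DECLARED_MANIFEST, SAMPLE_TREE)` reports chardet and zlib, while the declared urllib3 copy is not flagged.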

Simple integration into your CI/CD pipeline

Our SCA integrations make it easy to incorporate open source scanning into your existing development tools and processes. This makes it possible to automatically identify which languages and package managers you’re using, configure the appropriate integrations for discovery, and find the most effective way to analyze your code.

Black Duck SCA technology

  • Comprehensive KnowledgeBase
  • Enhanced vulnerability data
  • End-to-end DevOps integrations