惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
S
Secure Thoughts
Attack and Defense Labs
Attack and Defense Labs
人人都是产品经理
人人都是产品经理
Stack Overflow Blog
Stack Overflow Blog
W
WeLiveSecurity
O
OpenAI News
SecWiki News
SecWiki News
博客园 - Franky
NISL@THU
NISL@THU
Microsoft Azure Blog
Microsoft Azure Blog
T
Tor Project blog
Microsoft Security Blog
Microsoft Security Blog
aimingoo的专栏
aimingoo的专栏
Security Latest
Security Latest
H
Hacker News: Front Page
Google Online Security Blog
Google Online Security Blog
P
Privacy & Cybersecurity Law Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
D
Darknet – Hacking Tools, Hacker News & Cyber Security
月光博客
月光博客
李成银的技术随笔
Spread Privacy
Spread Privacy
F
Full Disclosure
F
Fortinet All Blogs
T
The Exploit Database - CXSecurity.com
Vercel News
Vercel News
AWS News Blog
AWS News Blog
WordPress大学
WordPress大学
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
V
Visual Studio Blog
J
Java Code Geeks
博客园 - 三生石上(FineUI控件)
G
Google Developers Blog
云风的 BLOG
云风的 BLOG
博客园 - 司徒正美
Engineering at Meta
Engineering at Meta
Last Week in AI
Last Week in AI
P
Palo Alto Networks Blog
宝玉的分享
宝玉的分享
T
True Tiger Recordings
N
News and Events Feed by Topic
酷 壳 – CoolShell
酷 壳 – CoolShell
Cisco Talos Blog
Cisco Talos Blog
N
News | PayPal Newsroom
S
SegmentFault 最新的问题
Jina AI
Jina AI

Aikido Security's Blog

Google API keys keep working after you delete them The Wild West of VS Code extensions and how a poisoned extension breached GitHub GitHub breached via a malicious VS Code extension: why developer devices are the real target Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again! Cloud Security Architecture: Principles, Frameworks, and Best Practices Cloud Security for DevOps: Securing CI/CD and IaC Compliance in the Cloud: Frameworks You Can’t Ignore Using Generative AI for Pentesting: What It Can (and Can’t) Do Top Cloud Security Tools for Modern Teams Top 8 Checkmarx Alternatives for SAST and Application Security Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages The Top 6 Best AI Tools for Coding in 2025 Top XBOW Alternatives In 2026 Top SonarQube Alternatives in 2025 Top 7 CodeRabbit Alternatives for AI Code Review in 2026 Best Orca Security Alternatives for Cloud & CNAPP Security 2026 Top 6 Wiz.io Alternatives for Cloud & Application Security in 2026 Top DevSecOps Tools to Replace GitLab Ultimate’s Security Features Top 5 GitHub Advanced Security Alternatives for DevSecOps Teams in 2026 Best 6 Veracode Alternatives for Application Security (Dev-First Tools to Consider) Top 10 Software Composition Analysis (SCA) tools in 2026 Top 10 AI-powered SAST tools in 2026 Top 12 Dynamic Application Security Testing (DAST) Tools in 2026 Penetration testing vs. red teaming: what’s the difference? Pentest GPT: How LLMs Are Reshaping Penetration Testing One year of Opengrep: What we built and what’s next Shadow AI is a fear response, and banning it makes it worse Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack Security Checklist for GitHub Actions Coinbase's layoffs signal a dangerous move into a vibe-coding security mess Top OWASP scanners in 2026 for web application security Rolling out developer security in a 5,000+ engineer organization Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks Why browser extensions are a major security risk and what you can do about it Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud Aikido integrates with AWS Kiro: Catching in review doesn't scale anymore Top CVE scanners in 2026 to identify known vulnerabilities A practical CTO security checklist to be Mythos-ready Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files It's time to treat browser extensions like supply chain attack vectors Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays Introducing Endpoint Protection: Security for Developer Devices Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow Reliable CVE sources in the age of NIST NVD cutbacks Axios CVE-2026-40175: a critical bug that’s… not exploitable Bug bounty isn’t dead, but the old model is breaking GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works What Is Continuous Pentesting? npx Confusion: Packages That Forgot to Claim Their Own Name Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security
Supply Chain Security: The Ultimate Guide to Software Composition Analysis (SCA) Tools
2026-05-19 · via Aikido Security's Blog

Software Composition Analysis (SCA) is the frontline tool for securing open-source dependencies across your codebase, containers, and cloud. This guide explains what SCA does, why it matters, how modern tools reduce noise, and practical steps to find and fix real risks — not just noisy alerts.

TL;DR

  • About 70–90% of application code often comes from open-source dependencies. That creates a large attack surface.
  • SCA tools scan your dependencies (including transitive ones), match them to CVE databases, and generate remediation guidance or SBOMs.
  • False positives are common — modern SCA uses reachability analysis and dev-vs-prod detection to cut noise by ~80%.
  • Fix strategy: auto-upgrade non-breaking changes, triage breaking upgrades, and use autofix/PR generation to speed remediation.

SCA, also called dependency scanning or open-source dependency scanning, identifies every open-source package your app uses, then checks whether those packages (and specific versions) are linked to known vulnerabilities. The output helps teams decide what to patch, update, or ignore.

Why SCA matters

Modern applications are layered: apps depend on libraries, which depend on other libraries — a Russian-doll of dependencies. A vulnerability in a foundational project can ripple across the entire supply chain. The Log4j incident is a prime example: a critical remote-code-execution flaw in a widely used logging library made vast parts of the internet exploitable.

Log4j logo with the text 'LOG4J' and the Java cup icon centered on a purple grid background.

Log4j — a reminder of widespread supply-chain risk.

How SCA works — the basics

  1. Inventory: SCA parses dependency manifests (package.json, package-lock.json, requirements.txt, Pipfile.lock, Gemfile.lock, etc.) to list direct and transitive dependencies.
  2. Matching: It compares package names and versions against vulnerability feeds (NVD, MITRE CVE, GitHub Advisory Database and other sources).
  3. Prioritization: Modern SCA adds context — reachability, environment (dev vs production), and exploitability — to prioritize findings.

Common dependency files

  • Node: package.json (direct deps) and package-lock.json (transitive deps)
  • Python: requirements.txt, pipfile.lock
  • Ruby: Gemfile and Gemfile.lock

SBOMs — the useful side quest

A Software Bill of Materials (SBOM) is a machine-readable inventory of the components and versions used in your software.

SBOMs are required by many compliance regimes and government contracts. Most SCA tools can generate SBOMs (SPDX, CycloneDX) alongside vulnerability reports.

CVEs and vulnerability feeds

When security researchers discover an issue they assign a CVE identifier and publish details including affected versions. SCA tools aggregate CVE data from sources like NVD, MITRE, and GitHub Advisories to determine whether your dependency versions match any known vulnerable ranges.

Quick scan example — scanning dependencies

Lightweight scanners (e.g., a Trivy-style CLI) can enumerate dependencies and report matches to vulnerability databases in seconds. Scan output can be exported as JSON and fed into dashboards or automated workflows.

Terminal window showing the command prompt with 'trivy fs' typed and a small presenter thumbnail overlay.

Running a quick Trivy filesystem scan in the terminal to enumerate dependencies.

Interpreting results: fixes, breaking changes, and scale

At first glance remediation looks simple — upgrade to a non-vulnerable version. In practice, upgrades can introduce breaking changes that cause regressions or require extensive testing. When an application has hundreds of vulnerable transitive packages, blind upgrading is often unrealistic.

Close-up of a 'Breaking Changes' modal showing a 'Found breaking changes' warning and a table of versions and descriptions in an SCA tool; presenter inset at bottom-right.

Breaking changes summary for a dependency — use this to triage breaking upgrades.

Two remediation buckets

  • Non-breaking upgrades: straightforward upgrades that don’t change behavior — prioritize and autofix these first.
  • Breaking upgrades: require deeper triage, compatibility testing, or code changes. These are the smaller but heavier lift items.

False positives and reachability analysis

Many flagged vulnerabilities are not exploitable in your context. Two common reasons:

  • Dev-only dependencies: packages used only at build time are not reachable in production.
  • Unreachable functions: A vulnerable function may exist in a package, but your app (and other dependencies) never call it.

Reachability analysis (call-tree analysis) maps how a top-level dependency pulls in downstream packages and whether the vulnerable code paths are actually invoked by your runtime. This removes noise and focuses teams on real risk.

SCA dashboard showing y18n issue overview with 'Does this affect me?' reachability result and autofix suggestion plus presenter thumbnail

Reachability analysis shows the vulnerability cannot affect our environment.

Practical example: a prototype pollution alert that isn't exploitable

Consider a widely used Node package that has a prototype-pollution vulnerability in a function called setLocale. If none of the code paths in your call tree invoke setLocale, the vulnerability is effectively not exploitable for your application — and can be safely deprioritized after verification.

Modern SCA features that change the game

  • Auto-ignore with reasons: Tools can auto-suppress findings when a dependency is only used in dev or when the affected function is not reachable, drastically cutting false positives.
  • Reachability / call tree visualization: Visualize the dependency path from your project to the vulnerable package to verify exploitability.
  • Breaking-change flags: Mark fixes that may introduce compatibility issues so teams can prioritize safe upgrades first.
  • Autofix / PR generation: Automatically generate dependency upgrade commits or pull requests for fixes that are low-risk.

Table titled 'Reasons for ignoring' showing entries such as 'Linux distro is not affected', 'Dependency not used in production', counts of issues, and a short description, with a presenter thumbnail.

Top reasons the SCA tool auto-ignores findings, used for triage and noise reduction.

Recommended remediation workflow

  1. Run SCA scans as part of CI to catch issues early.
  2. Auto-apply non-breaking fixes via autofix/PR generation and run tests.
  3. Triage breaking changes: create tickets, schedule compatibility testing, or plan phased upgrades.
  4. Use reachability analysis for triage: ignore verified non-reachable CVEs and document the justification.
  5. Maintain SBOMs for compliance and faster incident response.

Tooling choices — a pragmatic take

Open-source CLI scanners (Trivy, Grype) are excellent for quick checks and CI integration. Enterprise platforms add reachability analysis, automated prioritization, PR-based autofixes, and centralized dashboards to manage noise and scale remediation across teams. Choose based on the size of your codebase, compliance needs, and how much automation you want in remediation.

Key takeaways

  • SCA is essential because most modern apps rely heavily on open-source components.
  • Not every flagged CVE is exploitable — reachability analysis and dev/prod context are crucial to separate real risk from noise.
  • Prioritize non-breaking upgrades and automate them where possible. Reserve manual effort for breaking updates that require deeper engineering work.
  • Generate and maintain SBOMs for transparency and compliance.

Get started

Make SCA part of your CI/CD pipeline today: run regular scans, generate SBOMs, and enable autofix for safe, fast remediation. Start by scanning your repo with a lightweight CLI scanner, review reachability results for the highest-severity alerts, then incorporate automated fixes into pull-request workflows.

Protecting your software supply chain is both a technical and a process challenge. The right SCA tooling + a practical remediation workflow reduces risk and keeps engineering moving fast. Try out Aikido Security today!

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。