SCA: Software Composition Analysis

Modern DevSecOps (The Hard Way)

The Vulnerable Dependencies Problem

Modern apps are roughly 80% third-party libraries, so if a vulnerable npm or pip package sits in your dependency tree, your app inherits that vulnerability.

Tool: Trivy

Trivy scans project dependencies for known CVEs (Common Vulnerabilities and Exposures).

Command:

trivy fs .

Scans the current filesystem (the project directory) and lists the high/critical vulnerabilities found in your package-lock.json or requirements.txt.
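In a pipeline you usually keep the machine-readable report and fail the build on the severities you care about. The script below is an added example, not part of the course material or of Trivy itself: it parses the JSON that `trivy fs --format json --output trivy.json .` writes (the `Results` / `Vulnerabilities` layout of Trivy's report schema), keeps the findings at or above a severity threshold, and returns a non-zero status for CI. The embedded report is a constructed stand-in; its CVE ids, package names and versions are placeholders.

```python
import json

# Trivy severity levels, least to most severe.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed stand-in for `trivy fs --format json .` output. The layout follows
# Trivy's JSON report schema; the CVE ids, package names and versions are placeholders.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": ".", "Results": [
    {"Target": "package-lock.json", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-EXAMPLE1", "PkgName": "example-lib",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-EXAMPLE2", "PkgName": "example-util",
         "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "requirements.txt", "Type": "pip", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-EXAMPLE3", "PkgName": "example-pkg",
         "InstalledVersion": "0.9", "FixedVersion": "1.2", "Severity": "HIGH"}]},
]})


def findings_at_or_above(report_json: str, threshold: str = "HIGH") -> list[dict[str, str]]:
    """Flatten a Trivy JSON report into the findings at or above `threshold`."""
    min_rank = SEVERITY_ORDER.index(threshold)
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
            if rank >= min_rank:
                findings.append({"target": result.get("Target", ""),
                                 "id": vuln["VulnerabilityID"],
                                 "package": vuln.get("PkgName", ""),
                                 "installed": vuln.get("InstalledVersion", ""),
                                 # Empty FixedVersion: no patched release exists yet.
                                 "fixed": vuln.get("FixedVersion") or "no fix yet",
                                 "severity": sev})
    return findings


def gate(report_json: str, threshold: str = "HIGH") -> int:
    """CI gate: print each blocking finding, return 1 if any exist, else 0."""
    blocking = findings_at_or_above(report_json, threshold)
    for f in blocking:
        print(f"[{f['severity']}] {f['target']}: {f['package']} {f['installed']} "
              f"-> {f['id']} (fix: {f['fixed']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Trivy can enforce the same gate on its own with `--severity HIGH,CRITICAL --exit-code 1`; parsing the JSON yourself is worth it when you also want the report kept for triage or fed into a ticketing step.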