Introducing Software Composition Analysis

The Firewall

Understanding and securing your software supply chain has never been more critical in today's increasingly complex software development landscape. We're excited to announce the latest addition to The Firewall Appsec Platform: our comprehensive Software Composition Analysis (SCA) tool, designed to give you unprecedented visibility into your software dependencies and their security implications.

Why SCA Matters

Modern applications are built on thousands of open-source packages and dependencies. While this accelerates development, it also introduces potential security vulnerabilities through the software supply chain. Our new SCA feature helps you identify, track, and remediate these risks before they become problems.

Powerful Features Out of the Box

Intelligent Vulnerability Management

Our SCA tool categorizes vulnerabilities based on:

  • Severity Levels: Critical, High, Medium, Low, and Unknown

  • Fix Status: Available fixes vs. No fixes available

  • Comprehensive Details: Including EPSS scores, license information, and detailed CVE mappings

Smart Defaults for Immediate Value

We've carefully chosen default settings to get you started quickly while maintaining robust security:

  • Focus on main/master branch scanning

  • Prioritization of critical and high vulnerabilities

  • Emphasis on vulnerabilities with available fixes

  • Runtime SBOM generation for the master branch

Key Features Deep Dive

Repository Scanning

Every repository in your ecosystem benefits from:

  • Comprehensive package CVE scanning

  • On-demand SBOM generation with branch selection

  • Critical and high vulnerability highlighting

  • Total vulnerability count tracking

  • Configurable critical branch selection

Pull Request Integration

Secure your development workflow with:

  • Automated source branch package scanning

  • Comprehensive vulnerability reporting across all severity levels

  • Configurable PR comments focusing on Critical and High vulnerabilities with fixes

  • Optional PR status checks and blocking capabilities

Intelligent Allowlist System

Our sophisticated allowlisting mechanism helps manage unavoidable vulnerabilities:

  • Automatic allowlist management for unfixable vulnerabilities

  • Daily monitoring of allowlisted CVEs for newly available fixes

  • User-controlled allowlisting with bulk incident management

  • Automatic re-activation when fixes become available

Real-World Impact

Let's look at how these features work in practice:

  • During Development:

    1. A developer creates a PR with new dependencies

    2. Our SCA tool automatically scans the changes

    3. Critical vulnerabilities are immediately flagged

    4. The team can make informed decisions before merging

  • Continuous Monitoring:

    1. Previously "unfixable" vulnerabilities in production code are automatically allowlisted

    2. When fixes become available, teams are automatically notified

    3. Incidents are reopened with clear remediation paths
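The two workflows above, as an added Python illustration (not code from The Firewall project), showing the default triage policy applied to a PR scan and the daily allowlist re-check that reopens a finding once a fix exists; the package names, versions and CVE-0000-* identifiers are constructed placeholders, and the severity threshold and blocking behaviour are assumed defaults.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Severity ranks matching the page's five levels; higher sorts first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}

@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str                 # placeholder ids below, not real advisories
    severity: str
    fixed_in: Optional[str]  # None when the advisory lists no fixed version
    epss: float              # exploit-prediction score, used for ordering only

@dataclass
class Decision:
    comment: List[Finding]    # surfaced in the PR comment (fixable only)
    block: bool               # whether the PR status check should fail
    allowlist: List[Finding]  # unfixable findings parked for daily re-check

def triage(findings: List[Finding], min_severity: str = "high",
           block_on_fixable: bool = True) -> Decision:
    """Default policy: report fixable critical/high findings, park unfixable ones."""
    threshold = SEVERITY_RANK[min_severity]
    comment, allowlist = [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower(), 0)
        if rank < threshold:
            continue  # below the configured threshold: counted, not reported
        (allowlist if f.fixed_in is None else comment).append(f)
    # Most severe first, then highest EPSS, so the comment leads with what matters.
    comment.sort(key=lambda f: (-SEVERITY_RANK.get(f.severity.lower(), 0), -f.epss))
    return Decision(comment, block_on_fixable and bool(comment), allowlist)

def recheck_allowlist(allowlist: List[Finding],
                      fixed_versions: Dict[str, str]) -> Tuple[List[Finding], List[Finding]]:
    """Daily re-check: reopen a parked finding once its CVE maps to a fixed version."""
    reopened, still_parked = [], []
    for f in allowlist:
        fix = fixed_versions.get(f.cve)
        if fix is None:
            still_parked.append(f)
        else:  # re-activate with the newly available fix attached
            reopened.append(Finding(f.package, f.version, f.cve, f.severity, fix, f.epss))
    return reopened, still_parked

# Constructed sample PR scan; the CVE-0000-* identifiers are placeholders.
SAMPLE = [
    Finding("libalpha", "1.2.0", "CVE-0000-0001", "critical", "1.2.1", 0.72),
    Finding("libbeta", "3.0.0", "CVE-0000-0002", "high", None, 0.10),
    Finding("libgamma", "0.9.0", "CVE-0000-0003", "low", "0.9.1", 0.01),
    Finding("libdelta", "2.1.0", "CVE-0000-0004", "high", "2.2.0", 0.35),
]
```

Running `triage(SAMPLE)` reports libalpha and libdelta, parks libbeta, and ignores the low-severity libgamma; feeding the parked list to `recheck_allowlist` with a fixed version for its CVE reopens it.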

Getting Started

The new SCA feature is now available on The Firewall Project. To get started:

  1. Enable SCA scanning in your repository settings

  2. Configure your preferred severity thresholds and PR behaviors

  3. Review your first SBOM and vulnerability report

Conclusion

Software Composition Analysis is a crucial component of modern application security. With The Firewall Platform's new SCA capabilities, securing your software supply chain is easier than ever. Start using SCA today to gain visibility into your dependencies and protect your applications from vulnerable third-party code.

Roadmap

Looking ahead, we also have exciting features in our roadmap such as support for transitive dependencies, allowing you to gain complete visibility into your entire dependency tree, not just direct dependencies.

We are committed to continuously improving our Software Composition Analysis capabilities to provide you with the most comprehensive and effective protection for your software supply chain.

👉 Get started: https://github.com/TheFirewall-code/TheFirewall-Secrets-SCA
📚 Documentation: https://docs.thefirewall.org
💡 Join our community: https://discord.gg/jD2cEy2ugg
📚 Blogs: https://blogs.thefirewall.org

Written by

The Firewall