
Checkmarx Software Composition Analysis

Next-gen Open Source Security


Checkmarx Software Composition Analysis (CxSCA)

Today's software is constructed using open source components and third-party libraries, tied together with custom code. Hackers target vulnerable open source components to access sensitive and valuable data, while data protection regulations become more stringent in an effort to encourage better software security practices. While all this is happening, DevOps is taking the world by storm and the burden of securing software is rapidly expanding under the purview of the developers who create it.

Trust us, we get it. You're caught between a strong desire to innovate and a sincere dislike of having your company’s name on the news as “the most recent data breach.”

That's why we made CxSCA, the most effective next-gen software composition analysis solution designed to help development teams ship secure software quickly while giving AppSec teams the insight and control they need to improve your software security risk posture.

Identify Open Source with Confidence

CxSCA quickly scans your software’s codebase to detect open source libraries, including direct and transitive dependencies, identify the specific versions in use, and flag any associated vulnerabilities and licenses. CxSCA has been architected to minimize false positives, eliminating time wasted sifting through inaccurate results.

Minimize Open Source Security and License Risks

Access summary metrics and detailed breakouts of security risks resulting from vulnerable open source component versions. Visualize potential risks to intellectual property or copyright resulting from open source license conflicts or non-compliance. Evaluate potential risks to operations resulting from shifts in community activity for a given component.

Prioritize Exploitable Vulnerabilities

CxSCA's “exploitable path” capability leverages Checkmarx's industry-leading source analysis technologies to identify the vulnerable components that are in the execution path of the application, allowing you to focus remediation efforts on the open source vulnerabilities that actually pose a threat. Don't worry, CxSCA users get this benefit even without a license to CxSAST.

Accelerate Informed Remediation

Get detailed remediation guidance from Checkmarx's experienced security research team and triage vulnerabilities based on verified exploitability. Optimize your efforts with automatic dependency path visualization and filter out libraries that are used for development but not in production.

Integrate and Automate for DevSecOps

Avoid impeding development workflows by integrating CxSCA throughout the SDLC and CI/CD pipelines, from code repos to build to issue management. Leverage plugins, APIs, or CxFlow - Checkmarx's end-to-end DevOps automation tool - to trigger scans, share results, and reduce time-to-remediation.

Streamline Operations for SCA and SAST

Enhance your experience when you add both CxSCA and CxSAST - Checkmarx's industry-leading SAST solution - to your AppSec program. CxSCA and CxSAST support unified user management and access control, as well as unified project creation and scan initiation, so you can analyze both custom code and open source from a single plugin.

Leverage Industry-leading Security Research

CxSCA's database of open source libraries and vulnerabilities is cultivated by the Checkmarx software security research team, who have been widely recognized for their thorough and consistent discoveries. This team empowers CxSCA with risk details, remediation guidance, and Checkmarx-exclusive vulnerabilities (with no CVE at the time of discovery) for greater coverage above and beyond the NVD.

Measure and Report Open Source Risks

Generate and export reports detailing risks in the open source components that compose your software, or extract data directly via integrations and APIs. Track your software security risk profile over time to monitor improvement.

Analyze Open Source in All Common Languages and Frameworks

CxSCA analyzes the most popular programming languages and frameworks, enabling you to identify and eliminate open source security and license risks in both new and legacy applications.
