SCA connectors
SCA connectors ingest findings keyed on dependencies with CVE correlation.
SCM-first dependency
Connectors in this category depend on at least one SCM connector being installed first: their findings reference silver.repositories.repository_id, which the SCM connector populates. Walk the SCM category before installing an SCA connector.
Capability scope
SCA sources emit findings keyed on dependencies: package name, installed version, ecosystem, CVE identifier, and optional PURL. Severity vocabularies extend up to five CVSS-aligned labels (None, Low, Medium, High, Critical), with some tools adding a sixth for unassigned or informational findings. The specification requires a per-tool severity lookup table that maps each tool's vocabulary onto the documented four-level scale, as for SAST.
SCA data is frequently centered on an SBOM (CycloneDX or SPDX) and correlated against external advisory sources (NVD, GHSA). Server-based SCA tools expose paginated REST APIs with update-timestamp columns that serve as incremental high-water marks. Authentication is PAT or API key based, as for SAST. CLI-based SCA tools (for example, package manager audit commands invoked in CI/CD) have no incremental hook and SHALL be treated under the full reload strategy. Platform-integrated SCA (where the SCM platform hosts the SCA) shares the authentication and pagination of the host platform.
The CI/CD step vs. periodic global axis applies identically here. CI/CD step SCA (package manager audits, Semgrep Supply Chain in the pipeline, Dependabot alerts attached to pull requests) produces findings scoped to the scanned commit. Periodic global SCA (a Dependency-Track server scanning all enrolled SBOMs on a schedule) produces findings scoped to the full SBOM inventory at scan time. A deployment may run both and reconcile duplicates via the SCA dedup key (repository_id, package_name, cve_id).
Documented mapping contribution
SCA sources populate the Silver finding table with SCA dedup key (repository_id, package_name, cve_id). See Canonical mapping.
Skills
Four skills cover the connector lifecycle for SCA sources, with facts for the category at Skills. The procedural body of each skill is documented at Connector skills.
Connectors in this category
- Dependency-Track. Intended integration (no MVP implementation).