---
id: wiki-2026-0508-sca-fundamentals
title: SCA Fundamentals (Software Composition Analysis)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Software Composition Analysis, Dependency Scanning, OSS Security]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [sca, security, devsecops, sbom, supply-chain]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: Multi
  framework: Snyk / Dependabot / Trivy / Grype
---

# SCA Fundamentals (Software Composition Analysis)

## One line

> **"Vuln/license/integrity scanning of every third-party (OSS) dependency: the baseline control for the reality that 80%+ of a modern app is OSS code."** Heartbleed (2014), Equifax/Struts (2017), Log4Shell (2021) and the xz-utils backdoor (2024) elevated SBOM + SCA to mandatory requirements under NIST, the EU CRA and US EO 14028. The first line of defense in the 2026 era of supply-chain attacks.

## Key points

### What SCA scans

- **Direct deps**: package.json, requirements.txt, go.mod, Cargo.toml.
- **Transitive deps**: the full dependency tree (often 10x the direct count).
- **Container images**: OS packages + app deps (Trivy, Grype).
- **License**: GPL/AGPL/proprietary compliance.
- **Integrity**: signature, provenance (Sigstore, SLSA).

### Vulnerability sources

- **NVD/CVE**: NIST National Vulnerability Database.
- **GitHub Advisory Database (GHSA)**: ecosystem-aware.
- **OSV.dev**: Google's distributed vuln DB.
- **Vendor advisories**: Snyk DB, Mend, Sonatype OSS Index.
- **EPSS**: Exploit Prediction Scoring System (probabilistic priority).

### SBOM formats

- **SPDX**: ISO/IEC 5962, Linux Foundation.
- **CycloneDX**: OWASP, security-focused, VEX support.
- **VEX** (Vulnerability Exploitability eXchange): "vulnerable but not exploitable in our config".

### Applications

1. PR-time scanning (Dependabot, Snyk PR check).
2. Container scan in CI (Trivy in GitHub Actions).
3. SBOM generation for compliance (EU CRA, US EO).
4. Runtime correlation (Sysdig, Wiz: used vs unused vulns).
5. License audit before release.

## 💻 Patterns

### npm audit + fix in CI

```bash
# Record findings; exits non-zero when vulns at or above the level exist
npm audit --audit-level=high --json > audit.json
# Auto-fix non-breaking (semver-compatible) updates
npm audit fix
# Force breaking (major) fixes only on dev branches
npm audit fix --force
```

### Trivy container scan (GitHub Actions)

```yaml
- name: Run Trivy
  # Pin to a release tag or commit SHA instead of @master for reproducible CI
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'ghcr.io/org/app:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'        # fail the job on findings
    ignore-unfixed: true  # skip vulns with no available fix
- uses: github/codeql-action/upload-sarif@v3
  with: { sarif_file: 'trivy.sarif' }
```

### CycloneDX SBOM (Python)

```bash
pip install cyclonedx-bom
# cyclonedx-bom 3.x syntax; check `cyclonedx-py requirements --help` on newer releases
cyclonedx-py requirements -i requirements.txt -o sbom.json --format json
# Validate against the CycloneDX schema (separate CycloneDX CLI tool, not the pip package)
cyclonedx validate --input-file sbom.json
```

### Dependabot config (GitHub)

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
    open-pull-requests-limit: 10
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]
  - package-ecosystem: "docker"
    directory: "/"
    schedule: { interval: "daily" }
```

### EPSS-based prioritization

```python
import requests

EPSS_API = "https://api.first.org/data/v1/epss"


def epss_score(cve_id):
    """Return (epss, percentile) for a CVE, or (None, None) if FIRST has no record."""
    r = requests.get(EPSS_API, params={"cve": cve_id}, timeout=10)
    r.raise_for_status()
    data = r.json().get("data", [])
    if data:
        return float(data[0]["epss"]), float(data[0]["percentile"])
    return None, None


# Prioritize: high CVSS AND high EPSS (likely exploited in the wild).
# scan_results and page_oncall come from the scanner / alerting integration.
for cve in scan_results:
    epss, pct = epss_score(cve.id)
    if cve.cvss >= 7.0 and epss is not None and epss > 0.5:
        page_oncall(cve)
```

### Sigstore cosign verification (provenance)

```bash
# Verify the image was built by the trusted GitHub Actions workflow
cosign verify ghcr.io/org/app:v1.2.3 \
  --certificate-identity "https://github.com/org/repo/.github/workflows/release.yml@refs/tags/v1.2.3" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
```

### VEX statement (CycloneDX)

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [{
    "id": "CVE-2024-XXXX",
    "ratings": [{"severity": "critical"}],
    "analysis": {
      "state": "not_affected",
      "justification": "code_not_reachable",
      "detail": "Vulnerable function in lib X is never called; entrypoint disabled."
    }
  }]
}
```

### Grype with custom policy

```bash
grype dir:./app -o sarif --fail-on high \
  --only-fixed \
  --exclude './vendor/**'
```

## Decision criteria

| Situation | Approach |
|---|---|
| Open source project | Dependabot (free, GitHub-native) |
| Polyglot enterprise | Snyk / Mend / Sonatype Lifecycle |
| Container-heavy | Trivy / Grype + admission controller |
| Air-gapped | Self-hosted DB (Anchore Enterprise, Trivy with local DB) |
| Compliance (EU CRA, FedRAMP) | SBOM + VEX + signed attestations (SLSA L3+) |

**Default**: Trivy in CI + Dependabot for upgrades + CycloneDX SBOM + Sigstore signing.

## 🔗 Graph

- Parent: [[CI_CD 파이프라인 및 IDE 통합 보안|DevSecOps]] · [[Application-Security]]
- Variants: [[SAST]] · [[보안_및_시스템_신뢰성_표준|DAST]]
- Applications: [[SBOM]]
- Adjacent: [[Supply-Chain-Security]] · [[SLSA]] · [[Sigstore]]

## 🤖 LLM usage

**When**: triaging vuln noise (false positive vs real), generating VEX justifications from code context, summarizing CVEs for stakeholders, suggesting upgrade paths.

**When not**: as the source of truth for vuln data; use NVD/OSV/GHSA. LLMs only for prioritization and explanation.

## ❌ Anti-patterns

- **Scan once, ship**: vulns appear post-release; continuous monitoring is needed.
- **Block on every CVE**: dev fatigue → bypass culture; use EPSS + reachability.
- **No transitive scan**: direct deps look clean while a transitive dep carries a critical CVE.
- **SBOM but no VEX**: dumps 10k vulns on customers without exploitability context.
- **Ignore lockfiles**: scanning only the manifest misses pinned vulnerable transitive deps.

## 🧪 Verification / duplicates

- Verified (NIST SP 800-218 SSDF, CISA SBOM guidance, OWASP Dependency-Track).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: SCA, SBOM, EPSS, VEX, Sigstore patterns |
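An added example, not code from this page or from any of the tools it names, tying the EPSS-based prioritization pattern to the "SBOM but no VEX" and "Block on every CVE" anti-patterns: it triages scanner findings with the page's 7.0 CVSS / 0.5 EPSS gates while honoring CycloneDX VEX analysis states, so `not_affected` findings are suppressed and likely-exploited but unfixable ones are routed to mitigation instead of failing CI. The findings, scores, CVE ids and the VEX document are constructed sample data.

```python
"""Offline triage of SCA findings using CVSS, EPSS and CycloneDX VEX (constructed data)."""
import json

# Constructed scanner output: one row per (CVE, package); EPSS assumed pre-fetched.
FINDINGS = [
    {"id": "CVE-2024-0001", "pkg": "libfoo", "cvss": 9.8, "epss": 0.92, "fixed": True},   # likely exploited, fix exists
    {"id": "CVE-2024-0002", "pkg": "libbar", "cvss": 9.1, "epss": 0.01, "fixed": True},   # critical CVSS, low EPSS
    {"id": "CVE-2024-0003", "pkg": "libbaz", "cvss": 7.5, "epss": 0.70, "fixed": False},  # likely exploited, no fix yet
    {"id": "CVE-2024-0004", "pkg": "libqux", "cvss": 8.1, "epss": 0.80, "fixed": True},   # covered by VEX below
]

# Constructed CycloneDX VEX document: the vulnerable code in libqux is never reached.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [{
        "id": "CVE-2024-0004",
        "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                     "detail": "Vulnerable parser is never invoked by this service."},
    }],
})

# VEX states that remove a finding from the CI gate (decision is still recorded).
SUPPRESSING_STATES = {"not_affected", "false_positive"}


def load_vex(doc: str) -> dict:
    """Map CVE id -> VEX analysis state, ignoring entries without an analysis block."""
    return {v["id"]: v["analysis"]["state"]
            for v in json.loads(doc).get("vulnerabilities", [])
            if "analysis" in v}


def triage(findings, vex_states, cvss_gate=7.0, epss_gate=0.5) -> dict:
    """Return {cve_id: decision}.

    suppressed:<state> = VEX says not exploitable here; block = fail CI (fix available);
    mitigate = likely exploited but no fix, needs a compensating control or a VEX
    justification; track = ticket/backlog, no gate (mirrors grype --only-fixed semantics).
    """
    decisions = {}
    for f in findings:
        state = vex_states.get(f["id"])
        if state in SUPPRESSING_STATES:
            decisions[f["id"]] = "suppressed:" + state
        elif state == "exploitable" or (f["cvss"] >= cvss_gate and f["epss"] >= epss_gate):
            decisions[f["id"]] = "block" if f["fixed"] else "mitigate"
        else:
            decisions[f["id"]] = "track"
    return decisions


if __name__ == "__main__":
    for cve, decision in triage(FINDINGS, load_vex(VEX_JSON)).items():
        print(cve, decision)
```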