---
id: wiki-2026-0508-sca
title: SCA
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Software Composition Analysis, dependency scanning, OSS vulnerability scanning]
duplicate_of: none
source_trust_level: A
confidence_score: 0.95
verification_status: applied
tags: [security, sca, dependencies, sbom, supply-chain]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: multi
  framework: snyk-dependabot-renovate-osv
---

# SCA

## In one line

> **"1% of your code is yours; the other 99% is dependencies."**

SCA (Software Composition Analysis) scans third-party / OSS dependencies to detect known CVEs, license issues, and malicious packages. As of 2026, SBOMs (CycloneDX/SPDX) are mandatory, driven by the EU CRA and US EO 14028.

## Core

### The SCA stack

- **Manifest scan**: package-lock.json, Cargo.lock, go.sum → CVE DB lookup.
- **OSV.dev** (Google): unified vulnerability DB across ecosystems.
- **GitHub Advisory DB**: npm-aware; the backbone of Dependabot.
- **Snyk DB**: commercial, with deeper exploit metadata.

### SBOM formats

- **CycloneDX** (OWASP): JSON/XML, vulnerability-friendly.
- **SPDX** (Linux Foundation): license-friendly.
- **2026 default**: CycloneDX 1.5+ JSON.

### Applications

1. PR gate: block any PR that introduces a new high-severity CVE.
2. Attach the SBOM to the release artifact (sigstore signed).
3. Weekly bump PRs from Renovate/Dependabot.
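The PR gate from item 1, as an added example (not code from this page or from any of the tools it lists): it diffs the base-branch and PR-head CycloneDX SBOMs and blocks only *introduced* components that carry a HIGH-or-worse advisory, leaving pre-existing findings to the weekly bump PRs. The SBOMs, package names and advisory ids are constructed placeholders; in a real pipeline the advisory map would come from an OSV or GitHub Advisory DB query.

```python
"""PR gate for SCA: fail the build when a PR introduces a component that carries
a HIGH/CRITICAL advisory. Diffs two CycloneDX 1.5 JSON SBOMs (base branch vs PR
head), so findings already present on the base branch do not block the PR."""
import json
import sys

# Severity labels as used in GHSA / OSV `database_specific.severity`
SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample SBOMs (minimal CycloneDX 1.5 JSON); package names are made up.
BASE_SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "demo-http",   "version": "1.3.0", "purl": "pkg:npm/demo-http@1.3.0"},
  {"type": "library", "name": "demo-logger", "version": "3.1.0", "purl": "pkg:npm/demo-logger@3.1.0"}]}""")
HEAD_SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "demo-http",   "version": "1.4.0", "purl": "pkg:npm/demo-http@1.4.0"},
  {"type": "library", "name": "demo-logger", "version": "3.1.0", "purl": "pkg:npm/demo-logger@3.1.0"},
  {"type": "library", "name": "demo-yaml",   "version": "2.0.0", "purl": "pkg:npm/demo-yaml@2.0.0"}]}""")
# Constructed stand-in for an OSV / advisory-DB lookup, keyed by purl; ids are placeholders.
ADVISORIES = {
    "pkg:npm/demo-yaml@2.0.0":   [{"id": "EXAMPLE-ADV-0001", "severity": "HIGH"}],
    "pkg:npm/demo-http@1.4.0":   [{"id": "EXAMPLE-ADV-0002", "severity": "MODERATE"}],
    "pkg:npm/demo-logger@3.1.0": [{"id": "EXAMPLE-ADV-0003", "severity": "CRITICAL"}],  # pre-existing
}

def purls(sbom: dict) -> set[str]:
    """Versioned package URLs of every component in a CycloneDX JSON SBOM."""
    return {c["purl"] for c in sbom.get("components", []) if c.get("purl")}

def introduced(base_sbom: dict, head_sbom: dict) -> set[str]:
    """Components in the PR head but not in base: new packages and version bumps alike."""
    return purls(head_sbom) - purls(base_sbom)

def gate(base_sbom: dict, head_sbom: dict, advisories: dict, threshold: str = "HIGH") -> list:
    """Blocking findings as (purl, advisory id, severity), for introduced components only."""
    floor = SEVERITY_RANK[threshold.upper()]
    findings = []
    for purl in sorted(introduced(base_sbom, head_sbom)):
        for adv in advisories.get(purl, []):
            if SEVERITY_RANK.get(adv["severity"].upper(), 0) >= floor:
                findings.append((purl, adv["id"], adv["severity"]))
    return findings

if __name__ == "__main__":
    hits = gate(BASE_SBOM, HEAD_SBOM, ADVISORIES)
    for purl, adv_id, severity in hits:
        print(f"BLOCK {purl}: {adv_id} ({severity})")
    sys.exit(1 if hits else 0)  # non-zero exit fails the PR check
```

Run it as a CI step after generating both SBOMs; the CRITICAL advisory on `demo-logger` is deliberately not reported because that component was already on the base branch.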
## 💻 Patterns

### Dependabot config

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule: { interval: weekly }
    groups:
      minor-and-patch:
        update-types: [minor, patch]
    open-pull-requests-limit: 10
  - package-ecosystem: github-actions
    directory: /
    schedule: { interval: monthly }
```

### Renovate grouping + auto-merge

```json5
{
  extends: ['config:base', ':semanticCommits'],
  packageRules: [
    {
      // auto-merge patch/minor bumps, but never for 0.x packages (semver gives no stability guarantee there)
      matchUpdateTypes: ['patch', 'minor'],
      matchCurrentVersion: '!/^0/',
      automerge: true,
      automergeType: 'pr',
      platformAutomerge: true,
    },
    { matchPackagePatterns: ['^@types/'], groupName: 'types' },
  ],
  vulnerabilityAlerts: { enabled: true, labels: ['security'] },
}
```

### Generate a CycloneDX SBOM (npm)

```bash
npx @cyclonedx/cyclonedx-npm --output-format json --output-file sbom.json
cosign sign-blob --yes sbom.json --output-signature sbom.sig
```

### OSV-Scanner (Go)

```yaml
name: OSV
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google/osv-scanner-action@v1
        with:
          scan-args: |-
            --lockfile=package-lock.json
            --lockfile=go.sum
            --format=sarif
            --output=osv.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with: { sarif_file: osv.sarif }
```

### License gate

```bash
npx license-checker --production --excludePackages="$(cat allowed.txt)" \
  --failOn 'GPL-3.0;AGPL-3.0' --json > licenses.json
```

### Malicious package detection (Socket-style)

```yaml
- name: Socket Security
  uses: SocketDev/socket-security-action@v1
  with:
    # block style: a `${{ }}` expression inside a `{ }` flow mapping is invalid YAML
    api-token: ${{ secrets.SOCKET_TOKEN }}
```

## Decision criteria

| Situation | Tool |
|---|---|
| GitHub repo, free | Dependabot + OSV-Scanner |
| polyrepo enterprise | Snyk + Renovate |
| supply-chain risk (typosquats) | Socket + Snyk |
| compliance (FedRAMP, EU CRA) | CycloneDX SBOM + cosign sign |

**Default**: Renovate + OSV-Scanner + CycloneDX SBOM (signed).
## 🔗 Graph

- Parents: [[DevSecOps]] · [[Supply Chain Security]]
- Variants: [[SAST]] · [[DAST]] · [[Container Scanning]]
- Applications: [[SBOM]] · [[Sigstore]] · [[SLSA]]
- Adjacent: [[Dependabot]] · [[Renovate]] · [[Snyk]]

## 🤖 LLM use

**When**: vulnerability triage (exploitability scoring), changelog summarization for upgrades, breaking-change detection in PRs.

**When not**: auto-merging high-CVE patches without review.

## ❌ Anti-patterns

- **Pin everything forever**: stale dependencies are more vulnerable, not less.
- **Auto-merge majors**: breaking changes escape into prod.
- **No SBOM**: incident response starts with grep, which is too late.
- **Scan only on release**: the dev branch carries weeks of exposure.

## 🧪 Verification / Duplicates

- Verified (OSV.dev docs, CycloneDX 1.5 spec, GitHub Dependabot 2026, Renovate docs).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: modern SCA + SBOM patterns |