bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2ca2083eb6eab9684f8692e299dcf62ef723665d
2nd/10_Wiki/Topics/DevOps_and_Security/SCA.md
T
Antigravity Agent 504fd5fb42 [G1-Sync] Manual knowledge update
2026-05-10 22:08:15 +09:00

154 lines
4.4 KiB
Markdown
Raw Blame History

---
id: wiki-2026-0508-sca
title: SCA
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Software Composition Analysis, dependency scanning, OSS vulnerability scanning]
duplicate_of: none
source_trust_level: A
confidence_score: 0.95
verification_status: applied
tags: [security, sca, dependencies, sbom, supply-chain]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
language: multi
framework: snyk-dependabot-renovate-osv
---
# SCA
## 매 한 줄
> **"매 your code 의 1% 의 yours — 매 99% 의 dependencies 의"**. SCA (Software Composition Analysis) 의 third-party / OSS dependencies 의 scanning 의 known CVEs, license issues, malicious packages 의 detecting 의. 2026 의 SBOM (CycloneDX/SPDX) 의 mandatory 의 — 매 EU CRA, US EO 14028 의 driving.
## 매 핵심
### 매 SCA 의 stack
- **manifest scan**: package-lock.json, Cargo.lock, go.sum 의 → CVE DB lookup.
- **OSV.dev** (Google): 매 unified vuln DB across ecosystems.
- **GitHub Advisory DB**: 매 npm-aware, 매 Dependabot 의 backbone.
- **Snyk DB**: commercial, 매 deeper exploit metadata.
### 매 SBOM 의 formats
- **CycloneDX** (OWASP): JSON/XML, 매 vuln-friendly.
- **SPDX** (Linux Foundation): license-friendly.
- **2026 default**: CycloneDX 1.5+ JSON.
### 매 응용
1. PR gate — 매 new high CVE 의 introduce 의 block.
2. SBOM 의 release artifact 의 attached 의 (sigstore signed).
3. Renovate/Dependabot 의 weekly bump PRs.
## 💻 패턴
### Dependabot config
```yaml
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule: { interval: weekly }
groups:
minor-and-patch:
update-types: [minor, patch]
open-pull-requests-limit: 10
- package-ecosystem: github-actions
directory: /
schedule: { interval: monthly }
```
### Renovate 의 group + auto-merge
```json5
{
extends: ['config:base', ':semanticCommits'],
packageRules: [
{
matchUpdateTypes: ['patch', 'minor'],
matchCurrentVersion: '!/^0/',
automerge: true,
automergeType: 'pr',
platformAutomerge: true,
},
{ matchPackagePatterns: ['^@types/'], groupName: 'types' },
],
vulnerabilityAlerts: { enabled: true, labels: ['security'] },
}
```
### CycloneDX SBOM 의 generate (npm)
```bash
npx @cyclonedx/cyclonedx-npm --output-format json --output-file sbom.json
cosign sign-blob --yes sbom.json --output-signature sbom.sig
```
### OSV-Scanner (Go)
```yaml
name: OSV
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: google/osv-scanner-action@v1
with:
scan-args: |-
--lockfile=package-lock.json
--lockfile=go.sum
--format=sarif
--output=osv.sarif
- uses: github/codeql-action/upload-sarif@v3
with: { sarif_file: osv.sarif }
```
### License gate
```bash
npx license-checker --production --excludePackages="$(cat allowed.txt)" \
--failOn 'GPL-3.0;AGPL-3.0' --json > licenses.json
```
### Malicious package 의 detect (Socket-style)
```yaml
- name: Socket Security
uses: SocketDev/socket-security-action@v1
with: { api-token: ${{ secrets.SOCKET_TOKEN }} }
```
## 매 결정 기준
| 상황 | Tool |
|---|---|
| GitHub repo, 매 free | Dependabot + OSV-Scanner |
| polyrepo enterprise | Snyk + Renovate |
| supply-chain risk (typosquats) | Socket + Snyk |
| compliance (FedRAMP, EU CRA) | CycloneDX SBOM + cosign sign |
**기본값**: Renovate + OSV-Scanner + CycloneDX SBOM (signed).
## 🔗 Graph
- 부모: [[DevSecOps]] · [[Supply Chain Security]]
- 변형: [[SAST]] · [[DAST]] · [[Container Scanning]]
- 응용: [[SBOM]] · [[Sigstore]] · [[SLSA]]
- Adjacent: [[Dependabot]] · [[Renovate]] · [[Snyk]]
## 🤖 LLM 활용
**언제**: vuln triage (exploitability scoring), changelog summarization for upgrades, breaking-change detection in PRs.
**언제 X**: auto-merging high-CVE patches 없이 의 review.
## ❌ 안티패턴
- **Pin everything forever**: 매 stale deps 의 더 vulnerable.
- **Auto-merge majors**: 매 breaking change 의 prod 의 escape.
- **No SBOM**: 매 incident response 의 grep 의 시작 — 매 too late.
- **Scan only on release**: 매 dev branch 의 weeks of exposure.
## 🧪 검증 / 중복
- Verified (OSV.dev docs, CycloneDX 1.5 spec, GitHub Dependabot 2026, Renovate docs).
- 신뢰도 A.
## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — modern SCA + SBOM patterns |
Reference in New Issue View Git Blame Copy Permalink