Black Duck® software composition analysis (SCA) offers multiple open source scanning technologies so you get the most complete and accurate view of open source in your applications and containers. Our open source scanning combines build process monitoring, file system scanning, and source code analysis to track all open source in use, including components most SCA tools miss.

Dependency Analysis

Integrates with build tools like Maven and Gradle to track both declared and transitive open source dependencies in applications built in languages like Java and C#.

Codeprint Analysis

Maps string, file, and directory information to the Black Duck® KnowledgeBase™ to identify open source and third-party components in applications built using languages like C & C++.

Binary Analysis

Identifies open source within compiled application libraries and executables. No source code or build system access required.

Snippet Analysis

Finds parts of open source code that have been copied within proprietary code by developers or generative AI coding tools, which can potentially expose you to license violations and conflicts.

Container Scanning

Uses a combination of binary and CodePrint analysis to identify open source dependencies in container images, layer by layer.

Why package declarations aren’t enough

Most other solutions rely solely on package manager declarations to identify open source components. But these solutions miss a lot of open source that may be in your code, including:

  • Open source that developers add to your code but don’t declare in package manifests
  • Open source in languages like C and C++ that don’t use standard package managers
  • Open source built into containers
  • Open source within compiled binaries and build artifacts
  • Open source introduced by AI coding assistants

Simple integration into your CI/CD pipeline

Our SCA integrations make it easy to incorporate open source scanning into your existing development tools and processes. This makes it possible to automatically identify which languages and package managers you’re using, configure the appropriate integrations for discovery, and find the most effective way to analyze your code.

Learn more about our integrations

Black Duck SCA technology

Comprehensive KnowledgeBase

Learn more

Enhanced vulnerability data

Learn more

End-to-end DevOps integrations

Learn more

Related content

Video

See how Black Duck SCA works

Watch the video
Datasheet

Black Duck software composition analysis

Secure open source with compliance and quality control
Learn more
Report

Forrester Wave: Software Composition Analysis

See why Black Duck is a Leader in software composition analysis
Learn more
White Paper

Managing Transitive Dependencies in Open Source Software

5 risks of transitive dependencies & 9 ways to avoid them
Learn more
eBook

Five Considerations for Securing Your Software Supply Chain

Learn how to spot and fix weak links in your software supply chain
Learn more
Report

Gartner Magic Quadrant

See why Black Duck is a Leader in application security testing
Learn more