Software Composition Analysis + SBOM for Git Repositories

This release expands the Software Composition Analysis capabilities of Bytesafe with Source repository scanning.

Source repositories allow users to link their Git repositories to Bytesafe for continuous dependency analysis. Get insight into your dependencies and export SBOMs for individual components or whole repositories.

The Source Repository Scanner detects components in your repositories and uses existing lockfiles and project files to identify both direct and transitive dependencies. Dependencies are processed using Bytesafe’s vulnerability database to identify and notify you of any related issues.

Detected component by Bytesafe source repository scanner

What is Software Composition Analysis (SCA)?

Most projects use open source dependencies. Direct dependencies are listed in project files like package.json (npm), pom.xml (Maven) or .csproj (NuGet). But the total number of dependencies is often much larger than those listed in the project files. Dependencies have dependencies of their own: transitive dependencies (indirect dependencies).

Software Composition Analysis (SCA) identifies what open source dependencies are used in a registry, source repository or for a specific component.

Common use cases for Software Composition Analysis include:

  • Detecting security vulnerabilities
  • Transparency & insight into code dependencies
  • Identifying license compliance issues
  • Producing a Software Bill of Materials (SBOM), a standardized and shareable list of the components in a piece of software

Continuous Dependency Analysis in Bytesafe

Source repositories are continuously scanned every 24 hours. All identified dependencies are automatically checked when new known vulnerabilities are added to Bytesafe’s Vulnerability DB.

Users can enable rescan automation by enabling the GitHub integration. Whenever project or lockfile changes are detected in a commit, Bytesafe will automatically rescan the project and create a new snapshot. In addition, users can trigger scans manually in Bytesafe.

Rescan automation with GitHub Integration

Source repositories added using the GitHub integration will automatically be rescanned on changes. When a new commit alters the package dependencies in a linked GitHub repository the integration automatically triggers a scan in Bytesafe.

Read more about using the GitHub integration together with Source repositories in our docs.

Download Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a standardized and shareable list of the components in a piece of software.

SBOMs can easily be downloaded in Bytesafe for a specific component or for all the components found in a source repository.
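To make the two ideas above concrete (lockfiles resolving direct and transitive dependencies, and an SBOM as a shareable component list), here is an added example that is not part of this page or of Bytesafe's own scanner. It parses a constructed npm package-lock.json (lockfileVersion 3 layout), classifies each package as direct or transitive, emits a minimal CycloneDX 1.4 JSON document with package URLs, and checks the components against a constructed advisory table. The package names, versions and the advisory id are invented for the example; the advisory matching uses a simple "lower than the fixed version" rule rather than a real vulnerability database.

```python
import json
from urllib.parse import quote

# Constructed sample lockfile (lockfileVersion 3 layout). Names and versions are
# made up for this example; "body-parse" is deliberately pinned below the
# constructed advisory's fixed version so the check below finds it.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "example-app",
            "version": "1.0.0",
            "dependencies": {"web-framework": "^4.0.0", "@scope/logger": "~2.1.0"},
            "devDependencies": {"test-runner": "^9.0.0"},
        },
        "node_modules/web-framework": {
            "version": "4.2.1",
            "dependencies": {"body-parse": "^1.19.0", "tiny-util": "^1.0.0"},
        },
        "node_modules/body-parse": {"version": "1.19.2", "dependencies": {"tiny-util": "^1.0.0"}},
        "node_modules/tiny-util": {"version": "1.0.3"},
        "node_modules/@scope/logger": {"version": "2.1.4"},
        "node_modules/test-runner": {"version": "9.3.0", "dev": True},
    },
})

# Constructed advisory table (not real vulnerabilities): a package is affected
# when its version is lower than "fixed_in".
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "body-parse", "fixed_in": "1.19.3"},
]


def _name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx >= 0 else path


def parse_lockfile(text):
    """Return one record per installed package: name, version, direct, dev.

    A package is direct only if it is hoisted to the top level and named in the
    root's dependencies or devDependencies; nested copies are transitive.
    """
    lock = json.loads(text)
    packages = lock.get("packages", {})
    root = packages.get("", {})
    direct_names = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    components = []
    for path, meta in packages.items():
        if path == "":
            continue  # the root entry describes the project itself
        name = _name_from_path(path)
        components.append({
            "name": name,
            "version": meta["version"],
            "direct": path == marker_path(name) and name in direct_names,
            "dev": bool(meta.get("dev", False)),
        })
    return components


def marker_path(name):
    """Top-level install path for a package name."""
    return "node_modules/" + name


def purl(name, version):
    """Package URL for an npm package; a scope like '@scope' is percent-encoded."""
    if name.startswith("@"):
        scope, pkg = name.split("/", 1)
        return f"pkg:npm/{quote(scope, safe='')}/{pkg}@{version}"
    return f"pkg:npm/{name}@{version}"


def build_sbom(components):
    """Minimal CycloneDX 1.4 JSON document listing every resolved component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                "purl": purl(c["name"], c["version"]),
                "scope": "optional" if c["dev"] else "required",
            }
            for c in sorted(components, key=lambda c: (c["name"], c["version"]))
        ],
    }


def _ver(v):
    """Plain x.y.z version string -> comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def find_affected(components, advisories):
    """Return (name, version, advisory id) for every component below an advisory's fix."""
    hits = []
    for c in components:
        for adv in advisories:
            if adv["name"] == c["name"] and _ver(c["version"]) < _ver(adv["fixed_in"]):
                hits.append((c["name"], c["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    comps = parse_lockfile(SAMPLE_LOCKFILE)
    for c in comps:
        kind = "direct" if c["direct"] else "transitive"
        print(f"{c['name']}@{c['version']} ({kind}{', dev' if c['dev'] else ''})")
    print(json.dumps(build_sbom(comps), indent=2))
    print("affected:", find_affected(comps, SAMPLE_ADVISORIES))
```

Run as a script it lists three direct packages (two of them runtime, one dev-only), two transitive ones that appear only because web-framework pulls them in, the SBOM document, and the single constructed advisory match. The same parse/emit split is what lets a scanner regenerate an SBOM from a stored snapshot without re-resolving the tree.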

Access and download SBOMs in Bytesafe

Getting started with Source repositories

Adding your first Source repository in Bytesafe is easy and can be done using the GitHub integration or a valid Git URL. For private repositories, a username and password (or a personal access token) may be required.

1. Select Source repositories in the main menu

2. Add a Git repository

3. Done! The first scan runs automatically.

Bytesafe will detect any valid components immediately. Multiple modules are supported for each repository, so multiple components of different types can be detected.

Add a Git source repository to Bytesafe

Select a component to view dependencies and stay on top of any issues.

Source repositories are scanned continuously or when any changes are detected in project files (when using the GitHub integration). Each scan creates a snapshot that contains the state of the source repository at a specific time and commit.

More SCA in our roadmap

This is only the first iteration of Source repositories in Bytesafe with plenty more on our roadmap, including:

  • Dependency Analysis of Java projects and the Maven ecosystem
  • Dependency Analysis of .NET projects and the NuGet ecosystem
  • SCA scanning of local projects using the Bytesafe CLI

Want to know more? Read more on our Software Composition Analysis product page or see how to work with Source repositories in our docs.