Software Composition Analysis

Scan & identify software assets in your supply chain

Software composition analysis (SCA) identifies what open source dependencies are used in a registry, source repository or for a specific component.

Common use cases for Software Composition Analysis include detecting security vulnerabilities, license compliance issues and to produce Software Bill of Materials, SBOM, a standardized and shareable list of components in a piece of software.

SCA components of Bytesafe:

  • Source repositories - Git repositories linked to Bytesafe or imported from an SBOM. The Source Repository Scanner detects components in repositories and uses project files to identify both direct and transitive dependencies (software assets).
  • Issues - Track security and license compliance for linked source repositories and for any package version held in an active Npm, Maven or NuGet registry. Search for specific packages, vulnerabilities, CVEs and review activity logs.
  • SBOM - Export standardized lists of the components and dependencies in linked source repositories.

Supported Ecosystems

Bytesafe supports a growing number of ecosystems and package managers. Use the table below to set up your repository for the most accurate results.

Note The table below is not applicable when importing an SBOM to Bytesafe.
Ecosystem Package Manager Level (?) Files Comment
Javascript npm DIRECT package.json
Javascript npm EXACT package-lock.json both v1 and v2 lock-files are supported
Javascript yarn EXACT yarn.lock
Javascript pnpm EXACT pnpm-lock.lock
.Net nuget DIRECT *.csproj *.vbproj *.fsproj projects using <PackageReference/> specifiers
.Net nuget EXACT packages.lock.json see <RestorePackagesWithLockFile>
.Net nuget DIRECT packages.config projects using legacy file to specify dependencies
Java gradle EXACT build.gradle (or build.gradle.kt) gradle.lockfile
Java maven NONE pom.xml currently unsupported
Python pip EXACT requirements.txt virtualenv based projects (i.e. pip freeze > requirements.txt)
Python poetry EXACT pyproject.toml poetry.lock
Python pipenv EXACT Pipfile.lock
Go go EXACT go.mod go.sum

Analysis levels

Bytesafe provides different levels of accuracy depending on the ecosystem and available files in the repository. For the most accurate results, generate the appropriate lock-files and commit them to the repository.

Level Description
EXACT Most accurate analysis which includes both direct and transient dependencies with exact versions.
BEST EFFORT Dependencies are resolved natively by Bytesafe. In some cases this can deviate in what version is resolved compared to what the ecosystem build tools would. Only direct dependencies are identified.
DIRECT Only direct dependencies are identified.
NONE No dependencies are identified. Add the appropriate project-, and lock-file to the repository for analysis.

Source repositories

Bytesafe allows users to add Git repositories as well as SBOMs for continuous dependency and weakness analysis.

Most projects use open source dependencies. The direct dependencies are listed in project files like package.json (npm), pom.xml (Maven) or .csproj (NuGet). Direct dependencies often have dependencies of their own - transitive dependencies, which makes the total number of dependencies much larger.

The Source Repository Scanner detects components in your repositories and uses existing lock files and project files to identify both direct and transitive dependencies.

Add a source repository (Git)

New source repositories can be added using either the URL of a Git repository or selected directly from a list of linked GitHub repositories when using the GitHub integration.

Add a Git source repository

If the Git repository you are adding is private, provide credentials in the form.

Git branch information is optional. If none is provided the default branch will be selected.

Private GitHub repositories (without the GitHub integration) require a personal access token as the password. No username is required.

Import SBOM

New source repositories can be added using a CycloneDX formatted JSON SBOM by clicking on the Import SBOM in the web interface: Import an SBOM file

To use in existing CI/CD workflows, an SBOM can also be imported using the following API call:

$ cat sbom.json | curl -d@- \

-H 'Content-Type: application/json' \

-H 'Authorization: Bearer <TOKEN>' https://<WORKSPACE>

The /import/sbom API endpoint takes the following parameters

Parameter Description
name Overides the detected name in to SBOM

After adding a source repository, users are presented with a list of detected components. Select a component or view issues, the log and history in the available tabs on the page.

Tab Description
Components List of components found by the scanner. Based on identified project files, e.g. package.json for an npm project.
Issues Lists issues filtered for the source repository (all components)
Log Log for the latest snapshot created.
History List the snapshot history for the source repository together with the Git commit for that snapshot. Select a snapshot from history to see details.
Settings Settings for the source repository. Edit the repository URL or delete the source repository from Bytesafe.

Select Git branch

If no other information is provided Bytesafe selects the default Git branch when adding a Git repository.

To select another branch, enter the branch name either when adding a new Source repository or edit the settings of a current one on the Settings tab.

Select Git branch for a source repository

Scan frequency

Source repositories are scanned every 24 hours, starting from the point in time when a source repository was added. In addition, repositories are scanned vulnerabilities are added or updated in our database.

Additionally, users can enable rescan automation by adding the GitHub integration. Whenever project or lockfile changes are detected in a commit, Bytesafe will automatically scan the repository and create a new snapshot.

Trigger scan manually

In addition to scheduled and automated scans on changes, users can trigger scans manually in Bytesafe.

On any source repository page, click the Rescan button to create a new snapshot.

Trigger source repository scan manually in Bytesafe

Detected components

The source repository scanner will detect components in folders up to three levels deep from the root of the project.

Multilanguage monorepos are supported, so multiple components of different types can be detected in the same repository.

components identified by the source repository scanner in Bytesafe

Components and their types are identified based on identified project files, e.g. package.json for a npm project.

Select a component to view the detected dependencies, download SBOMs, review issues, read the log and see previous snapshot history.


Issues are automatically created when vulnerabilities are found for dependencies identified by the source repository scanner.

Issues can be searched and filtered on status, type and severity. For general information see Issues.

issues for a source repository component

Users will automatically be notified of any found issues.


The source repository scanner analyzes lock files and project files to identify the exact dependencies and versions used for a component at a specific time.

Dependencies found will be displayed in the Dependencies list.

The list includes the package name and version, but also information on the type (direct or transitive dependency) as well as the scope (production, development, or test).

Identified dependencies for a source repository component


The snapshot creation log details information relating to the creation of a snapshot. This includes information on the number of dependencies, issues and source files.

The log can also be used to troubleshoot failed or missing snapshots, missing components etc.

Log for a source repository component snapshot


Source repositories are periodically scanned according to the scan frequency. Each scan creates a snapshot that contains the state of the source repository at a specific time and commit. The history tab allows users to view their history of snapshots and easily switch between them.

Snapshot history for a source repository component

Integration with GitHub

With an active GitHub integration source repository analysis in Bytesafe can be added for any linked GitHub repository.

Select the GitHub tab when adding a new source repository, open the drop down list and select a repository.

add source repository using GitHub integration in Bytesafe

Rescan automation when detecting changes

A main benefit of the GitHub integration is that source repositories and components will automatically be rescanned when changes are detected in project files in the repository.

When a new commit alters the package dependencies in the GitHub repository, the integration automatically notifies Bytesafe.

Software Bill of Materials (SBOM)

Software Bill of Materials (SBOM) are standardized and shareable lists of the components in a piece of software.

SBOMs in Bytesafe are JSON files in a CycloneDX format.

# Example: SBOM JSON file for the Bytesafe source repo demo component


"bomFormat": "CycloneDX",

"specVersion": "1.4",

"serialNumber": "urn:uuid:ceafb7f8-996e-11ec-96f6-0213bb11c0fe",

"version": 1,

"metadata": {

"timestamp": "2022-02-28T20:14:17Z",

"tools": [


"vendor": "Bytesafe",

"name": "Bytesafe SBOM generator",

"version": "1.0.0"



"component": {

"bom-ref": "pkg:npm/bitfront-se/bytesafe-source-repo-demo@1.2.3?repository_url=https:/",

"type": "library",

"name": "bytesafe-source-repo-demo",

"version": "1.2.3",

"purl": "pkg:npm/bitfront-se/bytesafe-source-repo-demo@1.2.3?repository_url=https:/"



"components": [


"bom-ref": "pkg:npm/%40babel/runtime@7.17.2",

"type": "library",

"group": "@babel",

"name": "runtime",

"version": "7.17.2",


SBOMs can be downloaded either for a specific component or for all the components found in a source repository.

To export an SBOM, click the Download SBOM button on the applicable page.

download sbom json file for a component from Bytesafe

For more information on the CycloneDX format, visit

Integration with Trivy and Github Actions

Using Trivy and Github Actions to keep track of your application’s dependencies and potential vulnerabilities is easy and quick to set up. By using the two extra steps in your build pipeline you get notified when new vulnerabilities are discovered and issues are automatically closed when fixed, without need to track and update issues manually.

- name: Run Trivy vulnerability scanner in fs mode

uses: aquasecurity/trivy-action@0.11.0


scan-type: 'fs'

scan-ref: '.'

format: 'cyclonedx'

exit-code: '1'

output: trivy-sbom.json

Once the CycloneDX formatted SBOM is created above, next step sends it to your Bytesafe workspace.

- name: Upload SBOM to Bytesafe



BYTESAFE_ENDPOINT: https://<workspace>

run: |

curl --fail -d@trivy-sbom.json -H 'Content-Type: application/json' \

-H "Authorization: Bearer $BYTESAFE_TOKEN" \


Note We use the parameter name in the API call above to override the name in the SBOM (which in the above case would just have been .)