SCA

Software Composition Analysis

Knowing what your software is made of means knowing your attack surface. And only those who know their attack surface can build a meaningful defence. TrustSource delivers the exact component inventory — automated, complete, and auditable.

At a Glance

SBOM Standards

Full support for CycloneDX and SPDX — interoperable with third-party scanners and compatible with all regulatory requirements.

100M+ Component Versions

Our knowledge database covers over 100 million component versions, delivering reliable and up-to-date matches with every scan.

Open-Source Tooling

ts-scan is available as an open-source CLI tool and integrates seamlessly into GitHub Actions, GitLab CI and Jenkins.

All Common Languages

C, C++, C#, Rust, Go, Python, Java, JavaScript, TypeScript and more — ts-scan analyses all major ecosystems.

All Package Managers

Maven, NuGet, Gradle, pip, Swift, Debian, APK, RPM and more — regardless of which stack your team uses.

Containers & Dockerfiles

Dockerfiles and container images are analysed just like source-code dependencies — complete SBOM coverage down to runtime level.

The Challenge

Modern software projects consist of more than 80% third-party components — open-source libraries, frameworks, runtime environments. Each of these components can harbour vulnerabilities, carry problematic licences, or be compromised with malicious code. Without knowing what is inside your software, there is no way to assess the risk — let alone meet regulatory disclosure obligations such as the Cyber Resilience Act.

How SCA works with TrustSource

ts-scan analyses lockfiles, manifests and container images to produce a complete SBOM in CycloneDX or SPDX format — directly in your pipeline's build step. Results are automatically pushed to the TrustSource platform, where they are matched against the knowledge database, checked for vulnerabilities, and retained for audits.
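To make the lockfile-to-SBOM step described above concrete, here is an added Python example written for this page (not ts-scan's own implementation): it reads a constructed pip-style pinned requirements file and emits a minimal CycloneDX 1.5 JSON document with a Package URL per component. The lockfile contents, application name and version are assumed sample values.

```python
import json
import re
from collections import OrderedDict

# Constructed sample lockfile (pip-style exact pins); not taken from any real project.
SAMPLE_LOCKFILE = """\
# requirements.txt (constructed sample)
requests==2.31.0
urllib3==2.0.7
certifi==2023.7.22
Requests==2.31.0
"""

# Matches "name==version", ignoring trailing markers and comments.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize_name(name: str) -> str:
    # PEP 503 normalisation so "Requests" and "requests" become one component.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned(lockfile_text: str) -> list:
    """Return unique (name, version) pairs for exact pins; comments and duplicates are dropped."""
    seen = OrderedDict()
    for line in lockfile_text.splitlines():
        m = PIN_RE.match(line)
        if m:
            seen.setdefault((normalize_name(m.group(1)), m.group(2)), None)
    return list(seen)


def to_cyclonedx(pairs, app_name="example-app", app_version="0.1.0") -> dict:
    """Build a minimal CycloneDX 1.5 JSON document with a pkg:pypi purl per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in pairs
        ],
    }


def sbom_from_lockfile(lockfile_text: str) -> dict:
    return to_cyclonedx(parse_pinned(lockfile_text))


if __name__ == "__main__":
    print(json.dumps(sbom_from_lockfile(SAMPLE_LOCKFILE), indent=2))
```

The resulting document is what a platform such as the one described above would match against a vulnerability knowledge base; the duplicate "Requests" line collapses into the single "requests" component.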

ts-scan is open source and free to use: GitHub repository · Documentation

Supported Ecosystems

ts-scan covers all common languages and package managers — from low-level C/C++ to modern TypeScript stacks, from classic Maven projects to container images.