Software Composition Analysis (SCA) scans the project’s dependency tree against known vulnerability databases (CVE, OSV). Container image scanning examines base images, installed packages, and system libraries for known vulnerabilities. Together, these tools protect against supply chain attacks and ensure that the deployed system does not contain known-vulnerable components.
SCA tools (Snyk, Dependabot, pip-audit) run on every code commit via the CI pipeline. Container image scanning tools (Trivy, Grype, Snyk Container) run on every container build. Both layers also run periodically against deployed systems (daily or weekly) to catch vulnerabilities disclosed after deployment. The four-layer scanning architecture covers application dependencies, container images, infrastructure configurations, and operating system packages.
Findings are prioritised by severity and tracked in the vulnerability management register. Critical and high-severity findings block merges (for CI scans) or trigger expedited remediation (for production scans). The scanning configuration, results, and remediation records are retained as Module 9 evidence.
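The severity gate described above, as an added example that is not part of this document or of any of the named tools: a Python script that flattens a scan report, sorts findings worst-first, and applies the Critical/High rule, blocking the merge for a CI scan and flagging expedited remediation for a production scan. The report layout follows Trivy's JSON output (a "Results" list with per-target "Vulnerabilities") as an assumption; the CVE IDs, package names and versions are constructed placeholders.

```python
import json
import sys
from collections import Counter

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}
BLOCKING = {"CRITICAL", "HIGH"}  # block merges (CI) or trigger expedited remediation (prod)

# Constructed sample report in the "Results" -> "Vulnerabilities" layout Trivy's JSON
# output uses (an assumption); the CVE IDs, packages and versions are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app/requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
         "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "debian (12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample",
         "InstalledVersion": "0.9", "FixedVersion": "0.9-1", "Severity": "CRITICAL"}]}]})

def load_findings(report_json):
    """Flatten a report into one dict per finding, sorted worst severity first."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is null when a target is clean
            findings.append({"target": result.get("Target", ""), "id": v.get("VulnerabilityID", ""),
                             "package": v.get("PkgName", ""), "installed": v.get("InstalledVersion", ""),
                             "fixed": v.get("FixedVersion", ""),
                             "severity": v.get("Severity", "UNKNOWN").upper()})
    return sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))

def gate(findings, context):
    """Apply the severity policy; context is 'ci' (merge gate) or 'production' (periodic scan)."""
    if context not in ("ci", "production"):
        raise ValueError(f"unknown scan context: {context}")
    blocking = [f for f in findings if f["severity"] in BLOCKING]
    if not blocking:
        decision = "pass"
    elif context == "ci":
        decision = "block_merge"
    else:
        decision = "expedited_remediation"
    return {"decision": decision, "counts": dict(Counter(f["severity"] for f in findings)),
            "blocking": blocking}

if __name__ == "__main__":
    result = gate(load_findings(SAMPLE_REPORT), sys.argv[1] if len(sys.argv) > 1 else "ci")
    for f in result["blocking"]:  # the entries that go into the vulnerability register
        print(f"{f['severity']:<8} {f['id']} {f['package']} {f['installed']} -> {f['fixed'] or 'no fix'} [{f['target']}]")
    print("decision:", result["decision"], result["counts"])
    sys.exit(1 if result["decision"] == "block_merge" else 0)  # non-zero exit fails the CI job
```

Run with `ci` (the default) or `production` as the first argument; a real pipeline would feed the scanner's report file in place of the embedded sample.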
Key outputs
- SCA scanning on every commit; container scanning on every build
- Periodic scanning of deployed systems
- Four-layer scanning architecture
- Module 9 AISDP evidence