Code & Dependencies

Overview

This area covers your application’s own code and the open-source it depends on: static code analysis, data-flow analysis, dependency (software-composition) scanning, a generated SBOM, and license checks.

Key benefits

Benefit	Capability	Business value
Find code flaws	Code security + code-flow analysis	Catch vulnerabilities before they ship
Know your supply chain	Dependency (SCA) scanning + SBOM	See every component and its known risks
Stay compliant	License scanning	Avoid license violations in dependencies

How it works

Code security & code-flow analysis

The Code Security scanner inspects source for vulnerable patterns, and Code Flow Analysis traces how data moves through the code (a code-property-graph approach) to find issues that only appear along a path — surfacing exploitable flaws rather than surface-level matches.

Dependency scanning (SCA) & SBOM

Dependency Analysis identifies your open-source components and their known vulnerabilities. The SBOM Generator produces a Software Bill of Materials, and an enrichment step adds vulnerability and license context to each component.

License scanning

The License Scanner flags dependency licenses that conflict with your policy, so legal/compliance risk is caught alongside security risk.

Implementation / workflow

Point the scanners at your repository or build (directly or via CI — see IaC Security for VCS/CI hooks).
Review code findings and dependency vulnerabilities.
Generate and store an SBOM for the build.
Triage results in ASPM alongside cloud findings.

Best practices

Generate an SBOM per release so you can answer “are we affected?” instantly when a new CVE lands.
Prioritize dependency vulnerabilities that are actually reachable in your code.