Skip to main content
ZeroPath’s Software Composition Analysis (SCA) maps every dependency your code pulls in — direct and transitive — matches it against known vulnerabilities and license data, and assesses whether the vulnerable code is actually reachable in your application — invoked, not just imported. Reachability and exploitability are AI-assisted signals that help you triage the findings most likely to matter first. Dependency findings, license exposure, an AI component inventory, and scan-coverage health all live together on the Supply Chain page. This overview explains the moving parts at a high level and points you to a dedicated page for each capability.

What ZeroPath SCA gives you

Supported ecosystems & coverage

Dependency resolution across 13 ecosystems, and exactly what each one needs for full transitive coverage.

Reachability & exploit signals

Whether the vulnerable code path is really invoked, plus CISA KEV and FIRST EPSS exploit intelligence for prioritization.

Coverage & warnings

How completely your supply chain was scanned, and how to clear remaining gaps.

License compliance

Per-package SPDX licenses, enriched and grouped into informational obligation categories, so legal and compliance reviews start from the same data the scanners used.

AI Inventory (AI-BOM)

A bill of materials for the AI in your codebase: SDKs, agent frameworks, MCP servers, model files, and agent configs.

Auto-remediation & alerts

Automatic upgrade PRs with safe-version selection, plus proactive CVE alerts for packages you already depend on.

Blast radius

Which call sites in your code an upgrade actually touches, classified by risk, attached to each patch.

SBOM exports

CycloneDX, SPDX, and VEX artifacts generated from the same inventory the UI shows.

How dependency data gets in

ZeroPath builds its inventory from your scans. There are three ways a dependency ends up analyzed:
SCA is enabled in scanner settings by default, so every full scan also parses manifests and lockfiles. Dependency findings appear on both the Issues page and the Supply Chain page, alongside your SAST and other results.
The Supply Chain page can show more dependency findings than the Issues page. That is expected: scheduled SCA scans run on their own cadence and may surface issues a full scan hasn’t picked up yet. For the most complete view of your dependency posture, use the Supply Chain page.

The Supply Chain page

The Supply Chain page is the dedicated SCA dashboard. It is organized around four questions, and the deep-dive pages above map onto them:
  • Where do I stand? — a posture summary: scan coverage, exploitability, and what to fix first.
  • What should I fix? — dependency findings, viewable as individual occurrences or grouped per CVE across every affected repository. Filter by severity, ecosystem, and reachability. When a Wiz integration is connected, you can also filter by cloud exposure to prioritize packages in internet-facing applications. Filter state is reflected in the URL, so any view can be bookmarked or shared.
  • What’s in my supply chain? — the inventory: dependencies, licenses, and AI components.
  • How complete was the scan?coverage: which manifests resolved, which didn’t, and the warnings that explain any gaps.
Each finding is enriched with real-world exploit intelligence: CISA KEV (known-exploited) and FIRST EPSS (exploit probability), so you can prioritize what is actively being exploited. Findings link to their upstream advisory and show the associated CVE. When a dependency finding is linked to a SAST finding, that finding’s score sets its severity, so the Issues and Supply Chain pages stay consistent.
The Supply Chain dashboard is in Early Access and its layout is still evolving; this guide refers to capabilities rather than specific tab names.

End to end, per scan

1

Checkout

ZeroPath clones the repo and pins the commit so results are consistent across scans.
2

Application discovery

An AI-assisted analyzer maps your services and modules (e.g. /apps/payments) so each dependency is attributed to the application that uses it.
3

Dependency resolution

Manifests and lockfiles are parsed into a graph of direct and transitive packages, with versions, dependency paths, and license signals. See Supported ecosystems for what each ecosystem needs.
4

License enrichment

Manifest-declared licenses are enriched and recorded as a normalized SPDX license string per package. See License compliance.
5

Reachability analysis

For each vulnerable package, ZeroPath assesses whether the vulnerable code path is actually reachable. See Reachability.
6

Inventory, findings & exports

The normalized inventory, application map, and validated findings are stored once, so the UI, APIs, SBOM exports, and alerts all draw from a single source of truth.

Getting started

1

Keep SCA enabled

Scanner settings include SCA by default — leave it on so every full scan collects dependency findings.
2

Add a recurring SCA scan

Schedule a dependency-only scan (daily/weekly) so your inventory stays current between full scans, and point it at the branches you actually deploy.
3

Close coverage gaps

Check the coverage view and commit any missing lockfiles so transitive dependencies are fully resolved.
4

Turn on remediation where it fits

Enable auto-remediation and CVE alerting with thresholds aligned to your risk tolerance.
5

Wire up SBOMs

Once inventories exist, generate CycloneDX/SPDX/VEX exports for procurement, compliance, or downstream tooling.