> ## Documentation Index
> Fetch the complete documentation index at: https://zeropath.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# SCA Overview

> How ZeroPath discovers, prioritizes, and remediates risk in your software supply chain

ZeroPath's Software Composition Analysis (SCA) maps every dependency your code
pulls in — direct and transitive — matches it against known vulnerabilities and
license data, and assesses whether the vulnerable code is actually reachable in
your application — invoked, not just imported. Reachability and exploitability are
AI-assisted signals that help you triage the findings most likely to matter first.
Dependency findings, license exposure, an AI component inventory, and
scan-coverage health all live together on the **Supply Chain** page.

This overview explains the moving parts at a high level and points you to a
dedicated page for each capability.

## What ZeroPath SCA gives you

<Columns cols={2}>
  <Card title="Supported ecosystems & coverage" icon="boxes-stacked" href="/sca/ecosystems">
    Dependency resolution across 13 ecosystems, and exactly what each one needs
    for full transitive coverage.
  </Card>

  <Card title="Reachability & exploit signals" icon="route" href="/sca/reachability">
    Whether the vulnerable code path is really invoked, plus CISA KEV and FIRST
    EPSS exploit intelligence for prioritization.
  </Card>

  <Card title="Coverage & warnings" icon="gauge-high" href="/sca/coverage">
    How completely your supply chain was scanned, and how to clear remaining gaps.
  </Card>

  <Card title="License compliance" icon="scale-balanced" href="/sca/licenses">
    Per-package SPDX licenses, enriched and grouped into informational obligation
    categories, so legal and compliance reviews start from the same data the
    scanners used.
  </Card>

  <Card title="AI Inventory (AI-BOM)" icon="robot" href="/sca/ai-inventory">
    A bill of materials for the AI in your codebase: SDKs, agent frameworks,
    MCP servers, model files, and agent configs.
  </Card>

  <Card title="Auto-remediation & alerts" icon="code-pull-request" href="/sca/remediation">
    Automatic upgrade PRs with safe-version selection, plus proactive CVE alerts
    for packages you already depend on.
  </Card>

  <Card title="Blast radius" icon="explosion" href="/sca/blast-radius">
    Which call sites in your code an upgrade actually touches, classified by
    risk, attached to each patch.
  </Card>

  <Card title="SBOM exports" icon="file-export" href="/sca/sbom-exports">
    CycloneDX, SPDX, and VEX artifacts generated from the same inventory the UI
    shows.
  </Card>
</Columns>

## How dependency data gets in

ZeroPath builds its inventory from your scans. There are three ways a dependency
ends up analyzed:

<Tabs>
  <Tab title="Full scan with SCA">
    SCA is enabled in scanner settings by default, so every full scan also parses
    manifests and lockfiles. Dependency findings appear on both the **Issues**
    page and the **Supply Chain** page, alongside your SAST and other results.
  </Tab>

  <Tab title="Scheduled SCA scan">
    Configure a dependency-only scan on any cron cadence, independent of full
    scans, to keep your inventory fresh between code pushes. Scheduled scans are
    incremental: when your code has not changed since the last run, ZeroPath
    reuses prior resolution and focuses on what is new. A newly published advisory
    can still surface a finding on unchanged code. Results appear on the
    **Supply Chain** page.
  </Tab>

  <Tab title="Pull request scan">
    PR scans analyze the dependencies touched by a diff, so a risky new package
    or version bump is caught at review time.
  </Tab>
</Tabs>

<Info>
  The Supply Chain page can show **more** dependency findings than the Issues page.
  That is expected: scheduled SCA scans run on their own cadence and may surface
  issues a full scan hasn't picked up yet. For the most complete view of your
  dependency posture, use the Supply Chain page.
</Info>

## The Supply Chain page

The Supply Chain page is the dedicated SCA dashboard. It is organized around four
questions, and the deep-dive pages above map onto them:

* **Where do I stand?** — a posture summary: scan coverage, exploitability, and
  what to fix first.
* **What should I fix?** — dependency findings, viewable as individual
  occurrences or grouped per CVE across every affected repository. Filter by
  severity, ecosystem, and [reachability](/sca/reachability). When a Wiz
  integration is connected, you can also filter by cloud exposure to prioritize
  packages in internet-facing applications. Filter state is reflected in the URL,
  so any view can be bookmarked or shared.
* **What's in my supply chain?** — the inventory: [dependencies](/sca/ecosystems),
  [licenses](/sca/licenses), and [AI components](/sca/ai-inventory).
* **How complete was the scan?** — [coverage](/sca/coverage): which manifests
  resolved, which didn't, and the warnings that explain any gaps.

Each finding is enriched with real-world [exploit intelligence](/sca/reachability):
CISA KEV (known-exploited) and FIRST EPSS (exploit probability), so you can
prioritize what is actively being exploited. Findings link to their upstream
advisory and show the associated CVE. When a dependency finding is linked to a
SAST finding, that finding's score sets its severity, so the Issues and Supply
Chain pages stay consistent.

<Note>
  The Supply Chain dashboard is in **Early Access** and its layout is still
  evolving; this guide refers to capabilities rather than specific tab names.
</Note>

## End to end, per scan

<Steps>
  <Step title="Checkout">
    ZeroPath clones the repo and pins the commit so results are consistent across
    scans.
  </Step>

  <Step title="Application discovery">
    An AI-assisted analyzer maps your services and modules (e.g. `/apps/payments`)
    so each dependency is attributed to the application that uses it.
  </Step>

  <Step title="Dependency resolution">
    Manifests and lockfiles are parsed into a graph of direct and transitive
    packages, with versions, dependency paths, and license signals. See
    [Supported ecosystems](/sca/ecosystems) for what each ecosystem needs.
  </Step>

  <Step title="License enrichment">
    Manifest-declared licenses are enriched and recorded as a normalized SPDX
    license string per package. See [License compliance](/sca/licenses).
  </Step>

  <Step title="Reachability analysis">
    For each vulnerable package, ZeroPath assesses whether the vulnerable code
    path is actually reachable. See [Reachability](/sca/reachability).
  </Step>

  <Step title="Inventory, findings & exports">
    The normalized inventory, application map, and validated findings are stored
    once, so the UI, APIs, [SBOM exports](/sca/sbom-exports), and alerts all draw
    from a single source of truth.
  </Step>
</Steps>

## Getting started

<Steps>
  <Step title="Keep SCA enabled">
    Scanner settings include SCA by default — leave it on so every full scan
    collects dependency findings.
  </Step>

  <Step title="Add a recurring SCA scan">
    Schedule a dependency-only scan (daily/weekly) so your inventory stays current
    between full scans, and point it at the branches you actually deploy.
  </Step>

  <Step title="Close coverage gaps">
    Check the [coverage](/sca/coverage) view and commit any missing lockfiles so
    transitive dependencies are fully resolved.
  </Step>

  <Step title="Turn on remediation where it fits">
    Enable [auto-remediation and CVE alerting](/sca/remediation) with thresholds
    aligned to your risk tolerance.
  </Step>

  <Step title="Wire up SBOMs">
    Once inventories exist, generate [CycloneDX/SPDX/VEX exports](/sca/sbom-exports)
    for procurement, compliance, or downstream tooling.
  </Step>
</Steps>
