
CleanSource SCA

Software composition analysis & open-source compliance

See every open-source component — keep open source safe and compliant

A patented snippet-level engine builds complete, traceable SBOMs, maps multi-source vulnerability data, and governs license risk.

Illustration (patented engine, SBOM · dependencies panel): spring-core 5.3.31 ✓ · log4j-core 2.14.1 · CVE-2021-44228 · jackson-databind 2.9.10 · review · commons-text 1.10.0 ✓ · License: GPL-3.0 conflict ×1
3T+ code fingerprints · 320M+ components · 270K+ vulnerability intelligence entries · 600+ ecosystems

Components, dependencies, and vulnerabilities are cross-mapped.
Capabilities

A complete, accurate, traceable view of open-source risk

From component identification to compliance governance — across the full lifecycle of introduce, detect, fix, and manage.

01

Patented probing engine

A proprietary multi-dimensional probing technique analyzes programs quickly and accurately, with per-file scanning at microsecond scale.

02

Snippet-level identification

Identifies open-source composition down to the code-snippet level, covering the full relationship of direct and transitive dependencies.

03

SBOM generation

Outputs complete SBOMs in standard SPDX or CycloneDX, meeting NTIA minimum elements and boosting supply-chain transparency.

04

Multi-source vuln mapping

Maps against CVE, CNVD, CNNVD, EUVD, and CSSA, with customizable policy priority and granularity to fix the most critical issues first.

05

License compliance

Pinpoints license conflicts and pairs SBOM data as structured evidence for compliance and legal defense, mitigating IP risk.

06

Container image scanning

Extends beyond source into the container image layer, securing open-source components inside images.

Precise · snippet-level

Snippet-level fingerprint matching

Precise matching against a massive component corpus identifies copied, trimmed, or renamed open-source snippets — and surfaces license tampering.

Snippet fingerprints

Fingerprints functions/snippets — no reliance on declared package names.

Exact match

Pinpoints the specific component and version.

Tampering visible

Flags components with altered license or code.

Illustration (snippet-level matching): code snippet → fingerprint → fingerprint DB match; openssl 1.1.1 exact match · zlib 1.2.11 · lib-x 2.0 license tampered!

Illustration (SBOM, SPDX · CycloneDX): openssl 1.1.1 · zlib 1.2.11 · log4j-core 2.14 (CVE) · libpng 1.6.37 · curl 7.79
Transparent · inventory

Automated SBOM generation

Scanning produces a standardized software bill of materials (SPDX / CycloneDX), annotating each component with version, license, and known vulnerabilities.

Standard formats

One-click export to SPDX / CycloneDX.

Fully traceable

Components, versions, licenses, and dependencies — complete.

Vuln-linked

CVE / CNVD mapped right onto the inventory.
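As an added example (not CleanSource's code), the following builds a minimal CycloneDX 1.4 JSON SBOM from a resolved dependency list and annotates it the way the section above describes: each component carries its version and license, known vulnerabilities are cross-mapped onto the inventory, and a license policy flags conflicts. The component list, advisory feed, license policy, and the example-lib entry are constructed; the Maven groupId is omitted from the purl for brevity.

```python
import json

def _ver(v):
    """Turn '2.14.1' into (2, 14, 1) for ordering; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

# Constructed inventory; example-lib and its license are made up to show a policy hit.
COMPONENTS = [
    {"name": "spring-core", "version": "5.3.31", "license": "Apache-2.0"},
    {"name": "log4j-core", "version": "2.14.1", "license": "Apache-2.0"},
    {"name": "jackson-databind", "version": "2.9.10", "license": "Apache-2.0"},
    {"name": "commons-text", "version": "1.10.0", "license": "Apache-2.0"},
    {"name": "example-lib", "version": "1.0.0", "license": "GPL-3.0-only"},
]
# Constructed advisory feed: one real CVE with a simplified affected range,
# written as a half-open interval [introduced, fixed).
ADVISORIES = [
    {"id": "CVE-2021-44228", "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
]
# Constructed policy: copyleft licenses are not allowed in this closed-source product.
DENIED_LICENSES = {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}

def build_sbom(components, advisories, denied):
    """Return a CycloneDX 1.4 dict and the list of bom-refs with license conflicts."""
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
           "components": [], "vulnerabilities": []}
    conflicts = []
    for c in components:
        # A generic purl doubles as the bom-ref that vulnerabilities point at;
        # a real Maven purl would also carry the groupId.
        ref = f"pkg:generic/{c['name']}@{c['version']}"
        bom["components"].append({"type": "library", "bom-ref": ref, "purl": ref,
                                  "name": c["name"], "version": c["version"],
                                  "licenses": [{"license": {"id": c["license"]}}]})
        if c["license"] in denied:
            conflicts.append(ref)
        for a in advisories:
            if (a["name"] == c["name"]
                    and _ver(a["introduced"]) <= _ver(c["version"]) < _ver(a["fixed"])):
                bom["vulnerabilities"].append({"id": a["id"], "affects": [{"ref": ref}]})
    return bom, conflicts

if __name__ == "__main__":
    sbom, bad = build_sbom(COMPONENTS, ADVISORIES, DENIED_LICENSES)
    print(json.dumps(sbom, indent=2))
    print("license conflicts:", bad)
```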

Vuln Intelligence / CSSA

CSSA exclusive intelligence — weeks ahead of public CVEs

CleanSource SCA's multi-source vulnerability mapping is powered by CSSA (CleanSource Security Advisory) — proactively sensing risk from upstream commits, maintainer discussions, security mailing lists, and package-registry behavior, so you assess exposure before a vulnerability becomes a public event.

Pre-CVE vulnerability sensing

Captures risk from upstream commits, maintainer discussions, and security mailing lists weeks ahead of public CVE / CNVD disclosure.

Poisoning intelligence

Flags supply-chain poisoning — malicious package injection, typosquatting, and maintainer account takeover — the moment it surfaces.

AI supply-chain targeting

Extends vulnerability and poisoning intel into the MCP Server and AI Skills ecosystems, carrying coverage into the Agent era.

CSSA · disclosure timeline
D+0: CSSA exclusive disclosure (upstream commits · maintainer chatter · poisoning patterns)
D+3: poisoning intel captured (malicious injection · typosquatting · account takeover)
D+30+: CVE / NVD public (when everyone else finds out)
Integrations

Plugs into SDLC and CI/CD toolchains

Jenkins · GitLab CI · GitHub Actions · Package managers · Container platforms · API / SDK · IDE plugins
Community

Want a lightweight start? Try the Community Edition

Built for OSPOs, individual developers, and small teams, CleanSource SCA CE opens up its CLI and part of its module source code, available on sign-up.

cleansource-ce · CLI
$ cleansource scan ./my-project
› Resolving deps .... 142 components
› Generating SBOM ... spdx · cyclonedx
› Vulns ............ 3 high · 7 medium
› Licenses ......... 1 conflict
✓ Report generated · report.html
Get Started

Keep open source safe and compliant

Book a demo and see how CleanSource SCA gives your supply chain a complete composition and compliance view.