Scanning your code
Scanning is the core way Black Duck identifies open source components, licenses, and known vulnerabilities in your codebase. When you run a scan, Black Duck analyzes your project files and generates a comprehensive Bill of Materials (BOM), helping you stay compliant, secure, and informed.
What does a Black Duck scan do?
Black Duck scans your codebase to:
- Identify open source components and their versions
- Detect known security vulnerabilities using sources like the National Vulnerability Database (NVD) and Black Duck Security Advisories (BDSA)
- Evaluate license risk and compliance
- Generate a BOM for auditing and reporting
- Enforce custom policies based on your organization's risk tolerance
Scans can be triggered during development, in CI/CD pipelines, or manually—depending on how you choose to integrate Black Duck.
Available scanning tools
Black Duck offers a variety of tools to suit different environments and workflows:
- Black Duck Detect (CLI): A flexible command-line tool that scans source code, binaries, and containers. It can be run in a local development environment or integrated into CI/CD pipelines, and it is the recommended scanning tool for Black Duck.
- Signature Scanner (CLI): A dedicated command-line tool for running signature-based scans. Best suited for environments where Detect is not ideal or where direct control over scan configuration is required.
- Black Duck plugin integrations: Prebuilt integrations for popular tools like:
  - Jenkins
  - Azure DevOps
  - GitHub Actions
  - Bitbucket Pipelines
- SCA Scan Service (SCASS): A scalable cloud-based scanning service for source, binary, and container analysis. Available for customers with the appropriate license.
- REST API: The Black Duck API lets you automate scan uploads, retrieve results, and manage project data from your own scripts and tooling.