Scanning Your Code

Scanning is the core way Black Duck SCA identifies open source components, licenses, and known vulnerabilities in your codebase. When you run a scan, Black Duck SCA analyzes your project files and generates a comprehensive Bill of Materials (BOM), helping you stay compliant, secure, and informed.

What does a Black Duck SCA scan do?

Black Duck scans your codebase to:

  • Identify open source components and their versions

  • Detect known security vulnerabilities using sources like the National Vulnerability Database (NVD) and Black Duck Security Advisories (BDSA)

  • Evaluate license risk and compliance

  • Generate a BOM for auditing and reporting

  • Enforce custom policies based on your organization's risk tolerance

Scans can be triggered during development, in CI/CD pipelines, or manually—depending on how you choose to integrate Black Duck SCA.

Available scanning tools

Black Duck offers a variety of tools to suit different environments and workflows:

  • SCM Onboarding UI

    Use the SCM Onboarding UI for a streamlined setup process, currently supporting GitHub.com only. This interface simplifies integration and helps you quickly onboard projects. For detailed instructions, see the GitHub Black Duck Integration documentation.

  • Action Integrations

    For other SCM platforms, the action integrations provide flexible options to incorporate Black Duck into your existing workflows. Quickstart guides, such as the GitLab SCA Quickstart Guide, assist in setting up scanning seamlessly.

  • Detect CLI

    The Black Duck Detect CLI gives advanced users a powerful, customizable scanning tool for source code, binaries, and containers. It supports integration into CI/CD pipelines, with commands documented for both Linux (Bash) and Windows (PowerShell) environments.

  • Detect Desktop

    Detect Desktop is a user-friendly desktop application that lets you scan projects without using the command line.

  • Code Sight IDE

    Code Sight integrates directly into your development environment to deliver real-time scanning and vulnerability insights, helping developers identify and address issues as they code.

Note: Some features may require a specific license or configuration. Contact your administrator if you are unsure which scanning tools are available in your environment.