Know what you ship.
SBOMs, dependency and license risk, CVE watchlists, exploit feeds, blast-radius, and signed build provenance — for everything you ship.
What Sandworm SCA does.
SBOM & dependency graph
Generates a software bill of materials for every artifact and maps the full transitive dependency graph — so you know exactly what is in every release.
License policy & matrix
Enforces the license rules your legal team set, flags policy violations on every build, and maintains a cross-project license matrix for audit.
CVE watchlist
Tracks CVEs against your exact dependency versions and alerts the moment a new vulnerability affects something you ship.
Exploit feed
Enriches CVE data with active exploit availability — so your triage prioritizes the CVEs that attackers are already using, not just the ones with high CVSS scores.
CVE blast-radius across your projects
A single query shows which of your projects are affected by a given CVE, how many users are exposed, and which teams need to act first.
Build provenance & pipeline health
Signs build attestations so you can prove what was built, when, from what source, and by which pipeline — and surfaces pipeline health regressions before they become incidents.
How Sandworm SCA works
1. Connect your repositories and registries
Point Sandworm SCA at your source repositories (GitHub, GitLab) and package registries (npm, PyPI, Maven). It indexes every declared and transitive dependency without requiring changes to your build scripts.
2. Generate and store SBOMs per build
Each CI pipeline run produces a signed SBOM in SPDX or CycloneDX format. Sandworm SCA stores it alongside your artifact so the bill of materials is always linked to the exact build it describes.
3. Continuous CVE and license monitoring
Sandworm SCA watches NVD, OSV, and curated exploit feeds against your indexed dependency versions. When a new CVE lands or an exploit goes public, it calculates blast-radius across all your projects and opens a triage item.
4. Triage, remediate, and attest
Engineers see affected projects ranked by exposure. Once a fix is merged and the pipeline re-runs, Sandworm SCA verifies the updated SBOM and closes the finding — giving you a signed, auditable remediation trail.
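To make the monitoring and triage steps concrete, here is an added illustration (not Sandworm's own code) of how a blast-radius query works on CycloneDX-style SBOM data: constructed SBOM fragments for three projects are matched against constructed advisories, affected projects are ranked by exposed users, and advisories are ordered with exploit availability ahead of raw CVSS. The `owner` and `users` fields and the placeholder CVE IDs are assumptions for the example.

```python
from typing import List, Tuple

# Constructed CycloneDX-style SBOM fragments (1.5 "components" shape with purls),
# one per project. "owner" and "users" are assumed per-project annotations the
# platform would hold; they are not part of the CycloneDX spec.
SBOMS = [
    {"project": "checkout-api", "owner": "payments", "users": 120000,
     "components": [{"purl": "pkg:npm/lodash@4.17.15"}, {"purl": "pkg:pypi/requests@2.31.0"}]},
    {"project": "admin-portal", "owner": "platform", "users": 300,
     "components": [{"purl": "pkg:npm/lodash@4.17.21"}]},
    {"project": "ingest-worker", "owner": "data", "users": 45000,
     "components": [{"purl": "pkg:npm/lodash@4.17.19"}, {"purl": "pkg:maven/org.example/lib@1.2.0"}]},
]

# Constructed advisories with placeholder IDs; "fixed" is the first safe version.
ADVISORIES = [
    {"id": "CVE-XXXX-0001", "purl_name": "pkg:npm/lodash", "fixed": "4.17.21",
     "cvss": 7.2, "exploit_available": True},
    {"id": "CVE-XXXX-0002", "purl_name": "pkg:maven/org.example/lib", "fixed": "1.3.0",
     "cvss": 9.8, "exploit_available": False},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; sufficient for the constructed data above."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:npm/lodash@4.17.15' -> ('pkg:npm/lodash', '4.17.15')."""
    name, _, version = purl.rpartition("@")
    return name, version

def blast_radius(sboms: List[dict], advisory: dict) -> List[dict]:
    """Projects shipping a vulnerable version, ranked by exposed users (descending)."""
    hits = []
    for sbom in sboms:
        for comp in sbom["components"]:
            name, version = split_purl(comp["purl"])
            if name == advisory["purl_name"] and parse_version(version) < parse_version(advisory["fixed"]):
                hits.append({"project": sbom["project"], "owner": sbom["owner"],
                             "users": sbom["users"], "version": version})
    return sorted(hits, key=lambda h: h["users"], reverse=True)

def triage_order(advisories: List[dict]) -> List[str]:
    """Exploited-in-the-wild first, then CVSS, as exploit-feed enrichment intends."""
    ranked = sorted(advisories, key=lambda a: (a["exploit_available"], a["cvss"]), reverse=True)
    return [a["id"] for a in ranked]
```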
Built for these teams
Engineering teams shipping frequently
Every dependency is a potential liability. Sandworm SCA keeps the full inventory current as your codebase evolves, without requiring manual inventory work after each release.
CVE response under time pressure
When a critical CVE drops, Sandworm SCA blast-radius tells you in seconds which services are affected and who owns them — so response is measured in minutes, not days.
License compliance at audit time
Arrive at your audit with a signed, up-to-date license matrix instead of a scramble to inventory dependencies across dozens of repositories.
Security teams enforcing SSDF or EO 14028
Federal and regulated-industry requirements increasingly mandate SBOM delivery with software. Sandworm SCA generates, signs, and retains SBOMs in formats your customers and regulators can consume.
Integrations
- GitHub/GitLab
- npm/PyPI/Maven
- CI pipelines
- SBOM (SPDX/CycloneDX)
Frequently asked questions
- How does Sandworm SCA connect to my repositories and build systems?
Sandworm SCA runs as a containerized service in the Sandworm platform and talks to your repositories and registries over standard Git and package-registry APIs. There is nothing to install on developer machines or build servers — it reads dependency manifests and build metadata from the API side.
- Does Sandworm SCA read or store my source code?
No. Sandworm SCA reads dependency manifest files — package.json, requirements.txt, pom.xml, lock files, and so on — and build metadata such as pipeline run IDs and artifact hashes. Source code is never transmitted. SBOM artifacts and findings are stored inside your own deployment.
- What does Sandworm SCA cost?
Sandworm SCA is available in the Sandworm platform bundles and as a standalone add-on. Current pricing is at /pricing — there is no per-CVE alert charge or per-scan fee. A single subscription covers all projects Sandworm SCA indexes.
- How is Sandworm SCA different from a per-repo SCA scanner?
Per-repo scanners show you findings in isolation. When a critical CVE lands, you have to check every repository manually to know your exposure. Sandworm SCA's blast-radius engine answers that question in a single query across your entire fleet — all affected projects, ranked by exposure, with the owning team identified. Findings feed directly into the Sandworm investigation workflow rather than a report silo.
- Which SBOM formats does Sandworm SCA output?
Sandworm SCA generates SBOMs in SPDX 2.3 and CycloneDX 1.5. Both formats are signed with build-provenance attestations that follow the in-toto/SLSA attestation framework, so customers or regulators can verify the chain of custody from source to artifact.
- What is next on the Sandworm SCA roadmap?
Upcoming work includes VEX (Vulnerability Exploitability eXchange) statement generation so teams can formally document which CVEs they have assessed and why, automated pull-request suggestions that open a fix branch when a patch is available, and deeper pipeline health monitoring. Mendicant AI integration — currently in development — will eventually add natural-language CVE triage assistance. None of these are shipped yet.
Also in Sandworm.
Sandworm SIEM
Security information and event management with real-time correlation.
See Sandworm SIEM →
Map your supply chain.
Connect Sandworm SCA to your repositories and get a full dependency and CVE picture on day one.