SCA

Tooling that automatically scans a codebase to identify open-source and third-party components, map their licenses, and flag known vulnerabilities. SCA is essential for diligence and compliance, but it has limits -- it can't catch backdoors inserted through compromised build pipelines, and it struggles with vendored or modified code. Tools like Snyk, Black Duck, and FOSSA are common in this space.