Software Composition Analysis (SCA)
xgrep is a Software Composition Analysis (SCA) tool — generate a CycloneDX or SPDX SBOM, trace dependency usage offline, and scan your open-source dependencies for known CVEs, across 11 ecosystems.
Beyond scanning your own code, xgrep analyzes the third-party code you depend on. Software Composition Analysis (SCA) is the practice of inventorying a project's open-source dependencies and finding the known vulnerabilities they carry. xgrep does it by discovering your dependency manifests and lockfiles, parsing them, and answering three questions:
- What's in here? — a complete Software Bill of Materials (SBOM) in CycloneDX or SPDX format.
- What actually uses it? — dependency queries that list, group, and trace dependencies against the code that imports them (reachability).
- Which dependencies are vulnerable? — vulnerability scanning that matches your packages against known CVEs, reported inline with your code findings.
Unlike standalone SCA tools, xgrep runs SAST and SCA in a single pass — one `xgrep scan .` reports vulnerabilities in both your own code and your open-source dependencies at once.
```shell
xgrep sbom .        # generate an SBOM (CycloneDX JSON by default)
xgrep deps list .   # flat, scope-tagged dependency inventory
xgrep deps why .    # which dependency packages your code imports (reachability)
xgrep scan .        # code (SAST) AND dependency vulnerabilities (SCA) in one run
```

SBOM generation and dependency queries are fully offline: xgrep reads manifest files only, never invoking a package manager or reaching the network. Vulnerability scanning is the one networked step — it matches your SBOM against the CVE database via Mondoo Platform and needs a service account; see Scanning for vulnerabilities.
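To make concrete what "reads manifest files only" involves, here is an added example (not xgrep's own code) that parses a constructed `go.mod`, records each module as direct or indirect, and emits a minimal CycloneDX 1.5 JSON document with Go package URLs. The `example:direct` property name is an assumption chosen for this illustration.

```python
import re

# Constructed sample go.mod (not taken from a real project).
GO_MOD = """\
module example.com/app
go 1.22
require (
\tgithub.com/gorilla/mux v1.8.0
\tgolang.org/x/text v0.14.0 // indirect
)
require github.com/spf13/cobra v1.8.0
"""

# module path, version, optional "// indirect" marker
_REQ = re.compile(r"^([^\s/]\S*)\s+(v\S+)\s*(//\s*indirect)?$")


def parse_go_mod(text: str) -> list[dict]:
    """Return every required module with its version and a direct/indirect flag."""
    deps, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if not in_block:
            if not line.startswith("require "):
                continue  # module/go/replace lines carry no dependency
            line = line[len("require "):]
        m = _REQ.match(line)
        if m:
            deps.append({"name": m.group(1), "version": m.group(2),
                         "direct": m.group(3) is None})
    return deps


def build_sbom(go_mod_text: str) -> dict:
    """Wrap the parsed modules in a minimal CycloneDX 1.5 document."""
    components = [{
        "type": "library",
        "name": d["name"],
        "version": d["version"],
        # purl for Go modules uses the full module path as the name
        "purl": f"pkg:golang/{d['name']}@{d['version']}",
        # assumed property name; marks transitive modules for later triage
        "properties": [{"name": "example:direct", "value": str(d["direct"]).lower()}],
    } for d in parse_go_mod(go_mod_text)]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}
```

Everything needed is read from the manifest text itself, so no package manager runs and no network is touched; a matching step against a CVE database would consume the `purl` values.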
Supported ecosystems
xgrep parses the highest-priority manifest or lockfile present for each of 11 ecosystems (lockfiles are preferred over manifests, so a project with both is never double-counted):
| Ecosystem | Manifests and lockfiles parsed |
|---|---|
| Go | go.mod |
| npm (JavaScript/TypeScript) | package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lock, package.json |
| Python | Pipfile.lock, poetry.lock, uv.lock, pdm.lock |
| Rust | Cargo.lock |
| Ruby | Gemfile.lock |
| PHP | composer.lock |
| Java | gradle.lockfile, pom.xml |
| .NET | packages.lock.json, packages.config |
| Dart | pubspec.lock |
| Elixir | mix.lock |
| Swift | Package.resolved |
Restrict any command to specific ecosystems with `--ecosystem`, e.g. `--ecosystem go,npm`.
Scanning a specific commit
Every dependency command takes `--ref` to read files from a git commit, tag, or branch without checking it out, so you can produce an SBOM for a release tag or compare the dependency set between two commits:
```shell
xgrep sbom --ref v1.4.0 .
xgrep deps list --ref main .
```

In this section
- Generating an SBOM — formats, flags, and CI usage.
- Querying dependencies — `list`, `tree`, and `why`.
- Scanning for vulnerabilities — match dependencies against known CVEs, with `xgrep scan` or an existing SBOM.