Dependencies

Software Composition Analysis (SCA)

xgrep is a Software Composition Analysis (SCA) tool — generate a CycloneDX or SPDX SBOM, trace dependency usage offline, and scan your open-source dependencies for known CVEs, across 11 ecosystems.

Beyond scanning your own code, xgrep analyzes the third-party code you depend on. Software Composition Analysis (SCA) is the practice of inventorying a project's open-source dependencies and finding the known vulnerabilities they carry. xgrep does it by discovering your dependency manifests and lockfiles, parsing them, and answering three questions:

  • What's in here? A complete Software Bill of Materials (SBOM) in CycloneDX or SPDX format.
  • What actually uses it? Dependency queries that list, group, and trace dependencies against the code that imports them (reachability).
  • Which dependencies are vulnerable? Vulnerability scanning that matches your packages against known CVEs, reported inline with your code findings.

Unlike standalone SCA tools, xgrep runs SAST and SCA in a single pass — one xgrep scan . reports vulnerabilities in both your own code and your open-source dependencies at once.

xgrep sbom .          # generate an SBOM (CycloneDX JSON by default)
xgrep deps list .     # flat, scope-tagged dependency inventory
xgrep deps why .      # which dependency packages your code imports (reachability)
xgrep scan .          # code (SAST) AND dependency vulnerabilities (SCA) in one run

SBOM generation and dependency queries are fully offline: xgrep reads manifest files only, never invoking a package manager or reaching the network. Vulnerability scanning is the one networked step — it matches your SBOM against the CVE database via Mondoo Platform and needs a service account; see Scanning for vulnerabilities.

Supported ecosystems

xgrep parses the highest-priority manifest or lockfile present for each of 11 ecosystems (lockfiles are preferred over manifests, so a project with both is never double-counted):

Ecosystem                      Manifests and lockfiles parsed
Go                             go.mod
npm (JavaScript/TypeScript)    package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lock, package.json
Python                         Pipfile.lock, poetry.lock, uv.lock, pdm.lock
Rust                           Cargo.lock
Ruby                           Gemfile.lock
PHP                            composer.lock
Java                           gradle.lockfile, pom.xml
.NET                           packages.lock.json, packages.config
Dart                           pubspec.lock
Elixir                         mix.lock
Swift                          Package.resolved

Restrict any command to specific ecosystems with --ecosystem, e.g. --ecosystem go,npm.

Scanning a specific commit

Every dependency command takes --ref to read files from a git commit, tag, or branch without checking it out, so you can produce an SBOM for a release tag or compare the dependency set between two commits:

xgrep sbom --ref v1.4.0 .
xgrep deps list --ref main .
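The comparison step itself is left to the reader. The script below is an added example, not part of xgrep or of this page: it reads two CycloneDX JSON SBOMs (for instance the output of `xgrep sbom --ref v1.3.0 .` and `xgrep sbom --ref v1.4.0 .` redirected to files) and reports which components were added, removed, or changed version between the two refs. It relies only on the standard CycloneDX component fields (`components[].name`, `.group`, `.version`, `.purl`); that xgrep emits those fields is an assumption, and the two sample SBOMs embedded at the bottom are constructed for the example.

```python
"""Compare the dependency sets of two CycloneDX JSON SBOMs.

Added example, not part of xgrep. Intended use (xgrep commands as documented above):
    xgrep sbom --ref v1.3.0 . > old.json
    xgrep sbom --ref v1.4.0 . > new.json
    python sbom_diff.py old.json new.json
Assumes standard CycloneDX component fields; the sample SBOMs below are constructed.
"""
import json
import sys


def component_key(component: dict) -> str:
    """Identity of a component independent of its version.

    Prefer the package URL (purl) with version, qualifiers and subpath stripped,
    since it already encodes ecosystem and namespace; fall back to group/name.
    """
    purl = component.get("purl")
    if purl:
        base = purl.split("?", 1)[0].split("#", 1)[0]  # drop ?qualifiers and #subpath
        return base.rsplit("@", 1)[0]  # drop @version (scoped npm names are %40-encoded in purls)
    group = component.get("group")
    name = component.get("name", "")
    return f"{group}/{name}" if group else name


def components(sbom: dict) -> dict:
    """Map each top-level component of a CycloneDX SBOM to its version string."""
    return {component_key(c): c.get("version", "") for c in sbom.get("components", [])}


def diff_sboms(old: dict, new: dict) -> dict:
    """Return added, removed and version-changed components between two SBOMs."""
    a, b = components(old), components(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
    }


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} OLD_SBOM.json NEW_SBOM.json", file=sys.stderr)
        return 2
    with open(argv[1]) as f_old, open(argv[2]) as f_new:
        report = diff_sboms(json.load(f_old), json.load(f_new))
    for key in report["added"]:
        print(f"+ {key}")
    for key in report["removed"]:
        print(f"- {key}")
    for key, before, after in report["changed"]:
        print(f"~ {key}: {before} -> {after}")
    # Non-zero exit when anything changed, so a CI job can require review of dependency changes.
    return 1 if any(report.values()) else 0


# Constructed sample SBOMs (CycloneDX 1.5 shape) standing in for two xgrep runs at different refs.
OLD_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "golang.org/x/crypto", "version": "v0.14.0",
         "purl": "pkg:golang/golang.org/x/crypto@v0.14.0"},
    ],
}
NEW_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "minimist", "version": "1.2.8", "purl": "pkg:npm/minimist@1.2.8"},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) == 1:
        # No files given: show the diff of the constructed samples.
        print(json.dumps(diff_sboms(OLD_SBOM, NEW_SBOM), indent=2))
    else:
        sys.exit(main(sys.argv))
```

Keying on the purl rather than the bare name keeps same-named packages from different ecosystems apart (a `pkg:npm/...` and a `pkg:pypi/...` component never collide), and the non-zero exit makes the script usable as a gate: run it between the SBOM of the last reviewed tag and the current branch, and fail the job when the dependency set moved.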
