ProGet x SCA

What is Software Composition Analysis?

Software Composition Analysis (SCA) is the automated process of identifying which third-party libraries, open-source packages, and other dependencies your applications use.

The identified packages are compiled into a Software Bill of Materials (SBOM), which is then compared against a variety of databases, including ProGet Vulnerability Central (PGVC). The packages are then scanned for licenses and matched against compliance rules.

ProGet is a Universal Package Manager and Private Docker Registry that centralizes your organization’s applications, components, and third-party packages and containers. ProGet secures access to the technology you’re already using, including NuGet, npm, PowerShell, Chocolatey, maven, Docker, and more.

ProGet is self-managed, which means you can download and install it on-premises or in the cloud. It can work offline, and is easy to manage in both Windows and Linux environments.

ProGet’s Features for Software Composition Analysis

Vulnerability Scanning

ProGet automates the discovery of vulnerabilities in your applications, and offers actionable insights to help assess and remediate them.

This is done by scanning the third-party packages and Docker container images that you use against vulnerability databases such as the National Vulnerability Database.

ProGet can also block package usage by automatically assessing vulnerabilities based on the CVE score or on your team’s manual assessment.

Vulnerability in release & Vulnerability details
License rules & usage

License Detection & Blocking

ProGet can automatically detect the license agreement that a package is using, and show you which of your applications are using which open-source licenses.

You can also create rules to block packages with unwanted licenses (such as GPL-3) so that developers don’t accidentally incorporate them into a new project.

Track Package Usage

ProGet helps you track your organization’s open-source and third-party components (packages), and helps you identify issues like vulnerabilities, license violations, and missing packages.

This gives you invaluable insight into which versions of your applications are using which open-source packages and allows you to quickly identify the impact of critical bugs or security vulnerabilities discovered in open-source libraries.

Package use Across Projects
Resolve Issues Found in Packages

Continuous Releases Analysis & Issues

After integrating ProGet into your CI/CD pipeline, ProGet will routinely analyze your releases (both in-flight and in production) for new vulnerabilities or unwanted licenses in the packages it uses.

When ProGet discovers a problem with a package in a release, an “issue” is created, you’ll be notified, and you can work with your team to assess and resolve it.

Automatically Generate SBOM

You can import and export SBOM documents for a release in ProGet from the ProGet web UI or using the API.

When exporting an SBOM document, ProGet merges metadata from the information stored in ProGet (such as the project name, release number, package licenses, etc.) with any additional component metadata found in the imported SBOM documents.

Generated SBOM (XML)

Direct Support from Product Engineers

We hate Helpdesk Hell just as much as you do, which is why you’ll work directly with our engineers: the very same people who built our products and can change them.

From fast action on tickets to regular monitoring of Forums to an outrageously accessible CEO, we’re ready to help and listen.
Get Started with Software Composition Analysis

To help you evaluate ProGet’s Software Composition Analysis features, we’d be happy to provide a personalized demonstration. We can also provide a trial license if you’d like to try out some of the features that aren’t available in the free edition.