Source Composition Analysis for DevSecOps

Practically everyone uses open source software and libraries, including major organizations. But regardless of how safe people assume those components are, we need to be sure they are not compromising our applications. Source Composition Analysis (SCA) is how we test the security of all the open source components of our software.

In Source Composition Analysis for DevSecOps, you’ll learn everything there is to know about SCA and how it ties into a sustainable DevOps practice. We’ll be taking you through some of the most popular SCA tools, as well as automating a Software Bill of Materials (SBOM). We’ll even learn how to use CycloneDX to manage our SBOM.

Finally, we’ll learn how to conduct a comprehensive NPM audit in our practical labs. The course features hands-on lab exercises where you will integrate SCA into a CI pipeline, and track and monitor software components in a CI platform.

Our learning material is backed by years of security testing experience, knowledge, and original research across our entire security team. That’s why we’ve chosen to focus on showing you practical, real-world strategies and techniques that bring you closer to a successful DevSecOps implementation.

Proficiency: Intermediate
Audience: DevSecOps Expert
Course Duration: 4
Lessons: 18
Cloud Labs: 3
    • DevOps and the rise of DevOps
    • The need for DevSecOps
    • Success factors and challenges implementing DevSecOps
    • DevSecOps as a series of developer-first workflows
    • Labs: OWASP Dependency Track and CycloneDX – Source Composition Analysis and Software Bill of Materials
    • Labs for integrating Source Composition Analysis into automated workflows:
      • Developer IDE environments
      • Source repositories with Git-based workflows
      • Continuous Integration tooling, as part of the build process
    • Labs for additional SCA tools including OWASP Dependency Check, NPM Audit, Pyraider and others
    • GitHub Actions – Introduction and overview
    • Lab: Create your custom GitHub Action
    • Leveraging the GitHub Actions “Store” to identify useful pre-existing automations for GitHub
    • Lab: Creating an end-to-end GitHub Actions-driven workflow for Continuous Integration
    • Lab: Implementing OWASP Dependency Track
    • Lab: Running an NPM Audit