Black Duck Software Composition Analysis

Secure and manage open source from development to deployment

Black Duck by Synopsys provides a comprehensive software composition analysis (SCA) solution for managing security, quality, and license compliance risk that comes from the use of open source and third-party code in applications and containers. Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

Is untracked open source putting you at risk?

Third-party code saves time and money, but it can also harbor dangers like these:

  • Security vulnerabilities (e.g., CVEs identified in the National Vulnerability Database)
  • Common software weaknesses (e.g., SANS Top 25 or OWASP Top 10)
  • Risks related to license violations and IP ownership

Manage open source risks with Black Duck

Black Duck software composition analysis combines versatile open source risk management and deep binary inspection in a best-in-class solution. Black Duck gives development, operations, procurement, and security teams the tools they need to minimize the security, compliance, and code quality risks of open source and other third-party software, while still realizing the benefits that come with it.


Download datasheet      Learn about the technology


find open source in code


• Identify open source in code, binaries, and containers
• Detect partial and modified components
• Automate scanning with DevOps integrations

identify open source license risk


• Map components to known vulnerabilities
• Identify license and component-quality risks
• Monitor for new vulnerabilities in development and production

open source security policies


• Set and enforce open source use and security policies
• Automate policy enforcement with DevOps integrations
• Prioritize and track remediation activities

We’re a Gartner Magic Quadrant Leader in application security testing—again.

Find out why

Manage open source during development

With Black Duck, you can identify and track open source components within your applications’ source code and monitor for new and existing vulnerabilities that put them at risk.

source code analysis with Black Duck

We selected Black Duck for three reasons: for reputation, ease of use, and confidence in the results."

Lawrence Croft


VP Product Development at Copperleaf

Use multifactor open source detection.
Identify declared components, unique hash signatures, and dependencies resolved during a build.

Generate a complete inventory of open source in use.
Track all third-party components, licenses, and versions contained in your applications.

Map your bill of materials (BoM).
Map your BoM onto the largest knowledge base of open source project, vulnerability, and license data. Make informed decisions with relevant risk metrics and actionable remediation guidance.

Get deeper vulnerability insight.
Access detailed, proprietary security risk insight from the Synopsys Center for Open Source Research & Innovation (COSRI). Receive notifications of new vulnerabilities up to three weeks before they are published in the NVD, reducing your window of exposure.

Uphold security as threats evolve.
Automatically receive alerts for newly discovered vulnerabilities in the components and dependencies in your BoM.

Breaking down DevSecOps

Build AppSec into your CI/CD pipeline with static application security testing and software composition analysis.

Watch the webinar

Manage open source during deployment

Black Duck OpsSight helps you prevent known open source vulnerabilities from being deployed into production environments. With OpsSight you have unprecedented visibility into the open source components and any associated security vulnerabilities that exist in the container images you create and those that are running in production. Black Duck OpsSight integrates directly into your container orchestration platforms, ensuring that you have the visibility and control you need to minimize risk to your applications.


Download datasheet


OpsSight works with your container orchestration platform to scan any container image as it is used within the cluster and report on any known vulnerabilities.


OpsSight continuously monitors for new open source security disclosures and component changes for the open source found in your container images.


Scan results are placed as metadata on the container image so you can display vulnerability risk and enforce policies directly from the console of your container orchestration platform.

Manage open source during procurement

With Black Duck Binary Analysis, you can analyze systems and software to identify weak links in your software supply chain quickly and easily—all without source code.

Scan virtually any software or firmware in minutes.
This includes desktop and mobile applications, embedded system firmware, virtual appliances, and more.

Analyze without source code.
Simply upload the software you want to assess, and Black Duck performs a thorough binary analysis in minutes.

Obtain a comprehensive bill of materials (BoM).
Identify and catalog all third-party software components and licenses.

Make informed decisions about software consumption.  
Reduce security risks and the threat of license noncompliance. Identify known open source vulnerabilities, licensing obligations, sources of sensitive data leakage, and application permission requirements.    

Uphold security as threats evolve.
Automatically receive alerts for newly discovered vulnerabilities in previously scanned software.

Download datasheet

Take control of open source, eliminate risks, and accelerate remediation    

Black Duck empowers your application development, deployment, and procurement initiatives with a comprehensive toolkit to identify and remediate open source security, license, and operational risks. Use insightful vulnerability remediation and risk mitigation guidance, complete open source license compliance data, Black Duck–exclusive security advisories, and impactful policy controls to eliminate risks proactively.