SCAOpen source · Apache-2.0
OWASP Dependency-Check
Community project
A free command-line and build-plugin SCA tool that matches project dependencies against the National Vulnerability Database and other feeds. Led by its original creator, it remains actively released, though its canonical repository moved to a new GitHub organization in 2025 after years under the maintainer's personal account.
Verified Source: 1
- Product type
- Community project
- Deployment
- CLI
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Free
Capability checklist
SCAHow OWASP Dependency-Check measures up against the full Software Composition Analysis & Supply Chain Security taxonomy.
- Dependency vulnerability scanning — supported
- Flags known CVEs in direct and transitive open-source dependencies.
- License compliance — not supported
- Detects and enforces policy on open-source license obligations.
- SBOM generation — supported
- Produces standardized SPDX or CycloneDX software bills of materials.
- Malicious package detection — not supported
- Flags typosquatting and known-malicious packages in the dependency chain.
- CI/CD gating — not supported
- Blocks builds or pull requests that introduce new vulnerable or noncompliant packages.
- Reachability analysis — not supported
- Determines whether a vulnerable code path is actually invoked, to cut noise from unused code.
- IaC & container config scanning — not supported
- Scans infrastructure-as-code templates and container configurations for misconfigurations alongside application code.
Alternatives
Other Software Composition Analysis & Supply Chain Security tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include OWASP Dependency-Check.