# Best Software Composition Analysis Tools *By [Adam Crivello](https://research.g2.com/insights/author/adam-crivello)* Software composition analysis (SCA) tools enables users to analyze and manage the open-source elements of their applications. Companies and developers use SCA tools to verify licensing and assess vulnerabilities associated with each of their applications’ open-source components. More robust than [vulnerability scanner software](https://www.g2.com/categories/vulnerability-scanner), SCA tools automatically scan all open-source components to check for policy and license compliance, security risks, and version updates. SCA software also provides insights for remedying identified vulnerabilities, usually within the reports generated after a scan. Companies and developers often use SCA tools in conjunction with [static code analysis software](https://www.g2.com/categories/static-code-analysis), which scans the code behind their applications as opposed to the open-source components. To qualify for inclusion within the Software Composition Analysis (SCA) category, a product must: - Automatically track and analyze an application’s open source-components - Identify component vulnerabilities, licensing and compliance issues, and version updates - Provide insight into vulnerability remediation ## Category Overview **Total Products under this Category:** 74 ## Trust & Credibility Stats **Why You Can Trust G2's Software Rankings:** - 30 Analysts and Data Experts - 6,100+ Authentic Reviews - 74+ Products - Unbiased Rankings G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category. ## Best Software Composition Analysis Tools At A Glance - **Leader:** [Wiz](https://www.g2.com/products/wiz-wiz/reviews) - **Easiest to Use:** [Wiz](https://www.g2.com/products/wiz-wiz/reviews) - **Top Trending:** [Aikido Security](https://www.g2.com/products/aikido-security/reviews) - **Best Free Software:** [GitLab](https://www.g2.com/products/gitlab/reviews) --- **Sponsored** ### Endor Labs Endor Labs helps you build and ship secure software fast, whether it's written by humans and AI. While conventional code scanning tools drown teams in false positives, Endor Labs zeroes in on real risks, empowering developers without slowing them down. Trusted by OpenAI, Snowflake, Peloton, Robinhood, Dropbox, Rubrik, and more, Endor Labs is transforming AppSec. • 92% less alerts: Unify code scanning (SAST, SCA, container, secrets, malware, AI models) and automate security code reviews with AI. Pinpoint real vulnerabilities with function-level reachability, filtering out unreachable risks and letting developers fix what matters as they code. • 6X faster fixes: Skip the guesswork. Endor Labs guides developers towards safe OSS upgrades, and backports fixes for hard-to-update libraries. • Guardrails for AI coding assistants: Endor Labs natively integrates into AI coding assistants to help them produce code securely by default. Additionally, Endor Labs has built multiple agents to review the AI and human generated code for architecture and business-logic issues. • Compliance, streamlined: FedRAMP, PCI, NIST, and SLSA compliance is simplified with artifact signing, SBOM, VEX, and more—accelerating your path to secure, compliant code. Learn more at: www.endorlabs.com/demo-request [Visit website](https://www.g2.com/external_clickthroughs/record?secure%5Bad_program%5D=paid_promo&secure%5Bad_slot%5D=category_product_list&secure%5Bcategory_id%5D=2041&secure%5Bmedium%5D=sponsored&secure%5Bprioritized%5D=false&secure%5Bproduct_id%5D=1317430&secure%5Bresource_id%5D=2041&secure%5Bresource_type%5D=Category&secure%5Bsource_type%5D=category_page&secure%5Bsource_url%5D=https%3A%2F%2Fwww.g2.com%2Fcategories%2Fsoftware-composition-analysis%3Fopen_modal_url%3D%252Fproducts%252Fdependency-track%252Fwishlists%253Fhost_path%253D%25252Fcategories%25252Fsoftware-composition-analysis%2526source%253Dcategory&secure%5Btoken%5D=b1f9d40aa467c6d0f0560cd82393b9b127afc90afbac81ce2a98c6c35adea49a&secure%5Burl%5D=https%3A%2F%2Fwww.endorlabs.com%2Fplatform&secure%5Burl_type%5D=paid_promos) --- ## Top-Rated Products (Ranked by G2 Score) ### 1. [Wiz](https://www.g2.com/products/wiz-wiz/reviews) Wiz transforms cloud security for customers – including more than 50% of the Fortune 100 – by enabling a new operating model. With Wiz, organizations can democratize security across the development lifecycle, empowering them to build fast and securely. Its Cloud Native Application Protection Platform (CNAPP) consolidates CSPM, KSPM, CWPP, Vulnerability management, IaC scanning, CIEM, DSPM into a single platform. Wiz drives visibility, risk prioritization, and business agility. Protecting Your Cloud Environments Requires a Unified, Cloud Native Platform. Wiz connects to every cloud environment, scans every layer, and covers every aspect of your cloud security - including elements that normally require installing agents. Its comprehensive approach has all of these cloud security solutions built in. Hundreds of organizations worldwide, including 50 percent of the Fortune 100, to rapidly identify and remove critical risks in cloud environments. Its customers include Salesforce, Slack, Mars, BMW, Avery Dennison, Priceline, Cushman & Wakefield, DocuSign, Plaid, and Agoda, among others. Wiz is backed by Sequoia, Index Ventures, Insight Partners, Salesforce, Blackstone, Advent, Greenoaks, Lightspeed and Aglaé. Visit https://www.wiz.io for more information. **Average Rating:** 4.7/5.0 **Total Reviews:** 773 **User Satisfaction Scores:** - **Quality of Support:** 9.2/10 (Category avg: 9.0/10) - **Language Support:** 8.8/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.2/10 (Category avg: 8.8/10) - **Integration:** 9.3/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Wiz](https://www.g2.com/sellers/wiz-76a0133b-42e5-454e-b5da-860e503471db) - **Company Website:** https://www.wiz.io/ - **Year Founded:** 2020 - **HQ Location:** New York, US - **Twitter:** @wiz_io (24,032 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/wizsecurity/ (3,248 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** CISO, Security Engineer - **Top Industries:** Financial Services, Information Technology and Services - **Company Size:** 54% Enterprise, 39% Mid-Market #### Pros & Cons **Pros:** - Features (113 reviews) - Security (107 reviews) - Ease of Use (104 reviews) - Visibility (87 reviews) - Easy Setup (68 reviews) **Cons:** - Improvement Needed (35 reviews) - Feature Limitations (34 reviews) - Learning Curve (34 reviews) - Improvements Needed (29 reviews) - Complexity (27 reviews) ### 2. [GitHub](https://www.g2.com/products/github/reviews) GitHub is where the world builds software. Millions of individuals, organizations and businesses around the world use GitHub to discover, share, and contribute software. Developers at startups to Fortune 50 companies use GitHub, every step of the way. **Average Rating:** 4.7/5.0 **Total Reviews:** 2,266 **User Satisfaction Scores:** - **Quality of Support:** 8.7/10 (Category avg: 9.0/10) - **Language Support:** 8.8/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.0/10 (Category avg: 8.8/10) - **Integration:** 9.0/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [GitHub](https://www.g2.com/sellers/github) - **Year Founded:** 2008 - **HQ Location:** San Francisco, CA - **Twitter:** @github (2,642,101 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/1418841/ (6,106 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** Software Engineer, Senior Software Engineer - **Top Industries:** Computer Software, Information Technology and Services - **Company Size:** 46% Small-Business, 31% Mid-Market #### Pros & Cons **Pros:** - Features (123 reviews) - Ease of Use (110 reviews) - Team Collaboration (108 reviews) - Collaboration (106 reviews) - Version Control (102 reviews) **Cons:** - Complexity (46 reviews) - Learning Curve (44 reviews) - Difficulty for Beginners (42 reviews) - Learning Difficulty (40 reviews) - Difficult Learning (35 reviews) ### 3. [Aikido Security](https://www.g2.com/products/aikido-security/reviews) Aikido Security is the developer-first security platform that unifies code, cloud, protection, and attack testing in one suite of best-in-class products. Built by developers for developers, Aikido helps teams of any size ship secure software faster, automate protection, and simulate real-world attacks with AI-driven precision. The platform’s proprietary AI cuts noise by 95%, delivers one-click fixes, and saves developers 10+ hours per week. Aikido Intel proactively uncovers vulnerabilities in open source packages before disclosure, helping secure more than 50,000 organizations worldwide, including Revolut, Niantic, Visma, Montblanc, and GoCardless. **Average Rating:** 4.6/5.0 **Total Reviews:** 141 **User Satisfaction Scores:** - **Quality of Support:** 9.3/10 (Category avg: 9.0/10) - **Language Support:** 9.0/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.0/10 (Category avg: 8.8/10) - **Integration:** 9.0/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Aikido Security](https://www.g2.com/sellers/aikido-security) - **Company Website:** https://aikido.dev - **Year Founded:** 2022 - **HQ Location:** Ghent, Belgium - **Twitter:** @AikidoSecurity (6,430 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/aikido-security/ (175 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** CTO, Founder - **Top Industries:** Computer Software, Information Technology and Services - **Company Size:** 70% Small-Business, 18% Mid-Market #### Pros & Cons **Pros:** - Ease of Use (78 reviews) - Security (55 reviews) - Features (52 reviews) - Easy Integrations (47 reviews) - Easy Setup (47 reviews) **Cons:** - Missing Features (19 reviews) - Expensive (17 reviews) - Limited Features (16 reviews) - Pricing Issues (15 reviews) - Lacking Features (14 reviews) ### 4. [Snyk](https://www.g2.com/products/snyk/reviews) Snyk (pronounced sneak) is a developer security platform for securing custom code, open source dependencies, containers, and cloud infrastructure all from a single platform. Snyk’s developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code & open source to containers & cloud infrastructure. Secure while you code in your IDE: find issues quickly using the scanner, fix issues easily with remediation advice, verify the updated code. Integrate your source code repositories to secure applications: integrate a repository to find issues, prioritize with context, fix & merge. Secure your containers as you build, throughout the SDLC: start fixing containers as soon as your write a Dockerfile, continuously monitor container images throughout their lifecycle, and prioritize with context. Secure build and deployment pipelines: Integrate natively with your CI/CD tool, configure your rules, find & fix issues in your application, and monitor your applications. Secure your apps quickly with Snyk’s vulnerability scanning and automated fixes - Try for Free! **Average Rating:** 4.5/5.0 **Total Reviews:** 132 **User Satisfaction Scores:** - **Quality of Support:** 8.7/10 (Category avg: 9.0/10) - **Language Support:** 8.1/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.7/10 (Category avg: 8.8/10) - **Integration:** 8.7/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Snyk](https://www.g2.com/sellers/snyk) - **HQ Location:** Boston, Massachusetts - **Twitter:** @snyksec (20,991 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/10043614/ (1,207 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** Software Engineer - **Top Industries:** Computer Software, Information Technology and Services - **Company Size:** 45% Mid-Market, 35% Small-Business #### Pros & Cons **Pros:** - Vulnerability Detection (3 reviews) - Vulnerability Identification (3 reviews) - Easy Integrations (2 reviews) - Features (2 reviews) - Integrations (2 reviews) **Cons:** - False Positives (2 reviews) - Poor Interface Design (2 reviews) - Scanning Issues (2 reviews) - Software Bugs (2 reviews) - Code Management (1 reviews) ### 5. [GitLab](https://www.g2.com/products/gitlab/reviews) GitLab is the most comprehensive AI-Powered DevSecOps platform that enables software innovation by empowering development, security, and operations teams to build better software, faster. With GitLab, teams can create, deliver, and manage code quickly and continuously instead of managing disparate tools and scripts. GitLab helps your teams across the complete DevSecOps lifecycle, from developing, securing, and deploying software. What makes us truly different? - Flexibility: Consume as a service or manage your own deployment - Cloud-Agnostic: Deploy anywhere with no vendor lock-in - No rip and replace: Scale to a platform approach at your own pace **Average Rating:** 4.5/5.0 **Total Reviews:** 872 **User Satisfaction Scores:** - **Quality of Support:** 8.5/10 (Category avg: 9.0/10) - **Language Support:** 8.7/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.0/10 (Category avg: 8.8/10) - **Integration:** 8.8/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [GitLab Inc.](https://www.g2.com/sellers/gitlab-inc) - **Company Website:** https://about.gitlab.com/ - **Year Founded:** 2014 - **HQ Location:** San Francisco, California - **Twitter:** @gitlab (170,869 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/5101804/ (3,357 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** Software Engineer, Senior Software Engineer - **Top Industries:** Computer Software, Information Technology and Services - **Company Size:** 37% Mid-Market, 37% Small-Business #### Pros & Cons **Pros:** - Ease of Use (43 reviews) - Features (42 reviews) - CI (36 reviews) - CD Integration (34 reviews) - Integrations (34 reviews) **Cons:** - Complexity (21 reviews) - Difficult Learning (19 reviews) - Confusing Interface (16 reviews) - Complex User Interface (15 reviews) - Learning Curve (13 reviews) ### 6. [Cortex Cloud](https://www.g2.com/products/cortex-cloud/reviews) Cortex Cloud by Palo Alto Networks, the next version of Prisma Cloud, understands a unified security approach is essential for effectively addressing AppSec, CloudSec, and SecOps. Connecting cloud security and SOC workflows enables teams to achieve holistic visibility, trace risk across the lifecycle, and correlate real-time threat activity with development and runtime contexts. Cortex Cloud is a unified platform built on three core pillars: data integration, AI-driven intelligence, and automation. Now you can safeguard applications, data, and infrastructure across multicloud and hybrid environments with a unified data model that consolidates telemetry from code, runtime, identity, and endpoints, all into a single data source. Empower teams with precise, AI-powered insights and 2200+ machine learning models to identify and stop zero-day threats with real-time advanced threat detection and response. And automate with 1000+ prebuilt playbooks across your cloud stack to reduce manual workloads, accelerate remediations, and cut response times tenfold. Cortex Cloud delivers more than tools—it transforms how organizations secure their cloud environments. **Average Rating:** 4.1/5.0 **Total Reviews:** 110 **User Satisfaction Scores:** - **Quality of Support:** 7.9/10 (Category avg: 9.0/10) - **Language Support:** 6.7/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 7.2/10 (Category avg: 8.8/10) - **Integration:** 9.2/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Palo Alto Networks](https://www.g2.com/sellers/palo-alto-networks) - **Company Website:** https://www.paloaltonetworks.com - **Year Founded:** 2005 - **HQ Location:** Santa Clara, CA - **Twitter:** @PaloAltoNtwks (128,788 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/30086/ (21,355 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Information Technology and Services, Computer & Network Security - **Company Size:** 38% Enterprise, 31% Mid-Market #### Pros & Cons **Pros:** - Ease of Use (49 reviews) - Features (45 reviews) - Security (43 reviews) - Visibility (38 reviews) - Cloud Integration (34 reviews) **Cons:** - Expensive (31 reviews) - Difficult Learning (30 reviews) - Learning Curve (29 reviews) - Pricing Issues (24 reviews) - Complex Setup (21 reviews) ### 7. [OX Security](https://www.g2.com/products/ox-security/reviews) OX is redefining product security for the AI era. Founded by Neatsun Ziv and Lion Arzi, former Check Point executives, OX is the company behind VibeSec — the first AI-native vibe security platform. Unlike traditional “Shift Left” approaches that collapsed under AI’s speed, VibeSec makes software secure by default by preventing risks before they exist. Powered by the OX AI Data Lake and dynamic code-to-runtime context, OX Security delivers: Autonomous, embedded security that runs as fast as developers. Dynamic risk context that shrinks security backlogs before they spiral. Continuous alignment across code, cloud, APIs, and runtime. With OX, developers focus on building while security runs itself, giving enterprises complete confidence that every release ships secure. OX Security -Vendor desc (request to update): OX Security is the company behind VibeSec, an AI-native autonomous security platform built for the AI development era. Unlike traditional tools that chase vulnerabilities after code is written, VibeSec embeds dynamic security context directly into AI coding environments like Cursor and Copilot. The result: every line of code is secure by default. For the first time, security moves at the speed of AI-driven development, preventing vulnerabilities before they exist, shrinking backlogs with every commit, and making security a seamless part of the development flow. **Average Rating:** 4.8/5.0 **Total Reviews:** 51 **User Satisfaction Scores:** - **Quality of Support:** 9.6/10 (Category avg: 9.0/10) - **Language Support:** 8.7/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.8/10 (Category avg: 8.8/10) - **Integration:** 9.4/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [OX Security](https://www.g2.com/sellers/ox-security) - **Year Founded:** 2021 - **HQ Location:** New York, USA - **LinkedIn® Page:** https://www.linkedin.com/company/ox-security/ (184 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** Security Engineer - **Top Industries:** Financial Services, Information Technology and Services - **Company Size:** 63% Mid-Market, 25% Enterprise #### Pros & Cons **Pros:** - Features (27 reviews) - Ease of Use (23 reviews) - Customer Support (22 reviews) - Integration Support (22 reviews) - Security (22 reviews) **Cons:** - Integration Issues (8 reviews) - Missing Features (8 reviews) - Complexity (5 reviews) - Inadequate Reporting (5 reviews) - Limited Cloud Integration (5 reviews) ### 8. [Semgrep](https://www.g2.com/products/semgrep/reviews) Semgrep is a modern static analysis (SAST), software composition analysis (SCA), and secrets detection platform designed for both developers and security teams. It combines fast, deterministic analysis with context-aware AI that triages findings like a senior security engineer. The AI Assistant helps reduce false positives, prioritize meaningful results, and offers clear remediation guidance. Its “Memories” feature learns from past decisions to further reduce triage noise over time. Semgrep also supports deep analysis of transitive dependencies, not just direct ones, helping teams surface and address hidden risks in their supply chain. It integrates well into modern development workflows and is easy to customize across environments. **Average Rating:** 4.6/5.0 **Total Reviews:** 55 **User Satisfaction Scores:** - **Quality of Support:** 8.8/10 (Category avg: 9.0/10) - **Language Support:** 8.4/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.3/10 (Category avg: 8.8/10) - **Integration:** 8.2/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Semgrep](https://www.g2.com/sellers/semgrep) - **Company Website:** https://semgrep.dev - **Year Founded:** 2017 - **HQ Location:** San Francisco, US - **Twitter:** @semgrep (4,299 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/returntocorp (238 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Information Technology and Services, Computer Software - **Company Size:** 45% Enterprise, 42% Mid-Market #### Pros & Cons **Pros:** - Ease of Use (16 reviews) - Features (14 reviews) - Vulnerability Detection (13 reviews) - Scanning Efficiency (12 reviews) - Security (12 reviews) **Cons:** - Not User-Friendly (7 reviews) - Limited Features (6 reviews) - Difficult Learning (5 reviews) - Lack of Guidance (5 reviews) - Learning Curve (5 reviews) ### 9. [CAST Highlight](https://www.g2.com/products/cast-highlight/reviews) By scanning the source code of your applications, CAST Highlight instantly maps your software, generating the insights to understand, improve, and transform it. CIOs, CTOs, Enterprise Architects use CAST to: - Get the true view of all technologies and frameworks - Quantify technical debt and the ways to pay it down - See what’s going to break next, and how best to fix it - Drive cloud adoption faster, knowing what to move and optimize - Prove progress to the board with facts and industry benchmarks Businesses move faster using CAST technology to understand, improve, and transform their software. Through semantic analysis of source code, CAST produces 3D maps and dashboards to navigate inside individual applications and across entire portfolios. This intelligence empowers executives and technology leaders to steer, speed, and report on initiatives such as technical debt, GenAI, modernization, and cloud. As the pioneer of the software intelligence field, CAST is trusted by the world’s leading companies and governments, their consultancies and cloud providers. See it all at castsoftware.com. **Average Rating:** 4.5/5.0 **Total Reviews:** 85 **User Satisfaction Scores:** - **Quality of Support:** 9.1/10 (Category avg: 9.0/10) - **Language Support:** 8.5/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.5/10 (Category avg: 8.8/10) - **Integration:** 8.4/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [CAST](https://www.g2.com/sellers/cast) - **Company Website:** https://www.castsoftware.com - **Year Founded:** 1990 - **HQ Location:** New York - **Twitter:** @SW_Intelligence (1,892 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,259 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Information Technology and Services, Computer Software - **Company Size:** 57% Enterprise, 24% Small-Business #### Pros & Cons **Pros:** - Ease of Use (8 reviews) - Easy Setup (4 reviews) - Cloud Services (3 reviews) - Efficiency (3 reviews) - Real-time Monitoring (3 reviews) **Cons:** - Complex Navigation (1 reviews) - Dashboard Issues (1 reviews) - Delayed Detection (1 reviews) - Difficulty (1 reviews) - Expensive (1 reviews) ### 10. [Black Duck](https://www.g2.com/products/black-duck/reviews) Organizations worldwide use Black Duck’s industry-leading products to secure and manage open source software, eliminating the pain related to security vulnerabilities, compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, Vancouver, London, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com **Average Rating:** 4.0/5.0 **Total Reviews:** 27 **User Satisfaction Scores:** - **Quality of Support:** 7.7/10 (Category avg: 9.0/10) - **Language Support:** 9.2/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.3/10 (Category avg: 8.8/10) - **Integration:** 8.0/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Synopsys](https://www.g2.com/sellers/synopsys-53e76f66-bf39-4c28-b0f2-97178ec8ddfd) - **Year Founded:** 1986 - **HQ Location:** Mountain View, CA - **Twitter:** @synopsys (24,264 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/2457/ (28,121 employees on LinkedIn®) - **Ownership:** NASDAQ:SNPS **Reviewer Demographics:** - **Top Industries:** Information Technology and Services, Computer Software - **Company Size:** 46% Enterprise, 36% Mid-Market #### Pros & Cons **Pros:** - Accuracy of Findings (1 reviews) - Open Source (1 reviews) **Cons:** - Resource Constraints (1 reviews) ### 11. [JFrog](https://www.g2.com/products/jfrog-2024-03-28/reviews) JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision, the JFrog Platform is a software supply chain system of record that is designed to power organizations as they build, manage, and distribute secure software with speed and scale. Holistic security features help identify, protect, and remediate against threats and vulnerabilities. The universal, hybrid, multi-cloud JFrog Platform is available as both SaaS services across major cloud service providers and self-hosted. Millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation in the AI era. Learn more at www.jfrog.com or follow us on X @JFrog. **Average Rating:** 4.2/5.0 **Total Reviews:** 111 **User Satisfaction Scores:** - **Quality of Support:** 8.4/10 (Category avg: 9.0/10) - **Language Support:** 8.3/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.2/10 (Category avg: 8.8/10) - **Integration:** 8.3/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [JFrog Ltd](https://www.g2.com/sellers/jfrog-ltd) - **Company Website:** https://jfrog.com - **Year Founded:** 2008 - **HQ Location:** Sunnyvale, CA - **Twitter:** @jfrog (23,164 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/jfrog-ltd/ (2,292 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** Software Engineer, DevOps Engineer - **Top Industries:** Information Technology and Services, Computer Software - **Company Size:** 52% Enterprise, 32% Mid-Market #### Pros & Cons **Pros:** - Features (18 reviews) - Repository Management (14 reviews) - Deployment (13 reviews) - Integrations (12 reviews) - Easy Integrations (11 reviews) **Cons:** - Complexity (9 reviews) - Expensive (8 reviews) - Learning Curve (8 reviews) - Difficult Learning (7 reviews) - Learning Difficulty (7 reviews) ### 12. [Jit](https://www.g2.com/products/jit/reviews) Jit is redefining application security by introducing the first Agentic AppSec Platform, seamlessly blending human expertise with AI-driven automation. Designed for modern development teams, Jit empowers organizations to proactively manage security risks across the entire software development lifecycle.​ AI-Powered Agents Jit's AI Agents, such as SERA (Security Evaluation and Remediation Agent) and COTA (Communication, Ops, and Ticketing Agent), collaborate with your teams to automate vulnerability triage, risk assessment, and remediation processes, significantly reducing manual workloads. ​ Comprehensive Security Scanning Achieve full-stack security coverage with integrated scanners for SAST, DAST, SCA, IaC, CSPM, and more. Jit's platform ensures continuous monitoring and immediate feedback on code changes, facilitating rapid identification and resolution of security issues. ​ Developer-Centric Experience With integrations into popular IDEs and CI/CD pipelines, Jit provides developers with contextual security insights directly within their workflows, promoting a shift-left approach without disrupting productivity. ​ Agentic AI for AppSec Teams Risk-Based Prioritization Utilizing the Model Context Protocol (MCP), Jit evaluates vulnerabilities in the context of runtime environments, business impact, and compliance requirements, enabling teams to focus on the most critical risks. ​ Seamless Integrations Jit integrates with a wide array of tools, including GitHub, GitLab, AWS, Azure, GCP, Jira, Slack, and more, ensuring that security processes are embedded within your existing technology stack. ​ **Average Rating:** 4.5/5.0 **Total Reviews:** 43 **User Satisfaction Scores:** - **Quality of Support:** 9.3/10 (Category avg: 9.0/10) - **Language Support:** 8.3/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.5/10 (Category avg: 8.8/10) - **Integration:** 8.8/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [jit](https://www.g2.com/sellers/jit) - **Year Founded:** 2021 - **HQ Location:** Boston, MA - **Twitter:** @jit_io (523 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/jit/ (151 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Computer Software, Financial Services - **Company Size:** 44% Mid-Market, 42% Small-Business #### Pros & Cons **Pros:** - Security (10 reviews) - Easy Integrations (8 reviews) - Ease of Use (7 reviews) - Efficiency (7 reviews) - Integration Support (7 reviews) **Cons:** - Integration Issues (4 reviews) - Limited Features (4 reviews) - Limited Integration (4 reviews) - Poor Documentation (4 reviews) - Complexity (3 reviews) ### 13. [SOOS](https://www.g2.com/products/soos/reviews) SOOS is the complete application security posture management platform. Scan your software for vulnerabilities, control the introduction of new dependencies, exclude unwanted license types, generate and manage Software Bill of Materials (SBOM), and fill out your compliance worksheets across all your teams. SOOS’s ASPM is a dynamic, comprehensive approach to safeguarding your application infrastructure from vulnerabilities across the Software Development Life Cycle (SDLC) and live deployments. Easy to integrate, all in one dashboard. SCA - Deep tree vulnerability scanning, license compliance, governance DAST - Automated Web & API vulnerability scanning Containers - Scan contents for vulnerabilities SAST - Analyze code for security vulnerabilities IaC - Cloud security coverage SBOMs - Create – monitor – manage **Average Rating:** 4.6/5.0 **Total Reviews:** 42 **User Satisfaction Scores:** - **Quality of Support:** 9.3/10 (Category avg: 9.0/10) - **Language Support:** 9.5/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.4/10 (Category avg: 8.8/10) - **Integration:** 9.5/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [SOOS](https://www.g2.com/sellers/soos) - **Company Website:** https://soos.io - **Year Founded:** 2019 - **HQ Location:** Winooski, US - **Twitter:** @soostech (45 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/53122310 (26 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Information Technology and Services, Computer Software - **Company Size:** 50% Mid-Market, 43% Small-Business #### Pros & Cons **Pros:** - Ease of Use (8 reviews) - Easy Integrations (6 reviews) - Integrations (6 reviews) - Customer Support (5 reviews) - Vulnerability Detection (5 reviews) **Cons:** - Inadequate Reporting (4 reviews) - Poor Reporting (4 reviews) - Lacking Features (3 reviews) - Lack of Guidance (3 reviews) - Dashboard Issues (2 reviews) ### 14. [SonarQube](https://www.g2.com/products/sonarqube/reviews) Sonar, the industry standard for code verification and automated code review, helps reduce outages, improve security, and lower risks associated with AI and agentic coding. As an independent verification platform, Sonar enables organizations to securely develop at the speed of AI. Sonar is the foundation for high-performance software engineering, analyzing over 750 billion lines of code daily to ensure applications are secure, reliable, and maintainable. Rooted in the open source community, Sonar is trusted by 7M+ developers globally, including teams at ServiceNow, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company. **Average Rating:** 4.4/5.0 **Total Reviews:** 138 **User Satisfaction Scores:** - **Quality of Support:** 8.1/10 (Category avg: 9.0/10) **Seller Details:** - **Seller:** [SonarSource Sàrl](https://www.g2.com/sellers/sonarsource-sarl) - **Company Website:** https://www.sonarsource.com - **Year Founded:** 2008 - **HQ Location:** Geneva, Switzerland - **Twitter:** @SonarSource (10,935 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/sonarsource/ (929 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** DevOps Engineer, Software Engineer - **Top Industries:** Information Technology and Services, Computer Software - **Company Size:** 42% Enterprise, 39% Mid-Market #### Pros & Cons **Pros:** - Code Quality (24 reviews) - Features (20 reviews) - Issue Identification (19 reviews) - Ease of Use (18 reviews) - Easy Integrations (18 reviews) **Cons:** - Software Bugs (12 reviews) - Complex Configuration (10 reviews) - False Positives (10 reviews) - Complexity (8 reviews) - Complex Setup (8 reviews) ### 15. [Mend.io](https://www.g2.com/products/mend-io/reviews) Mend.io is the leading application security solution, helping organizations reduce application risk efficiently. Built for modern, AI-driven, and traditional development environments alike, Mend.io prioritizes what matters most, so teams fix less, reduce risk faster, and deliver software with confidence. **Average Rating:** 4.3/5.0 **Total Reviews:** 105 **User Satisfaction Scores:** - **Quality of Support:** 8.7/10 (Category avg: 9.0/10) - **Language Support:** 8.5/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.8/10 (Category avg: 8.8/10) - **Integration:** 8.5/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Mend](https://www.g2.com/sellers/mend-ab79a83a-6747-4682-8072-a3c176489d0b) - **Company Website:** https://mend.io - **Year Founded:** 2011 - **HQ Location:** Boston, Massachusetts - **Twitter:** @Mend_io (11,302 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/2440656/ (258 employees on LinkedIn®) **Reviewer Demographics:** - **Who Uses This:** Software Engineer - **Top Industries:** Computer Software, Information Technology and Services - **Company Size:** 38% Small-Business, 34% Mid-Market #### Pros & Cons **Pros:** - Scanning Efficiency (8 reviews) - Ease of Use (7 reviews) - Easy Integrations (6 reviews) - Scanning Technology (6 reviews) - Vulnerability Detection (6 reviews) **Cons:** - Integration Issues (6 reviews) - Limited Features (3 reviews) - Missing Features (3 reviews) - Complex Implementation (2 reviews) - Confusing Interface (2 reviews) ### 16. [Microsoft Defender for Cloud](https://www.g2.com/products/microsoft-defender-for-cloud/reviews) Microsoft Defender for Cloud is a cloud native application protection platform for multicloud and hybrid environments with comprehensive security across the full lifecycle, from development to runtime. **Average Rating:** 4.4/5.0 **Total Reviews:** 279 **User Satisfaction Scores:** - **Quality of Support:** 8.6/10 (Category avg: 9.0/10) - **Language Support:** 9.4/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 10.0/10 (Category avg: 8.8/10) - **Integration:** 9.9/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Microsoft](https://www.g2.com/sellers/microsoft) - **Year Founded:** 1975 - **HQ Location:** Redmond, Washington - **Twitter:** @microsoft (13,114,353 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/microsoft/ (227,697 employees on LinkedIn®) - **Ownership:** MSFT **Reviewer Demographics:** - **Who Uses This:** Saas Consultant, Software Engineer - **Top Industries:** Information Technology and Services, Computer & Network Security - **Company Size:** 39% Mid-Market, 35% Enterprise #### Pros & Cons **Pros:** - Security (121 reviews) - Comprehensive Security (92 reviews) - Cloud Security (71 reviews) - Vulnerability Detection (63 reviews) - Threat Detection (57 reviews) **Cons:** - Complexity (27 reviews) - Expensive (24 reviews) - Delayed Detection (22 reviews) - False Positives (19 reviews) - Improvement Needed (19 reviews) ### 17. [Contrast Security](https://www.g2.com/products/contrast-security-contrast-security/reviews) Contrast Security is the global leader in Application Detection and Response (ADR), empowering organizations to see and stop attacks on applications and APIs in real time. Contrast embeds patented threat sensors directly into the software, delivering unmatched visibility and protection. With continuous, real-time defense, Contrast uncovers hidden application layer risks that traditional solutions miss. Contrast’s powerful Runtime Security technology equips developers, AppSec teams and SecOps with one platform that proactively protects and defends applications and APIs against evolving threats. **Average Rating:** 4.5/5.0 **Total Reviews:** 49 **User Satisfaction Scores:** - **Quality of Support:** 9.3/10 (Category avg: 9.0/10) - **Language Support:** 8.1/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.0/10 (Category avg: 8.8/10) - **Integration:** 8.8/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Contrast Security](https://www.g2.com/sellers/contrast-security) - **Company Website:** https://contrastsecurity.com - **Year Founded:** 2014 - **HQ Location:** Pleasanton, CA - **Twitter:** @contrastsec (5,483 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/contrast-security/ (224 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Insurance, Information Technology and Services - **Company Size:** 67% Enterprise, 20% Mid-Market #### Pros & Cons **Pros:** - Accuracy of Findings (2 reviews) - Accuracy of Results (2 reviews) - Vulnerability Detection (2 reviews) - Automated Scanning (1 reviews) - Automation (1 reviews) **Cons:** - Complex Setup (1 reviews) - Difficult Setup (1 reviews) - Performance Issues (1 reviews) - Problematic Updates (1 reviews) - Setup Complexity (1 reviews) ### 18. [Aqua Security](https://www.g2.com/products/aqua-security/reviews) Aqua Security sees and stops attacks across the entire cloud native application lifecycle in a single, integrated platform. From software supply chain security for developers to cloud security and runtime protection for security teams, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry’s most comprehensive Cloud Native Application Protection Platform (CNAPP). Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries. **Average Rating:** 4.2/5.0 **Total Reviews:** 57 **User Satisfaction Scores:** - **Quality of Support:** 8.0/10 (Category avg: 9.0/10) - **Language Support:** 7.3/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 6.3/10 (Category avg: 8.8/10) - **Integration:** 7.3/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Aqua Security Software Ltd](https://www.g2.com/sellers/aqua-security-software-ltd) - **Year Founded:** 2015 - **HQ Location:** Burlington, US - **Twitter:** @AquaSecTeam (7,690 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/aquasecteam/ (499 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Computer Software, Financial Services - **Company Size:** 56% Enterprise, 39% Mid-Market #### Pros & Cons **Pros:** - Security (19 reviews) - Ease of Use (18 reviews) - Features (12 reviews) - Detection (10 reviews) - Vulnerability Identification (9 reviews) **Cons:** - Missing Features (9 reviews) - Lack of Features (6 reviews) - Limited Features (6 reviews) - Difficult Navigation (4 reviews) - Improvement Needed (4 reviews) ### 19. [FOSSA](https://www.g2.com/products/fossa/reviews) Open source is a critical part of your software. In the average modern software product, over 80% of the source code shipped is derived from open source. Each component can have cascading legal, security, and quality implications for your customers, making it one of the most important things to manage correctly. FOSSA helps you manage your open source components. We plug into your development workflow to help your team automatically track, manage, and remediate issues with the open source you use to: - Stay compliant with software licenses and generate required attribution documents - Enforce usage and licensing policies throughout your CI/CD workflow - Monitor and remediate security vulnerabilities - Flag code quality issues and outdated components proactively By enabling open source, we help development teams increase development velocity and decrease risk. **Average Rating:** 4.2/5.0 **Total Reviews:** 15 **User Satisfaction Scores:** - **Quality of Support:** 8.3/10 (Category avg: 9.0/10) - **Language Support:** 8.8/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.5/10 (Category avg: 8.8/10) - **Integration:** 9.2/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [FOSSA](https://www.g2.com/sellers/fossa) - **Year Founded:** 2015 - **HQ Location:** San Francisco, California - **Twitter:** @getfossa (776 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/fossa/ (56 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Computer Software - **Company Size:** 47% Small-Business, 33% Mid-Market #### Pros & Cons **Pros:** - Easy Integrations (1 reviews) - Issue Resolution (1 reviews) - Remediation Solutions (1 reviews) - Risk Management (1 reviews) - Security (1 reviews) ### 20. [MergeBase](https://www.g2.com/products/mergebase/reviews) MergeBase is revolutionizing software supply chain protection with a full-featured, developer-oriented SCA solution that brings the lowest false positives in the industry and complete DevOps coverage from coding/building to deployment and run-time. MergeBase’s SCA tool analyzes the open-source/third-party libraries for vulnerabilities. Our mission is to protect the software supply chain. We provide a full-featured, developer-oriented solution that has the industry’s lowest false positive rates and complete coverage of the DevOps process. **Average Rating:** 4.5/5.0 **Total Reviews:** 20 **User Satisfaction Scores:** - **Quality of Support:** 9.3/10 (Category avg: 9.0/10) - **Language Support:** 7.9/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.5/10 (Category avg: 8.8/10) - **Integration:** 8.5/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [MergeBase Software](https://www.g2.com/sellers/mergebase-software) - **Year Founded:** 2018 - **HQ Location:** Coquitlam, British Columbia - **Twitter:** @mergebasesecure (86 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/mergebase/ (1 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Computer Software - **Company Size:** 40% Small-Business, 35% Mid-Market ### 21. [Sandworm](https://www.g2.com/products/sandworm/reviews) Sandworm is a comprehensive software supply chain security solution that detects vulnerabilities in dependencies, provides actionable insights, and ensures a secure and reliable development process for organizations across multiple programming languages. It empowers developers to identify and remediate potential risks, strengthens cybersecurity resilience, and fosters a safer software ecosystem. **Average Rating:** 5.0/5.0 **Total Reviews:** 11 **User Satisfaction Scores:** - **Quality of Support:** 9.6/10 (Category avg: 9.0/10) - **Language Support:** 9.1/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.6/10 (Category avg: 8.8/10) - **Integration:** 9.1/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Sandworm](https://www.g2.com/sellers/sandworm) - **Year Founded:** 2023 - **HQ Location:** N/A - **LinkedIn® Page:** https://www.linkedin.com/company/sandworm-dev/ (2 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Marketing and Advertising - **Company Size:** 73% Small-Business, 18% Mid-Market ### 22. [Socket](https://www.g2.com/products/socket-socket/reviews) Socket is the leading developer-first security platform that protects modern applications from malicious and vulnerable open source dependencies. By combining real-time package monitoring with AI-powered code analysis, Socket detects and blocks supply chain attacks within minutes of publication. With advanced reachability analysis, automated remediation, and license compliance features, Socket enables teams to focus on building software, while we keep their open source code secure. **Average Rating:** 4.7/5.0 **Total Reviews:** 10 **User Satisfaction Scores:** - **Quality of Support:** 9.0/10 (Category avg: 9.0/10) - **Language Support:** 8.9/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 8.3/10 (Category avg: 8.8/10) - **Integration:** 8.3/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Socket](https://www.g2.com/sellers/socket) - **Year Founded:** 2020 - **HQ Location:** San Francisco, US - **Twitter:** @SocketSecurity (11,088 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/socketinc/ (91 employees on LinkedIn®) **Reviewer Demographics:** - **Company Size:** 40% Mid-Market, 30% Enterprise #### Pros & Cons **Pros:** - Security (3 reviews) - Open Source (2 reviews) - Accuracy of Findings (1 reviews) - Alerts (1 reviews) - Comprehensive Security (1 reviews) **Cons:** - Missing Features (1 reviews) - System Slowness (1 reviews) ### 23. [Endor Labs](https://www.g2.com/products/endor-labs/reviews) Endor Labs helps you build and ship secure software fast, whether it's written by humans and AI. While conventional code scanning tools drown teams in false positives, Endor Labs zeroes in on real risks, empowering developers without slowing them down. Trusted by OpenAI, Snowflake, Peloton, Robinhood, Dropbox, Rubrik, and more, Endor Labs is transforming AppSec. • 92% less alerts: Unify code scanning (SAST, SCA, container, secrets, malware, AI models) and automate security code reviews with AI. Pinpoint real vulnerabilities with function-level reachability, filtering out unreachable risks and letting developers fix what matters as they code. • 6X faster fixes: Skip the guesswork. Endor Labs guides developers towards safe OSS upgrades, and backports fixes for hard-to-update libraries. • Guardrails for AI coding assistants: Endor Labs natively integrates into AI coding assistants to help them produce code securely by default. Additionally, Endor Labs has built multiple agents to review the AI and human generated code for architecture and business-logic issues. • Compliance, streamlined: FedRAMP, PCI, NIST, and SLSA compliance is simplified with artifact signing, SBOM, VEX, and more—accelerating your path to secure, compliant code. Learn more at: www.endorlabs.com/demo-request **Average Rating:** 4.8/5.0 **Total Reviews:** 9 **User Satisfaction Scores:** - **Quality of Support:** 9.8/10 (Category avg: 9.0/10) - **Language Support:** 9.4/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.7/10 (Category avg: 8.8/10) - **Integration:** 9.2/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Endor Labs](https://www.g2.com/sellers/endor-labs) - **Company Website:** https://www.endorlabs.com/ - **Year Founded:** 2021 - **HQ Location:** Palo Alto, California, United States - **Twitter:** @EndorLabs (563 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/endorlabs (200 employees on LinkedIn®) **Reviewer Demographics:** - **Company Size:** 78% Mid-Market, 22% Enterprise #### Pros & Cons **Pros:** - Features (5 reviews) - Ease of Use (4 reviews) - Accuracy of Findings (3 reviews) - Customer Support (3 reviews) - Integration Support (3 reviews) **Cons:** - UX Improvement (3 reviews) - API Limitations (1 reviews) - Difficult Setup (1 reviews) - Integration Issues (1 reviews) - Missing Features (1 reviews) ### 24. [Rainforest Application](https://www.g2.com/products/rainforest-technologies-rainforest-application/reviews) Rainforest is the all-in-one cyber security platform with an end-to-end approach to simplify corporate reputation protection by using multiple intelligences and proactive observability, adding Application and Cloud Security (from DevOps to DevSecOps), Vulnerability Intelligence, and Brand reputation (Fraud and Leak monitoring). Rainforest Application, Rainforest Cloud, and Rainforest Asset modules allow development and security teams have visibility of all applications lifecycle, in a simple and quick way, providing vulnerability management always that a new line is coded. Rainforest Fraud, Rainforest Leak, and Rainforest Asset build an integrated vision of Vulnerability and Brand Intelligence, guiding security and compliance teams in an efficient manner on potential exposure points, according to their importance to the business regarding the company's reputation. **Average Rating:** 4.9/5.0 **Total Reviews:** 12 **User Satisfaction Scores:** - **Quality of Support:** 9.8/10 (Category avg: 9.0/10) - **Language Support:** 8.0/10 (Category avg: 8.4/10) - **Continuous Monitoring:** 9.0/10 (Category avg: 8.8/10) - **Integration:** 8.7/10 (Category avg: 8.8/10) **Seller Details:** - **Seller:** [Rainforest Technologies](https://www.g2.com/sellers/rainforest-technologies) - **HQ Location:** Wilmington, Delaware - **LinkedIn® Page:** https://www.linkedin.com/company/80967943 (12 employees on LinkedIn®) **Reviewer Demographics:** - **Company Size:** 42% Mid-Market, 42% Small-Business ### 25. [Codacy](https://www.g2.com/products/codacy/reviews) Codacy is the only DevSecOps platform that delivers plug-and-play code health and security scanning for AI and human generated code. Future-proof your software – from source code to runtime – without extra servers or build steps. Deploy within minutes and stay ahead of emerging risks today. BUILT FOR HUMANS, READY FOR AI Seamless Git and IDE integrations make Codacy a daily coach your devs can trust, not just another browser tab. AI-generated code is no exception – leaving up to 50% of your codebase exposed to a new wave of zero-days. Empower your devs to use Copilot and Cursor with confidence, not concern. CODE HEALTH & SECURITY FOR ANY STACK While healthy coding standards make your apps and infra run smoothly, Codacy equips your devs with the largest AppSec suite on the market – SAST, hardcoded secrets, dependency checks, SBOM, license scanning, DAST, and pentesting – safeguarding your business every step of the way. PIPELINE-LESS CODE AND RUNTIME SCANS Codacy scans run entirely in the cloud, eliminating the need for servers or build steps. A simple one-click webhook integration gets every commit and Pull Request scanned on the fly, across 49 languages and frameworks – ready for codebases of any size and flavor, and SOC 2 Type 2 certified. **Average Rating:** 4.6/5.0 **Total Reviews:** 28 **User Satisfaction Scores:** - **Quality of Support:** 9.2/10 (Category avg: 9.0/10) **Seller Details:** - **Seller:** [Codacy](https://www.g2.com/sellers/codacy) - **Year Founded:** 2012 - **HQ Location:** Lisbon, Lisboa - **Twitter:** @codacy (5,025 Twitter followers) - **LinkedIn® Page:** https://www.linkedin.com/company/3310124/ (73 employees on LinkedIn®) **Reviewer Demographics:** - **Top Industries:** Computer Software - **Company Size:** 61% Small-Business, 21% Mid-Market #### Pros & Cons **Pros:** - Security (2 reviews) - Automation (1 reviews) - Automation Testing (1 reviews) - Code Quality (1 reviews) - Customer Support (1 reviews) **Cons:** - Expensive (1 reviews) ## Parent Category [DevSecOps Software](https://www.g2.com/categories/devsecops) ## Related Categories - [Vulnerability Scanner Software](https://www.g2.com/categories/vulnerability-scanner) - [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast) - [Secure Code Review Software](https://www.g2.com/categories/secure-code-review) --- ## Buyer Guide ### What You Should Know About Software Composition Analysis Software ### What is Software Composition Analysis Software? Software composition analysis (SCA) refers to the management and evaluation of open source and third-party components within the development environment. Software developers and development teams use SCA to keep tabs on the hundreds of open source components incorporated in their builds. These components fall out of compliance and require version updates; if left unchecked they can pose major security risks. With so many components to track, developers lean on SCA to automatically manage issues. SCA tools scan for actionable items and alerts developers, allowing teams to focus on development rather than manually combing through a mess of software components. In conjunction with tools such as [vulnerability scanner](https://www.g2.com/categories/vulnerability-scanner) and [dynamic application security testing (DAST) software](https://www.g2.com/categories/dynamic-application-security-testing-dast), software composition analysis integrates with the development environment to curate a secure DevOps workflow. The synergy between cybersecurity and DevOps, sometimes referred to as DevSecOps, answers an urgent call for developers to approach software development with a security-first mindset. For a long time, software developers have relied on open source and third-party components, leaving siloed cybersecurity professionals to clean up builds. This outdated standard often leaves large unresolved gaps in security for stretches of time. Software composition analysis presents a solution for ensuring secure compliance before the worst happens. Key Benefits of Software Composition Analysis Software - Help keep development secure - Ease the workloads of developers - Build a productive workflow across teams ### Why Use Software Composition Analysis Software? Security best practices are a necessary staple in any DevOps environment. Beyond industry standards, secure development is increasingly important as issues such as API vulnerabilities come to the forefront of cybersecurity. There are often many open source and third-party components in a software build—ensuring components are constantly updated and secure is a task better left to software. Software composition analysis does the job and saves development teams significant time and energy. **Peace of mind —** Software composition analysis software constantly evaluates open source components. This means developers and teams can focus on advancing their projects without worrying about a mess of unchecked components. In the event of any issues, SCA software alerts users and provides suggestions for remediation. **Seamless security —** Most SCA software integrates with preexisting development environments, meaning users don’t have to navigate between windows to address vulnerabilities. Developers can receive important and relevant information about the open source and third-party components in their builds without detaching themselves from their workspace. ### Who Uses Software Composition Analysis Software? DevOps teams that want to implement security best practices use SCA software as an integral part of the DevSecOps tool kit. SCA software empowers developers to proactively keep their open source and third-party components secure, rather than leave a mess of vulnerabilities for siloed cybersecurity team members to clean up. Tools like SCA software help break down the barriers between DevOps and cybersecurity practices, curating an integrated and agile workflow. **Solo developers —** While SCA software does wonders for larger teams looking to marry their cybersecurity and DevOps processes, solo developers benefit from their own automated security watchdog. Developers working alone on personal projects can’t expect cybersecurity to be taken care of by someone else, so tools like SCA software help them manage their open source vulnerabilities without eating into their time and energy. **Small development teams —** Similar to solo developers, small development teams often lack the assets to employ a full-time cybersecurity professional. SCA software also aids these teams, allowing them to focus their limited resources on building their project. **Large DevOps teams —** Midsize and enterprise DevOps teams rely on SCA software to shape a secure and common sense DevSecOps workflow. Rather than isolate cybersecurity professionals from the DevOps process, companies use tools like SCA to integrate cybersecurity as a default standard for development. This practice mitigates stressors on both developers and IT teams by enabling a more agile environment. ### Software Composition Analysis Software Features **Comprehensive insights —** SCA software gives users meaningful visibility into the open source and third-party components they use. These tools organize relevant and timely information and present developers with useful updates. This interface often requires some level of development knowledge, meaning the onus is on developers to act on any information presented by SCA tools. Version updates, compliance issues, and vulnerabilities are constantly evaluated so users can be alerted as soon as issues arise. **Remediation information —** Beyond identifying issues with developers’ open source components, SCA software provides users with relevant documentation for remediation. These suggestions give knowledgeable developers a jumping off point so they can address vulnerabilities in a timely manner. These remediation suggestions typically require development knowledge to understand, but developers can often pass these remediation tasks to cybersecurity professionals on their team. ### Trends Related to Software Composition Analysis Software **DevOps —** DevOps refers to the marriage of development and IT operations management to make unified software development pipelines. Teams have implemented DevOps best practices to build, test, and release software. SCA software’s seamless blending with integrated development environments (IDEs) means it fits right in with any DevOps cycle. **Cybersecurity —** Calls for standardized cybersecurity best practices as part of DevOps philosophy, often referred to as DevSecOps, have shifted the responsibility for secure applications to developers. SCA software’s vulnerability detection and remediation features play a necessary role in establishing secure DevOps practices. ### Software and Services Related to Software Composition Analysis Software [**Vulnerability scanner software**](https://www.g2.com/categories/vulnerability-scanner) **—** Vulnerability scanners constantly monitor applications and networks to identify vulnerabilities. These tools scan full applications and networks then test them against known vulnerabilities. All of these functions work in conjunction with SCA software to form a comprehensive security stack. [**Static application security testing (SAST) software**](https://www.g2.com/categories/static-application-security-testing-sast) **—** SAST software inspects and analyzes an application’s code to discover security vulnerabilities without actually executing code. Similar to SCA software, these tools identify vulnerabilities and provide remediation suggestions. There is functional overlap with static code analysis software, but SAST software specifically focuses on security, while static code analysis software has a broader scope. [**Dynamic application security testing (DAST) software**](https://www.g2.com/categories/dynamic-application-security-testing-dast) **—** DAST tools automate security tests for a variety of real-world threats. These tools run applications against simulated attacks and other cybersecurity scenarios using black box testing, or testing performed outside an application. [**Static code analysis software**](https://www.g2.com/categories/static-code-analysis) **—** Static code analysis is a debugging and quality assurance method that inspects a computer program’s code without executing the program. Static code analysis software scans code to identify security vulnerabilities, catch bugs, and ensure the code adheres to industry standards. These tools help software developers automate the core aspects of program comprehension. While static code analysis is similar to static application security testing, this software covers a broader scope as opposed to focusing solely on security.