About SCA Scan Service

SCA Scan Service (SCASS) is a scalable solution for performing software composition analysis scans outside of the traditional Black Duck SCA environment. SCASS supports Package Manager, Signature, Binary, and Container scans, making it a versatile choice for various scanning needs.

This service provides significant benefits for both on-premise and hosted customers:

  • On-premise customers: Resource requirements for non-specialized scanning are greatly reduced, streamlining infrastructure needs.

  • Hosted customers: Cloud infrastructure efficiency improves through dynamic scaling with overall scan demand, enhancing performance and reducing operational overhead.

Key functions of SCA Scan Service

SCA Scan Service enables the following functionality:

  • Scanning of provided code artifacts using one or more scan type methodologies.

    • Build artifacts, repositories, binaries, and Docker images.

    • Signature, package manager, binary, and Docker container scan type methodologies.

  • Matching of evidence to OSS components.

    • Signatures, packages, and Docker layer digests.

    • Singular and correlative matching techniques.

  • Results delivery.

    • Unopinionated results of identified components, their declared licenses, and their associated vulnerabilities.

    • Intermediate evidence data (BDIO) in support of replay and serviceability.

Performance Improvements

We have conducted extensive performance and scalability testing with the SCA Scan Service. As a result, scan performance has improved across the board, along with a reduction in resource requirements.

We strongly recommend that customers use at least the Gen05/120sph hardware scale for production environments; the 10sph scale is neither suitable for nor supported in production. The Gen05 hardware configuration demonstrates a significant reduction in resource requirements, using approximately 25% less hardware for the same scan volume compared to Gen04. This improvement is largely attributable to enhancements and optimizations made in the SCA Scan Service (SCASS).

However, please note that individual scan performance will vary based on specific scan configurations, hardware setups, and network bandwidth.

For more information on hardware resource reductions, please refer to our announcement in the 2025.1.0 Release Notes and the Black Duck Hardware Scaling Guidelines.

Security considerations

With the SCA Scan Service (SCASS), scan input leaves your environment over an outbound session to the service hosted at scass.blackduck.com, so it is crucial to ensure that this session is protected: in practice, that certificate and hostname verification remain enabled and are not disabled to accommodate an intercepting proxy, and that your egress policy explicitly permits the connection. The data transmitted has not changed; only internal processing has been made more efficient. Customers are encouraged to engage their security teams, review the relevant policies, and stay informed about the rollout progress, especially for the binary and container scanning features, which send binaries and image contents to the service. This proactive approach helps maintain robust security practices while using SCASS.

Scan types

Scan type Configuration Options Code Upload? BDIO Upload? Correlated Scan Support? Match Support
Signature
  • Configuration options: explicit configuration; automatic configuration

  • Evidence: file-based

  • Matches: component origin matches

Package manager
  • Configuration options: explicit configuration; automatic configuration

  • Evidence: package-based

  • Matches: component origin matches

Binary
  • Configuration options: explicit configuration; automatic configuration

  • Evidence: file-based and package-based

  • Matches: component matches; component version matches; component origin matches

Docker container
  • Configuration options: explicit configuration; automatic configuration

  • Evidence: file-based and package-based

  • Matches: component matches; component version matches; component origin matches

Snippet
  • Configuration options: explicit configuration

  • Evidence: file-based

  • Matches: component origin matches

Other features

SCASS also enables Correlated Scanning, a new feature that improves match results by combining evidence from multiple scan types.

Additionally, SCASS delivers scanning bug fixes faster, independent of Black Duck release cycles. Scan results are still stored transactionally in Black Duck; the service itself adds flexibility and scalability to scanning across platforms.

Please note that this feature must be enabled on your product registration key before you can use the service. With SCASS, you can simplify resource management and enjoy a more scalable scanning experience. Contact your Black Duck representative to learn more.

Configuring SCA Scan Service

It is essential to follow the instructions outlined in the SCA Scan Service Configuration Guide to ensure proper setup and functionality of the SCA Scan Service.

Additionally, please note that when configuring your setup, the SCASS Hostname should be set to scass.blackduck.com. This will allow your system to correctly connect and utilize the SCA Scan Service for your scanning needs.
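The security considerations above ask you to confirm that the outbound session to scass.blackduck.com is protected, and the configuration step above names only the hostname. The following pre-flight check is an added example written for this page, not Black Duck's own code or tooling: it assumes the service is reached over HTTPS on TCP/443 (the page does not state the port), opens a TLS session with certificate and hostname verification enforced, and reports what was negotiated. It also shows the verification-disabled context that is sometimes used to get past an intercepting proxy, and refuses to run a check with it, because that is the setting a security review should catch.

```python
"""Pre-flight check for the outbound TLS session to the SCA Scan Service.

Added example, not Black Duck code. Assumes SCASS is reached over HTTPS
on TCP/443; the documentation names only the hostname.
"""
import socket
import ssl

SCASS_HOST = "scass.blackduck.com"
SCASS_PORT = 443  # assumption: HTTPS on the standard port


def build_context() -> ssl.SSLContext:
    """Hardened client context: verify the chain and the hostname, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: verification switched off to get past a TLS-intercepting proxy.
    Shown only so the audit below has something to reject; never use this for SCASS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if chain verification, hostname verification and a TLS 1.2 floor are all on."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def check_endpoint(host=SCASS_HOST, port=SCASS_PORT, timeout=5.0, ctx=None) -> dict:
    """Open a verified TLS session and report the result as a dict with an 'ok' flag.

    Network and TLS failures are returned, not raised, so the check can run in CI.
    A context that does not verify the peer is rejected before any connection is made.
    """
    ctx = ctx or build_context()
    if not context_is_hardened(ctx):
        return {"ok": False, "reason": "context does not verify peer; refusing to connect"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "reason": "verified",
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        # Typical cause: an intercepting proxy re-signing with a private CA that is
        # not in the trust store. Fix it with ctx.load_verify_locations(<proxy CA>),
        # not by disabling verification.
        return {"ok": False, "reason": f"certificate verification failed: {exc.reason}"}
    except (OSError, ssl.SSLError) as exc:
        # Covers DNS failure, egress blocked by a firewall, timeouts and handshake errors.
        return {"ok": False, "reason": f"connection failed: {exc}"}


if __name__ == "__main__":
    print(check_endpoint())
```

Run it from the host that will talk to SCASS; a result with "ok": False and a "certificate verification failed" reason points at an intercepting proxy or a missing CA, and a "connection failed" reason at DNS or egress filtering, which are the two things to raise with the network and security teams before enabling the service.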