SCA Rules
SCA rules detect vulnerable dependencies and risky packages used by your applications.
Data Sources and Refresh Cadence
Sttor correlates dependency vulnerabilities using multiple intelligence sources, including:
- OSV (Open Source Vulnerabilities)
- Trivy vulnerability database feeds
- GitHub Security Advisories (GHSA / GitHub ecosystem)
- Additional upstream ecosystem advisories (as available through aggregators)
Vulnerability intelligence is refreshed every 3 hours, ensuring that new CVEs and advisory updates are quickly reflected across both pull request scans and branch scans.
Risk Enrichment
For each vulnerable dependency, Sttor can enrich findings with additional context, including:
- Affected versions and fixed versions (when available)
- CVSS score and severity (when available)
- EPSS (Exploit Prediction Scoring System) to help prioritize vulnerabilities most likely to be exploited
SCA Rule Table (Example)
| ID | Title | Description | Remediation | Tags |
|---|---|---|---|---|
| PACKAGE-0001 | Vulnerable dependency detected | Flags dependencies that match known advisories (CVE, GHSA, OSV) in the current dependency graph. | Upgrade to a fixed version; replace the dependency; pin safe version ranges. | sca, dependency, vulnerability, osv, trivy, epss |
| PACKAGE-0002 | End-of-life dependency version | Detects dependency versions that are deprecated or end-of-life and likely to miss security updates. | Upgrade to a supported version; remove unused dependencies. | sca, dependency-hygiene |
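The correlation and enrichment flow described above (match a dependency graph against advisory ranges, attach fixed version, CVSS and EPSS when available, and tag each finding with a rule ID from the table), as an added example that is not Sttor's own code. Every advisory, EPSS score, end-of-life entry and dependency below is constructed for illustration; the advisory IDs are placeholders, not real CVEs or GHSAs. The range matching follows the OSV `affected[].ranges[].events` shape (an `introduced` event opens an affected window, the next `fixed` event closes it), which is the only assumption about feed format the example makes.

```python
"""Added example (not Sttor's code): correlate dependencies against OSV-style
advisories, enrich hits with CVSS/EPSS, and emit PACKAGE-0001/PACKAGE-0002 findings.
All feed data below is constructed; advisory IDs are placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed dependency graph, as it might be parsed from a lockfile.
DEPENDENCIES = [
    {"ecosystem": "PyPI", "name": "example-http", "version": "2.3.1"},
    {"ecosystem": "PyPI", "name": "example-yaml", "version": "5.1.0"},
    {"ecosystem": "npm", "name": "example-logger", "version": "1.9.4"},
]

# Constructed advisories in the OSV "affected[].ranges[].events" shape.
ADVISORIES = [
    {
        "id": "EXAMPLE-ADV-0001",           # placeholder, not a real identifier
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-http"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "2.0.0"}, {"fixed": "2.4.0"}]}],
        }],
        "severity": {"cvss_score": 7.5, "cvss_severity": "HIGH"},
    },
    {
        "id": "EXAMPLE-ADV-0002",           # placeholder; 5.1.0 is the fixed version
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-yaml"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "5.1.0"}]}],
        }],
        "severity": {"cvss_score": 9.8, "cvss_severity": "CRITICAL"},
    },
]

# Constructed EPSS lookup (real EPSS is keyed by CVE); missing = "not available".
EPSS = {"EXAMPLE-ADV-0001": 0.62}

# Constructed end-of-life table: (ecosystem, name) -> highest major version that is EOL.
END_OF_LIFE = {("npm", "example-logger"): 1}


def parse_version(v: str) -> Tuple[int, ...]:
    """"2.3" -> (2, 3, 0). Non-numeric parts sort low. Real SCA tools use
    ecosystem-specific version parsers; this is enough for the example."""
    parts = [int(p) if p.isdigit() else -1 for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def match_range(version: str, events: List[dict]) -> Tuple[bool, Optional[str]]:
    """Walk sorted OSV events; return (affected, first fixed version above `version`)."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    if not affected:
        return False, None
    fixed = next((ev["fixed"] for ev in events
                  if "fixed" in ev and parse_version(ev["fixed"]) > v), None)
    return True, fixed


@dataclass
class Finding:
    rule_id: str
    package: str
    version: str
    advisory: Optional[str] = None
    fixed_version: Optional[str] = None
    cvss_score: Optional[float] = None
    severity: Optional[str] = None
    epss: Optional[float] = None


def scan(dependencies, advisories, epss, eol) -> List[Finding]:
    """Correlate every dependency with advisories (PACKAGE-0001) and the EOL table (PACKAGE-0002)."""
    findings = []
    for dep in dependencies:
        key = (dep["ecosystem"], dep["name"])
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != key:
                    continue
                for rng in aff["ranges"]:
                    hit, fixed = match_range(dep["version"], rng["events"])
                    if hit:
                        sev = adv.get("severity", {})
                        findings.append(Finding(
                            "PACKAGE-0001", dep["name"], dep["version"], adv["id"], fixed,
                            sev.get("cvss_score"), sev.get("cvss_severity"), epss.get(adv["id"])))
        eol_major = eol.get(key)
        if eol_major is not None and parse_version(dep["version"])[0] <= eol_major:
            findings.append(Finding("PACKAGE-0002", dep["name"], dep["version"]))
    return findings


def prioritize(findings: List[Finding]) -> List[Finding]:
    """EPSS (exploit likelihood) first, then CVSS; findings without scores sort last."""
    return sorted(findings, key=lambda f: (-(f.epss or 0.0), -(f.cvss_score or 0.0), f.rule_id))


if __name__ == "__main__":
    for f in prioritize(scan(DEPENDENCIES, ADVISORIES, EPSS, END_OF_LIFE)):
        print(f)
```

Running it yields one PACKAGE-0001 finding for example-http 2.3.1 (fixed in 2.4.0, HIGH, EPSS 0.62) and one PACKAGE-0002 finding for example-logger; example-yaml 5.1.0 is not flagged because it sits exactly on the `fixed` boundary, the edge case a range matcher most often gets wrong.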