External Package Scanning for open vulnerabilities

I see that SonarCloud has Code Security scanning; however, I am wondering if it can scan external software dependencies from NuGet and NPM and compare them to the open vulnerabilities in the NVD/MITRE vulnerability databases. I have used Veracode for this in the past. I am hoping I could use SonarCloud as my one-stop shop for static analysis and external library security analysis.


Welcome to the community!

We don’t have that built-in. However, if you can get the NuGet and NPM scans done externally, you can convert their reports into the Generic Issue Data format and see it all in one place.
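One way to do the conversion the reply describes, as an added example that is not part of the original thread and is not SonarSource code: it maps `npm audit --json` output (npm 7+, `auditReportVersion` 2) to Generic Issue Data JSON using the format's per-issue `engineId`/`ruleId`/`severity`/`type` fields. The severity mapping, the `npm-audit` engine name, and attributing findings to `package.json` are assumptions, and the sample report is constructed.

```javascript
// Assumed mapping from npm audit severities to Generic Issue Data severities.
const SEVERITY_MAP = {
  critical: 'BLOCKER', high: 'CRITICAL', moderate: 'MAJOR', low: 'MINOR', info: 'INFO',
};

function auditToGenericIssues(audit, manifestPath = 'package.json') {
  const issues = [];
  const seen = new Set();
  for (const [pkg, vuln] of Object.entries(audit.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      // String entries only name another vulnerable package (transitive chain);
      // the advisory itself is reported under that package's own entry.
      if (typeof via !== 'object' || via === null) continue;
      const key = `${pkg}:${via.source}`;
      if (seen.has(key)) continue; // one issue per package/advisory pair
      seen.add(key);
      const range = via.range || vuln.range || '';
      const title = via.title || 'known vulnerability';
      const suffix = vuln.isDirect ? '' : ' (transitive dependency)';
      issues.push({
        engineId: 'npm-audit', // assumed engine label
        ruleId: String(via.source ?? 'unknown-advisory'),
        severity: SEVERITY_MAP[via.severity] || 'MAJOR',
        type: 'VULNERABILITY',
        primaryLocation: {
          message: `${pkg} ${range}: ${title}${suffix}`,
          filePath: manifestPath, // findings are attributed to the manifest
        },
      });
    }
  }
  return { issues };
}

// Constructed sample report (not real advisories).
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-lib': { name: 'example-lib', severity: 'high', isDirect: true, range: '<1.2.3',
      via: [{ source: 1001, name: 'example-lib', title: 'Constructed prototype pollution advisory',
        url: 'https://example.invalid/advisories/1001', severity: 'high', range: '<1.2.3' }] },
    'example-app-dep': { name: 'example-app-dep', severity: 'high', isDirect: true, range: '*',
      via: ['example-lib'] },
  },
};

console.log(JSON.stringify(auditToGenericIssues(sampleAudit), null, 2));
```

Write the resulting JSON to a file and point the scanner at it with the `sonar.externalIssuesReportPaths` analysis parameter.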

