OpenText Core SCA (formerly Debricked) is a developer-friendly software composition analysis platform that uses machine learning to identify vulnerabilities and assess dependency health.
Now integrated with the OpenText Fortify portfolio, it provides unified application security for organizations using Fortify SAST alongside open-source dependency scanning.
What is OpenText Core SCA?
Debricked was founded with the goal of making SCA accessible to developers without compromising security depth.
The platform emphasizes fast scanning, clear prioritization, and actionable remediation guidance.
After acquisition by Micro Focus (2022) and subsequent absorption into OpenText (2023), the tool became OpenText Core SCA while retaining its developer-focused approach.
The integration with Fortify Software Security Center and Fortify on Demand means organizations can manage SAST and SCA findings in a single dashboard.
This consolidation simplifies vulnerability management and provides consistent policies across code analysis types.
Key Features
ML-Powered Vulnerability Analysis
Machine learning models enrich vulnerability data beyond what CVE databases provide.
The system predicts exploit likelihood, estimates time-to-fix, and identifies patterns in vulnerability disclosure.
This intelligence helps teams prioritize based on actual risk rather than CVSS scores alone.
Dependency Health Scoring
Each dependency receives a health score based on maintenance activity, community size, release frequency, and security track record.
Low health scores indicate risky dependencies even without known vulnerabilities.
The metric helps teams choose well-maintained alternatives proactively.
Automated Fix Pull Requests
When vulnerabilities are detected, the platform can automatically create pull requests with version updates.
The fix PRs include context about what changed and any breaking changes to watch for.
This automation reduces the friction of keeping dependencies current.
License Compliance
Comprehensive license detection covers hundreds of license types including custom and uncommon licenses.
Policy rules flag copyleft, commercial restrictions, or specific license requirements.
The compliance engine handles multi-license packages and license expressions.
Fortify Integration
Native integration with Fortify Software Security Center displays SCA findings alongside SAST results.
Fortify on Demand users can add SCA scanning to their existing workflows without additional configuration.
The unified view simplifies security governance.
SBOM Generation
Generate Software Bill of Materials in SPDX and CycloneDX formats.
The SBOM includes transitive dependencies, license information, and vulnerability status.
Automated generation supports emerging regulatory requirements for software transparency.
Installation
OpenText Core SCA runs as a SaaS platform with CI/CD integrations.
CLI Scanner
Install the Debricked CLI:

```bash
# npm (works across platforms)
npm install -g @debricked/cli

# Homebrew (macOS/Linux)
brew install debricked/tap/cli
```

Authenticate:

```bash
debricked auth login
# Opens browser for OAuth authentication
```

Or use token authentication:

```bash
export DEBRICKED_TOKEN="your-api-token"
```

Docker

```bash
docker run -v "$(pwd)":/repo debricked/cli:latest scan /repo
```
How to Use OpenText Core SCA
Basic Scanning
Scan a repository:

```bash
debricked scan .
```

Scan and write the results to a file:

```bash
debricked scan . --output results.json
```
Resolving Dependencies
For accurate results, resolve dependencies before scanning so the lockfile or resolved tree reflects what actually ships:

```bash
# JavaScript
npm install
debricked scan .

# Python
pip install -r requirements.txt
debricked scan .

# Java/Maven
mvn dependency:resolve
debricked scan .
```
Policy Enforcement
Configure policies in .debricked.yaml:

```yaml
policies:
  vulnerability:
    failOn:
      severity: high
      cvss: 7.0
  license:
    deny:
      - GPL-3.0-only
      - AGPL-3.0-only
    allow:
      - MIT
      - Apache-2.0
```

Run with policy check:

```bash
debricked scan . --policy .debricked.yaml
```
Generating SBOMs
```bash
# CycloneDX format
debricked sbom . --format cyclonedx --output sbom.cdx.json

# SPDX format
debricked sbom . --format spdx --output sbom.spdx.json
```
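As an added example (not Debricked's or OpenText's own code), the following Python script applies the same rules as the .debricked.yaml policy above to a CycloneDX SBOM of the kind the sbom command exports, so a pipeline can gate on the exported SBOM as well as on the live scan. The embedded SBOM, its package names and its vulnerability ids are constructed placeholders, and the treatment of SPDX OR-expressions (accepted when any alternative is on the allow list) is an assumption about a reasonable policy, not documented Debricked behaviour.

```python
import json

# Constructed CycloneDX 1.4-style SBOM; names, versions and vuln ids are placeholders.
SAMPLE_SBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"name": "http-lib", "version": "1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "pdf-lib", "version": "0.9.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
  {"name": "dual-lib", "version": "2.0.0", "licenses": [{"expression": "(MIT OR GPL-3.0-only)"}]}],
 "vulnerabilities": [
  {"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": "pkg:npm/http-lib@1.2.3"}],
   "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}]},
  {"id": "VULN-PLACEHOLDER-2", "affects": [{"ref": "pkg:npm/pdf-lib@0.9.0"}],
   "ratings": [{"score": 4.3, "severity": "medium", "method": "CVSSv31"}]}]}""")

# The same rules as the .debricked.yaml policy above, as a dict.
POLICY = {"vulnerability": {"failOn": {"severity": "high", "cvss": 7.0}},
          "license": {"deny": ["GPL-3.0-only", "AGPL-3.0-only"], "allow": ["MIT", "Apache-2.0"]}}
SEVERITY_RANK = {"none": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

def denied_license(entry, policy):
    """Return the offending license text or None. A plain id fails if denied; an SPDX
    expression passes if any OR-alternative is allowed, else fails on any denied id."""
    deny, allow = set(policy["license"]["deny"]), set(policy["license"]["allow"])
    lic = entry.get("license", {})
    text = entry.get("expression") or lic.get("id") or lic.get("name") or "UNKNOWN"
    if "expression" not in entry:
        return text if text in deny else None
    bare = text.replace("(", " ").replace(")", " ")
    if any(alt.strip() in allow for alt in bare.split(" OR ")):
        return None
    return text if any(tok in deny for tok in bare.split()) else None

def check_licenses(sbom, policy):
    return [f"{c['name']}@{c['version']}: denied license {bad}"
            for c in sbom.get("components", []) for e in c.get("licenses", [])
            if (bad := denied_license(e, policy))]

def check_vulnerabilities(sbom, policy):
    """Fail when any rating reaches the severity threshold or the CVSS threshold."""
    fail, hits = policy["vulnerability"]["failOn"], []
    for v in sbom.get("vulnerabilities", []):
        for r in v.get("ratings", []):
            sev, score = r.get("severity", "none").lower(), float(r.get("score", 0))
            if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[fail["severity"]] or score >= fail["cvss"]:
                hits.append(f"{v['id']} ({sev}, CVSS {score}) affects "
                            + ", ".join(a["ref"] for a in v.get("affects", [])))
                break
    return hits
```

A non-empty result from either check is the signal to fail the pipeline stage; the medium-severity finding in the sample is reported by neither check, which matches the failOn thresholds in the policy.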
Integration
GitHub Actions
```yaml
name: Debricked SCA
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install dependencies
        run: npm ci
      - name: Debricked Scan
        uses: debricked/actions/scan@v1
        with:
          token: ${{ secrets.DEBRICKED_TOKEN }}
      - name: Upload SBOM
        uses: debricked/actions/sbom@v1
        with:
          token: ${{ secrets.DEBRICKED_TOKEN }}
          format: cyclonedx
```
GitLab CI
```yaml
debricked:
  image: debricked/cli:latest
  script:
    - npm ci
    - debricked scan . --token $DEBRICKED_TOKEN
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```
Azure DevOps
```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'
  - script: npm ci
    displayName: 'Install dependencies'
  - script: |
      npm install -g @debricked/cli
      debricked scan .
    displayName: 'Debricked scan'
    env:
      DEBRICKED_TOKEN: $(DEBRICKED_TOKEN)
```
Jenkins Pipeline
```groovy
pipeline {
    agent any
    environment {
        // Credential stored in Jenkins, exposed to the shell steps below
        DEBRICKED_TOKEN = credentials('debricked-token')
    }
    stages {
        stage('Install Dependencies') {
            steps {
                sh 'npm ci'
            }
        }
        stage('Debricked SCA') {
            steps {
                sh 'npm install -g @debricked/cli'
                sh 'debricked scan .'
            }
        }
    }
}
```
Fortify Integration
Connect to Fortify Software Security Center:
- Navigate to Debricked Settings > Integrations
- Add Fortify SSC connection with URL and token
- Map repositories to Fortify application versions
- SCA findings appear in Fortify alongside SAST results
When to Use OpenText Core SCA
OpenText Core SCA suits organizations that need:
- Developer-friendly SCA with minimal friction
- ML-powered prioritization beyond standard CVSS
- Dependency health metrics for proactive maintenance
- Integration with Fortify SAST for unified security
- Automated pull requests for dependency updates
The platform works well for teams that want actionable results without needing deep in-house security expertise.
The health scoring and automated fixes reduce the burden of dependency maintenance.
Organizations already using Fortify benefit most from the native integration.
For those outside the Fortify ecosystem, evaluate whether the developer experience and ML features justify choosing this platform over alternatives.
Note: Acquired by Micro Focus in 2022, now part of OpenText. Also known as OpenText Core SCA.
