Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.1.3.X. License Compliance and SCA Tooling

License scanning checks that every package in your application's dependency tree carries a license your organization's policy allows. This is distinct from vulnerability scanning — a dependency can be vulnerability-free yet carry a copyleft license (GPL, AGPL) whose terms are incompatible with distributing proprietary software.

Key tools: SCA platforms like Mend (formerly WhiteSource), Snyk, FOSSA, and GitHub's Dependabot can detect license types across direct and transitive dependencies. Pipeline policy rules then fail the build when a non-permissive license is detected, whether it belongs to a direct dependency or to one pulled in transitively.
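As an added example (not MindMesh's code and not any vendor's scanner), here is a minimal pipeline license gate of the kind described above: it reads a CycloneDX-style SBOM, classifies each dependency's SPDX license id against a deny/review/allow policy, and fails the build on copyleft or unidentifiable licenses for direct and transitive dependencies alike. The SBOM, package names and license assignments are constructed for illustration.

```python
import json
# Constructed CycloneDX-style SBOM fragment; not output from any real project.
SBOM_JSON = """{
 "metadata": {"component": {"bom-ref": "pkg:npm/app@1.0.0", "name": "app"}},
 "components": [
  {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "licenses": [{"license": {"id": "MIT"}}]},
  {"bom-ref": "pkg:npm/termgpl@2.0.0", "name": "termgpl", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
  {"bom-ref": "pkg:npm/lgpl-util@1.1.0", "name": "lgpl-util", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
  {"bom-ref": "pkg:npm/nolicense@0.1.0", "name": "nolicense"}],
 "dependencies": [
  {"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/termgpl@2.0.0"]},
  {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/nolicense@0.1.0"]},
  {"ref": "pkg:npm/termgpl@2.0.0", "dependsOn": ["pkg:npm/lgpl-util@1.1.0"]}]}"""
# Policy keyed by SPDX id; anything unlisted is "unknown" and blocks the build.
DENY = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
        "AGPL-3.0-only", "AGPL-3.0-or-later"}                  # strong copyleft
REVIEW = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
          "LGPL-3.0-or-later", "MPL-2.0"}                       # weak copyleft
ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

def verdict(spdx_id):
    for name, ids in (("deny", DENY), ("review", REVIEW), ("allow", ALLOW)):
        if spdx_id in ids:
            return name
    return "unknown"   # unrecognised or missing: cannot be shown to be permissive

def evaluate(sbom_json):
    """One finding per declared licence: name, id, verdict, direct/transitive."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    direct = {r for d in sbom.get("dependencies", []) if d["ref"] == root
              for r in d.get("dependsOn", [])}
    findings = []
    for c in sbom["components"]:
        # A component with no licence data at all is reported as NOASSERTION.
        ids = [l["license"].get("id", l["license"].get("name", "NOASSERTION"))
               for l in c.get("licenses", [])] or ["NOASSERTION"]
        for spdx_id in ids:
            findings.append({"name": c["name"], "license": spdx_id,
                             "verdict": verdict(spdx_id), "direct": c["bom-ref"] in direct})
    return findings

def build_passes(findings):
    """Gate: any deny or unknown verdict fails the build; review only warns."""
    return all(f["verdict"] in ("allow", "review") for f in findings)

if __name__ == "__main__":
    results = evaluate(SBOM_JSON)
    for f in results:
        print(f"{f['verdict']:8}{f['name']:12}{f['license']:16}{'direct' if f['direct'] else 'transitive'}")
    raise SystemExit(0 if build_passes(results) else 1)
```

Run as a pipeline step, the non-zero exit code is what fails the build; in the constructed SBOM the direct GPL dependency and the transitive package with no license data both block it, while the LGPL package is only flagged for review.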

SonarQube/SonarCloud complements security scanning with broader code quality analysis — detecting bugs, code smells, duplications, and maintainability issues alongside security hotspots. Quality gates can block merges when quality standards aren't met. SonarQube is self-hosted; SonarCloud is the SaaS version. Both integrate with Azure Pipelines and GitHub Actions.

OWASP Top 10 is the industry-standard awareness document for web application security risks. The OWASP Dependency-Check tool scans project dependencies against the National Vulnerability Database (NVD). OWASP ZAP provides dynamic application security testing (DAST). Many AZ-400 security scanning questions reference OWASP categories.

Written by Alvin Varughese, Founder, 15 professional certifications