[0:06] Shinobi: Welcome back to Sushi Bytes, the podcast where we break down software risk into bite-sized insights you can actually use. Now, if you listened to our last episode, SCA in the AI Era, you might remember we talked about how AI is completely reshaping how software gets built. Code generation is accelerating. Code volume is going through the roof too! And naturally, software risk management pressure is scaling right alongside it.
Well, funny enough, the timing couldn’t be better. Because just after that episode dropped, FossID made a pretty big announcement. They’re calling it Agentic SCA. And today, we’re diving into what that actually means.
To help us unpack this, we’ve got a familiar voice back on the show, Aaron Branson, the Chief Growth Officer at FossID. Aaron joined us previously to talk about where SCA is heading in 2026, and now he’s back to explain what might be one of the biggest steps in that direction. Aaron, welcome back.
[1:05] Aaron Branson: Thanks, Shinobi! Glad to be back. And yeah, the timing is kind of perfect, isn’t it?
What’s Broken About SCA Today?
[1:12] Shinobi: Alright, let’s level set. In the last episode, we talked about how AI is increasing the volume of code, but also changing the nature of code. More fragments, or snippets. More mixed licensing. More unknown provenance. So, before we get into Agentic SCA, what’s broken about software composition analysis in that world?
[1:34] Aaron: Yeah, great question. Well, today there are two classes of SCA. The first class assumes software is assembled from clearly defined components. You have complete packages, properly declared dependencies, versioning, everything right there for a scanner to read, compile, and tell you what software components you have, what licenses they use, and what known vulnerabilities they may have.
The second does all that, but also accounts for unmanaged code, meaning dependencies that are not properly declared, embedded languages that don’t use a package manager, and even third-party code that doesn’t exist in its entirety. Meaning maybe it’s been modified, maybe portions of it have been copy-pasted in, or as of late, maybe it’s been generated by AI. At the end of the day, it’s what’s called a “code snippet.” No matter how large or how small that snippet may be, this class of SCA tool scans the actual code to find any third-party library reuse lurking about.
Now, that’s where we are today with those two classes, and that’s all well and good. In fact, that second class is the right foundation to start from, but it’s not enough. The difference now is volume and velocity. Code is simply cheaper to create. It’s getting generated faster, and the typical application is getting larger in terms of lines of code. That means more unmanaged code to scan by SCA tools that have snippet detection to maintain this visibility and compliance rigor, but it also means teams are moving faster and these scans are causing a bottleneck.
Enter Agentic SCA
[3:25] Shinobi: So where does Agentic SCA come in?
[3:27] Aaron: Agentic SCA is about leveraging AI agents to handle this code volume, velocity, and complexity without slowing down delivery, and it works in several stages of the software development lifecycle.
The thing I’m most excited about is built-in compliance at the point of code creation. Yes, SCA should be run at Code Integration, and full audits before Code Delivery, but what’s been lacking is the same capability at Code Creation, which is truly shifting left. Agentic SCA inspects the code as it is built, gives guidance to developers in real time in their environment, enforces policies on the code automatically, and adapts to your compliance policies.
So it prevents issues and serves as a pair programmer for software engineers who are not license and copyright experts, nor should they be expected to be. Then the scan at the pull request is less likely to have issues, so you have faster, cleaner builds. And the pre-release audit really becomes just validation, not uncovering issues that need rework, just exporting the SBOM.
[4:47] Gen: So, less “inspection findings at the point of delivery,” and more “expert guidance while you’re building.”
[4:54] Aaron: Exactly. But not just at delivery, that’s pretty rare. More importantly, in the CI pipeline.
Why Now?
[5:01] Shinobi: And why now? What’s really pushing this shift into motion now?
[5:05] Aaron: Because software development is moving at machine speed now. And the pressure is on to keep up. When AI is generating this much code this fast, you don’t get the luxury of slowing down to run compliance checks manually anymore. And if these risk controls can’t keep up, they’re gonna get bypassed. So Agentic SCA is really about matching that speed and those expectations, embedding compliance and security directly into the workflow, and adding intelligence automatically to the later-stage audits.
What Agentic SCA Actually Includes
[5:39] Shinobi: Makes sense! But let’s get concrete. When FossID says “Agentic SCA,” what does that actually include?
[5:48] Aaron: At a high level, it’s built around a few core ideas.
- Agents Instead of Tools: AI Agents armed with SCA skills and hooks can take action, trigger scans, enforce policies, guide decisions, without waiting for a human to initiate everything.
- Deep Snippet Intelligence: Understanding code at a granular level, not just package-level dependencies. AI-generated code has made this more relevant than ever.
- Really Shifting Left: SCA operates in CI pipelines, but now it can effectively live inside developer environments as code is created, not as a separate step.
- Policy as Code: Turning compliance rules into enforceable, automated logic for strong issue prevention.
- AI-Assisted Audits: I haven’t even unpacked this and we might not have time, but it’s not only about built-in compliance from the start. This also means faster, intelligent audits when scanning an entire codebase, with remediation guidance in terms that anyone can understand.
What Changes for Software Risk Leaders?
[7:09] Gen: Okay, so help me picture this. If I’m a software risk leader, what actually changes for me?
[7:17] Aaron: Great question Gen. You’ll definitely notice the difference. First, you move from reactive to proactive. Instead of finding out you have legal or security issues after the code is written, you’re now avoiding them by arming your coding tools with SCA know-how. Put another way, instead of breaking a build at code merge or chasing issues after release, you’re preventing them during development.
Second, you get better alignment across teams. Think about legal, engineering, and security that are working together to define and work from the same compliance rules, and then having policy enforced automatically.
And third, you get scalability. Because the system can handle increasing code volume and complexity without requiring more manual oversight by overworked software compliance experts.
Regulation, SBOMs, and AI Governance
[8:17] Shinobi: And we can’t ignore regulation here. SBOM requirements. Supply chain transparency. AI governance. How does Agentic SCA help there?
[8:26] Aaron: It makes compliance much more realistic, Shinobi. Instead of scrambling to generate reports after the fact, you’re continuously building a compliant system. SBOMs become a byproduct of the process, not a last-minute deliverable, let alone one that has bad news in it like copyleft licenses or unmanaged vulnerabilities that should’ve been handled sooner.
Why Can’t an LLM Just Do This?
[8:51] Gen: Alright, I get it, I’m a little biased, but I have to ask, why can’t an LLM do this job without SCA?
[8:58] Aaron: Fair question. Here’s how we see it.
- Context Limitations: LLMs can’t reliably process entire application codebases due to context window constraints, leading to incomplete analysis and missed risk. SCA tools are scanning an application’s half-a-million lines of code against a knowledgebase of over 200 million known OSS projects. Context limitations hinder the LLM in this situation.
- Inefficient for Code Identification: Identifying open source code, licenses, and vulnerabilities is not a language problem. Using LLM tokens and reasoning for exact matching is computationally expensive and inefficient compared to SCA knowledgebases, matching algorithms, and scoring methods that are designed for this task.
- Inconsistent Results: LLMs don’t always produce the same answer given the same input. This makes them unreliable for compliance data that requires consistent, auditable, and repeatable results.
- No Curated Source of Truth: LLMs are trained on broad, unstructured data and don’t rely on a continuously curated knowledge base of components, licenses, and vulnerabilities. Not to mention the training data lag-time when it comes to the latest intel. Without that specialized curation, scan results can be incomplete, outdated, or incorrect, leading to a classic garbage-in, garbage-out problem for compliance and risk assessment.
[10:52] Aaron: But of course, there are so many things LLMs do well! And that’s why this combination is exciting.
- Agentic SCA gives you the best of both worlds: combining LLM reasoning with high-precision software composition analysis for accurate, explainable, and reliable outcomes.
- It’s Built for Scale: SCA’s high-performance code identification handles large codebases efficiently, while AI focuses on interpretation, guidance, and decision-making.
- Audit-Ready Results: Agentic SCA delivers consistent, repeatable, evidence-based outputs required for compliance, legal review, and especially these regulatory frameworks like GDPR that are coming into focus.
- Real-Time, In-Workflow Compliance: And LLMs enable AI agents to automatically analyze and act on risks as code is written, not after the fact.
Basically, SCA and LLMs are a perfect team.
Wrap-Up
[12:07] Gen: OK, that makes sense. And that actually ties really nicely back to our last episode. We said SCA needs to evolve to match AI-driven development. And it sounds like Agentic SCA is FossID’s answer to that.
[12:21] Aaron: Exactly. That conversation was the diagnosis and this is the treatment.
[12:26] Shinobi: Alright, let’s wrap it up. If listeners take one thing away from this, what should it be?
[12:34] Aaron: One thing? AI has changed everything. Speed. Complexity. Risk. Everything. It’s up to solutions like FossID to figure it out, to help teams meet these expectations so they can safely move at the speed of AI.
[12:53] Gen: The alternative seems to be to either slow down development or lose visibility and control.
[12:58] Shinobi: Neither would be a fun choice to make. Aaron, thanks again for joining us.
[13:03] Aaron: Anytime!
[13:05] Shinobi: And to everyone listening, if you enjoyed this episode, make sure to subscribe, share it with your team, and stay tuned for more Sushi Bytes. Until next time, stay sharp.