From 7f111af7606863f23a1f1c7f2b5d1ba0f589f7fc Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Mon, 9 Mar 2026 18:40:10 +0100
Subject: [PATCH 01/16] Update Code Security SCA Page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR updates the Software Composition Analysis (SCA) documentation to make the product model and UI views easier to understand.

Changes:
1. Adds a How it works section that explains Static SCA (repo scans) vs Runtime SCA (APM) and how advisory ingestion impacts results.
2. Reorganizes content into Key capabilities with clearer user workflows (prioritize vulnerabilities, view by repository, PR Gates, library inventory, APM context).
3. Adds Understanding SCA views to explain the difference between Repositories Explorer (commit-scoped snapshot) and Vulnerabilities Explorer (continuously matched), including an example.
4. Documents retroactive advisory matching so customers understand why new CVEs can appear without rerunning scans.
5. Keeps existing setup and language support references and updates “Next steps” accordingly.
---
 .../software_composition_analysis/_index.md   | 94 ++++++++++++++-----
 1 file changed, 68 insertions(+), 26 deletions(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index bded2847dd4..91c43627180 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -11,6 +11,18 @@ further_reading:
   - link: https://www.datadoghq.com/blog/code-security-secret-scanning
     tag: Blog
     text: Detect and block exposed credentials with Datadog Secret Scanning
+  - link: /security/code_security/software_composition_analysis/setup_static/
+    tag: Documentation
+    text: Set up Static SCA
+  - link: /security/code_security/software_composition_analysis/setup_runtime/
+    tag: Documentation
+    text: Set up Runtime SCA
+  - link: /security/code_security/software_composition_analysis/library_inventory
+    tag: Documentation
+    text: Library Inventory
+  - link: /pr_gates/
+    tag: Documentation
+    text: PR Gates
 
 ---
 ## Overview
@@ -22,28 +34,23 @@ Using Software Composition Analysis provides organizations with the following be
 - Risk-based prioritization and remediation based on runtime detection of vulnerabilities
 - Identification of malicious packages, end-of-life libraries, and library riskiness based on OpenSSF standards
 
-Datadog SCA uses a curated proprietary database. The database is sourced from Open Source Vulnerabilities (OSV), National Vulnerability Database (NVD), GitHub advisories, and other language ecosystem advisories, as well as Datadog's own Security Research team's findings. There is a maximum of 2 hours between when a new vulnerability is published and when it appears in Datadog, with emerging vulnerabilities typically appearing in Datadog within minutes.
-
-## SCA language support
+## How it works
 
-Software Composition Analysis (SCA) supports the following languages:
+SCA supports two complementary detection modes:
+- **Static detection** scans your repositories by analyzing dependency files (lockfiles and manifests) at each commit. Scans run automatically on every push to a connected repository, or can be triggered from your CI/CD pipeline. See [Set up Static SCA][1] to get started.
+- **Runtime detection** identifies libraries that are actually loaded and used by your services at runtime, using instrumentation from Datadog APM. See [Set up Runtime SCA][2] to get started.
 
-{{< partial name="code_security/sca-lang-support.html" >}}
+Datadog SCA uses a curated proprietary database. The database is sourced from Open Source Vulnerabilities (OSV), National Vulnerability Database (NVD), GitHub advisories, and other language ecosystem advisories, as well as Datadog's own Security Research team's findings. There is a maximum of 2 hours between when a new vulnerability is published and when it appears in Datadog, with emerging vulnerabilities typically appearing in Datadog within minutes.
 
-For steps on setting up SCA for your language, see [Set up SCA][15].
+New advisories are automatically matched against all existing scan results, including older commits, without requiring a new scan. See [Understanding SCA views](#understanding-sca-views) for more details.
 
-## Set up SCA
+## Key capabilities
 
-SCA supports both static and runtime dependency detection:
-- For **static detection**, you can scan your repositories from your CI/CD pipelines or directly from Datadog's infrastructure. See [static setup][1] to get started.
-- For **runtime detection**, you can enable SCA on services instrumented with Datadog APM. See [runtime setup][2] to get started.
+### Review and prioritize vulnerabilities
 
-## Search and filter results
-### Vulnerabilities explorer
-The [Vulnerabilities][11] explorer provides a vulnerability-centric view of library vulnerabilities detected by SCA, alongside vulnerabilities detected by other Code Security capabilities (SAST and IAST). All vulnerabilities in the explorer are either detected on the default branch at the last commit of a scanned repository, or are affecting a running service.
+The [vulnerabilities explorer][11] provides a vulnerability-centric view of library vulnerabilities detected by SCA, alongside vulnerabilities detected by other Code Security capabilities (SAST, IAST, Secrets Scanning, and IaC). All vulnerabilities in the explorer are either detected on the default branch at the last commit of a scanned repository, or are affecting a running service.
 
-### Datadog severity score
-Each vulnerability begins with a base CVSS score. To assist in prioritizing remediation, Datadog modifies the base CVSS score into the Datadog Severity Score by incorporating runtime context and exploitability signals. These factors help distinguish theoretical risk from vulnerabilities that are more likely to be exploited in real-world environments. The table below describes how each factor influences the final score.
+To assist in prioritizing remediation, Datadog modifies the base CVSS score into the **Datadog Severity Score** by incorporating runtime context and exploitability signals. These factors help distinguish theoretical risk from vulnerabilities that are more likely to be exploited in real-world environments. The table below describes how each factor influences the final score.
 
 | Risk factor                       | How it is evaluated                                                  | Impact on the score                                    |
 |-----------------------------------|----------------------------------------------------------------------|--------------------------------------------------------|
@@ -54,14 +61,16 @@ Each vulnerability begins with a base CVSS score. To assist in prioritizing reme
 | Exploit availability              | Availability of public exploits for the vulnerability.               | Decreased if no exploit is available.                  |
 | Exploitation probability (EPSS)   | Likelihood of real-world exploitation based on EPSS data.            | Decreased when the probability of exploitation is low. |
 
-### Repositories explorer
-The [Repositories][12] explorer provides a repository-centric view of all scan results across Static Code Analysis (SAST) and Software Composition Analysis (SCA). Click on a repository to analyze **Library Vulnerabilities** and **Library Catalog** results from SCA scoped to your chosen branch and commit.
+### View findings by repository
+
+The [repositories explorer][12] provides a repository-centric view of all scan results across Static Code Analysis (SAST), Software Composition Analysis (SCA), Secrets, and Infrastructure as Code (IaC).  Click on a repository to analyze **Library Vulnerabilities** and **Library Catalog** results from SCA scoped to your chosen branch and commit.
 * The **Library Vulnerabilities** tab contains the vulnerable library versions found by Datadog SCA
 * The **Library Catalog** tab contains all of the libraries (vulnerable or not) found by Datadog SCA.
 
 Recommended steps for remediating detected vulnerabilities can be found in the side panel for each vulnerability in SCA. Steps are provided for upgrading the library to the safest (non-vulnerable) version, as well as the closest version.
 
-To filter your results, use the facets to the left of the list or the search bar at the top. Results can be filtered by service or team facets. For more information about how results are linked to Datadog services and teams, see [Getting Started with Code Security][5].
+To filter your results, use the facets to the left of the list or the search bar at the top. Results can be filtered by service or team facets. For more information about how results
+  are linked to Datadog services and teams, see [Link findings to Datadog services and teams][18].
 
 Every row represents a unique library and version combination. Each combination is associated with the specific commit and branch that is selected in the filters at the top of the page (by default, the latest commit on the default branch of the repository you selected).
 
@@ -69,7 +78,17 @@ Click on a library with a vulnerability to open a side panel that contains infor
 
 <!-- {{< img src="code_security/software_composition_analysis/sca-violation.png" alt="Side panel for a SCA violation" style="width:80%;">}} -->
 
-### Library inventory
+### Automatically block risky changes with PR Gates
+
+Use [PR Gates][16] to enforce security standards on open source library usage before changes are merged. Datadog scans the dependencies introduced in each pull request, identifies any vulnerabilities or license violations above your configured severity threshold, and reports a pass or fail status to GitHub or Azure DevOps.
+
+You can configure PR Gates to block on:                                                                                                
+- **Security vulnerabilities**: libraries with known CVEs above a configured severity threshold.
+- **License violations**: libraries using licenses that do not comply with your organization's policy.
+
+PR Gates only fails and blocks a PR if the developer **introduces a new violation as part of that PR** — existing violations already present in the codebase before the PR was opened do not trigger a block. By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. GitLab support is currently in preview. For setup instructions, see [Set up PR Gate Rules][17].
+
+### Manage your library inventory
 
 The [Library Inventory][8] provides visibility into the third-party libraries detected across your codebase. Datadog collects this information from:
 
@@ -81,12 +100,25 @@ Use the Library Inventory to understand which dependencies you rely on, where th
 To learn more about how the inventory is generated, how Static and Runtime data differ, and how to interpret the library details (usage, vulnerabilities, licenses, versions, and OpenSSF score), see [Library Inventory][14].
 
 ### Library vulnerability context in APM
+
 SCA enriches the information Application Performance Monitoring (APM) is already collecting by flagging libraries that match with current vulnerability advisories. Potentially vulnerable services are highlighted directly in the **Security** view embedded in the [APM Software Catalog][10].
-- Whether it is reaching end of life
-- Whether it is a malicious package
-- The health of this library version based on its OpenSSF scorecard breakdown
-- Software supply chain & Software Bill of Materials (SBOM) management
 
+## Understanding SCA views
+
+The Repositories Explorer and Vulnerabilities Explorer serve complementary but distinct purposes.
+
+**Repositories Explorer** reflects a **point-in-time snapshot** of the libraries and vulnerabilities detected at the time of the scan. It shows which libraries were present in a given repository at a specific commit, along with any vulnerabilities that were known at scan time. This view does not update retroactively if new advisories are published after the scan runs.
+
+**Vulnerabilities Explorer** provides a **live view** that is continuously matched against the latest advisory database. If a new vulnerability advisory is published after a repository scan, it automatically appears in the Vulnerabilities Explorer, even if the repository has not been rescanned and even if the advisory targets an older commit. This means your vulnerability exposure is always up to date, regardless of when the last scan ran.
+
+> **Example:** If a scan runs at 10:00 AM and a CVE advisory for a library in your repository is published at 4:00 PM the same day, the Repositories Explorer for that commit will not show the CVE, but the Vulnerabilities Explorer will reflect it as soon as the advisory is available in Datadog's database.
+
+### Retroactive advisory matching
+
+Datadog automatically applies new advisories to all existing scan results, including results from older commits. This means:
+- You do not need to trigger a new scan for a newly published CVE to be reflected in your vulnerability posture.
+- The Vulnerabilities Explorer always shows the most current risk picture based on your last known library inventory.
+- The Repositories Explorer remains a historical record of what was known at scan time.
 
 ### Vulnerability lifecycle
 Vulnerabilities detected in libraries by SCA **at runtime** are closed by Datadog after a certain period, depending on the service's usage of the vulnerable library.
@@ -102,12 +134,19 @@ Libraries that are loaded more than 1 hour after the service has started.
 - **Cold Libraries:**
 Libraries from services that are alive for less than 2 hours (such as jobs).
   - **When vulnerabilities are auto-closed by Datadog:** After 5 days, if they have not been detected again during this period.
+  
+## SCA language support
 
-<!-- ### Remediation
+Software Composition Analysis (SCA) supports the following languages:
+
+{{< partial name="code_security/sca-lang-support.html" >}}
 
-The Vulnerability Explorer offers remediation recommendations for detected vulnerabilities. Recommendations enable you to change the status of a vulnerability, assign it to a team member for review, and create a Jira issue for tracking. They also include a collection of links and references to websites or information sources to help you understand the context behind each vulnerability. -->
+## Next steps
 
-<!-- **Note**: To create Jira issues for SCA vulnerabilities, you must configure the Jira integration, and have the `manage_integrations` permission. For detailed instructions, see the [Jira integration][11] documentation, as well as the [Role Based Access Control][9] documentation. -->
+1. [Set up Static SCA][1] to scan your repositories.
+2. [Set up Runtime SCA][2] to detect libraries loaded by your running services.
+3. Review and triage findings in the [Vulnerabilities Explorer][11].
+4. Configure [PR Gates][16] to block risky changes before they are merged.
 
 ## Further Reading
 
@@ -126,3 +165,6 @@ The Vulnerability Explorer offers remediation recommendations for detected vulne
 [13]: /security/code_security/software_composition_analysis/setup_static/#upload-third-party-sbom-to-datadog
 [14]: /security/code_security/software_composition_analysis/library_inventory
 [15]: /security/code_security/software_composition_analysis/#set-up-sca
+[16]: /pr_gates/
+[17]: /pr_gates/setup
+[18]: /security/code_security/software_composition_analysis/setup_static/?tab=github#link-findings-to-datadog-services-and-teams

From 4f6cdbe3d577c5e09b492beda6a4c2a3c6f59ab6 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Mon, 9 Mar 2026 18:46:49 +0100
Subject: [PATCH 02/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md      | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index 91c43627180..b2b5c558853 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -69,8 +69,7 @@ The [repositories explorer][12] provides a repository-centric view of all scan r
 
 Recommended steps for remediating detected vulnerabilities can be found in the side panel for each vulnerability in SCA. Steps are provided for upgrading the library to the safest (non-vulnerable) version, as well as the closest version.
 
-To filter your results, use the facets to the left of the list or the search bar at the top. Results can be filtered by service or team facets. For more information about how results
-  are linked to Datadog services and teams, see [Link findings to Datadog services and teams][18].
+To filter your results, use the facets to the left of the list or the search bar at the top. Results can be filtered by service or team facets. For more information about how results are linked to Datadog services and teams, see [Link findings to Datadog services and teams][18].
 
 Every row represents a unique library and version combination. Each combination is associated with the specific commit and branch that is selected in the filters at the top of the page (by default, the latest commit on the default branch of the repository you selected).
 

From 95c6800d405b7ed908c51de5b8250b1a427d552c Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Mon, 9 Mar 2026 18:47:13 +0100
Subject: [PATCH 03/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index b2b5c558853..0b42233c20c 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -81,7 +81,7 @@ Click on a library with a vulnerability to open a side panel that contains infor
 
 Use [PR Gates][16] to enforce security standards on open source library usage before changes are merged. Datadog scans the dependencies introduced in each pull request, identifies any vulnerabilities or license violations above your configured severity threshold, and reports a pass or fail status to GitHub or Azure DevOps.
 
-You can configure PR Gates to block on:                                                                                                
+You can configure PR Gates to block on:
 - **Security vulnerabilities**: libraries with known CVEs above a configured severity threshold.
 - **License violations**: libraries using licenses that do not comply with your organization's policy.
 

From 32ecde7f4590a92a6eb44bdde41b0072b06b74c8 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Mon, 9 Mar 2026 18:48:08 +0100
Subject: [PATCH 04/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index 0b42233c20c..8b95f56aaa5 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -63,7 +63,7 @@ To assist in prioritizing remediation, Datadog modifies the base CVSS score into
 
 ### View findings by repository
 
-The [repositories explorer][12] provides a repository-centric view of all scan results across Static Code Analysis (SAST), Software Composition Analysis (SCA), Secrets, and Infrastructure as Code (IaC).  Click on a repository to analyze **Library Vulnerabilities** and **Library Catalog** results from SCA scoped to your chosen branch and commit.
+The [repositories explorer][12] provides a repository-centric view of all scan results across Static Code Analysis (SAST), Software Composition Analysis (SCA), Secrets Scanning, and Infrastructure as Code (IaC).  Click on a repository to analyze **Library Vulnerabilities** and **Library Catalog** results from SCA scoped to your chosen branch and commit.
 * The **Library Vulnerabilities** tab contains the vulnerable library versions found by Datadog SCA
 * The **Library Catalog** tab contains all of the libraries (vulnerable or not) found by Datadog SCA.
 

From 8354b7dfc6806fac3c6a33c54a190f76121f2caa Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Mon, 9 Mar 2026 18:48:25 +0100
Subject: [PATCH 05/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md        | 1 -
 1 file changed, 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index 8b95f56aaa5..ca97ebf51b8 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -163,7 +163,6 @@ Software Composition Analysis (SCA) supports the following languages:
 [12]: https://app.datadoghq.com/ci/code-analysis
 [13]: /security/code_security/software_composition_analysis/setup_static/#upload-third-party-sbom-to-datadog
 [14]: /security/code_security/software_composition_analysis/library_inventory
-[15]: /security/code_security/software_composition_analysis/#set-up-sca
 [16]: /pr_gates/
 [17]: /pr_gates/setup
 [18]: /security/code_security/software_composition_analysis/setup_static/?tab=github#link-findings-to-datadog-services-and-teams

From 74bf11d9861408caa13e823834252136620545cd Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 11:14:01 +0100
Subject: [PATCH 06/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

---
 .../code_security/software_composition_analysis/_index.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index ca97ebf51b8..42a88a1c799 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -42,7 +42,7 @@ SCA supports two complementary detection modes:
 
 Datadog SCA uses a curated proprietary database. The database is sourced from Open Source Vulnerabilities (OSV), National Vulnerability Database (NVD), GitHub advisories, and other language ecosystem advisories, as well as Datadog's own Security Research team's findings. There is a maximum of 2 hours between when a new vulnerability is published and when it appears in Datadog, with emerging vulnerabilities typically appearing in Datadog within minutes.
 
-New advisories are automatically matched against all existing scan results, including older commits, without requiring a new scan. See [Understanding SCA views](#understanding-sca-views) for more details.
+When Datadog ingests a new advisory, it is matched against your last known library inventory and appears in the Vulnerabilities Explorer even if you haven’t rescanned the repository. The Repositories Explorer is commit-scoped and reflects what was known at the time the scan ran—so a scan that executed before Datadog ingested the advisory will not show that newly published advisory in the Repositories Explorer for that commit. See [Understanding SCA views](#understanding-sca-views) for more details.
 
 ## Key capabilities
 

From b57c6511a5ba77002c8ac1dea5a65ec4d612ca19 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 11:21:17 +0100
Subject: [PATCH 07/16] Update _index.md

Applied some minor improvements suggested by Copilot.
---
 .../code_security/software_composition_analysis/_index.md  | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index 42a88a1c799..c68b6bbd7fc 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -63,7 +63,7 @@ To assist in prioritizing remediation, Datadog modifies the base CVSS score into
 
 ### View findings by repository
 
-The [repositories explorer][12] provides a repository-centric view of all scan results across Static Code Analysis (SAST), Software Composition Analysis (SCA), Secrets Scanning, and Infrastructure as Code (IaC).  Click on a repository to analyze **Library Vulnerabilities** and **Library Catalog** results from SCA scoped to your chosen branch and commit.
+The [repositories explorer][12] provides a repository-centric view of all scan results across Static Code Analysis (SAST), Software Composition Analysis (SCA), Secrets Scanning, and Infrastructure as Code (IaC). Click on a repository to analyze **Library Vulnerabilities** and **Library Catalog** results from SCA scoped to your chosen branch and commit.
 * The **Library Vulnerabilities** tab contains the vulnerable library versions found by Datadog SCA
 * The **Library Catalog** tab contains all of the libraries (vulnerable or not) found by Datadog SCA.
 
@@ -85,7 +85,7 @@ You can configure PR Gates to block on:
 - **Security vulnerabilities**: libraries with known CVEs above a configured severity threshold.
 - **License violations**: libraries using licenses that do not comply with your organization's policy.
 
-PR Gates only fails and blocks a PR if the developer **introduces a new violation as part of that PR** — existing violations already present in the codebase before the PR was opened do not trigger a block. By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. GitLab support is currently in preview. For setup instructions, see [Set up PR Gate Rules][17].
+PR Gates only fails and blocks a PR if the developer **introduces a new violation as part of that PR**—existing violations already present in the codebase before the PR was opened do not trigger a block. By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. GitLab support is currently in preview. For setup instructions, see [Set up PR Gate Rules][17].
 
 ### Manage your library inventory
 
@@ -100,7 +100,7 @@ To learn more about how the inventory is generated, how Static and Runtime data
 
 ### Library vulnerability context in APM
 
-SCA enriches the information Application Performance Monitoring (APM) is already collecting by flagging libraries that match with current vulnerability advisories. Potentially vulnerable services are highlighted directly in the **Security** view embedded in the [APM Software Catalog][10].
+SCA enriches the information Application Performance Monitoring (APM) is already collecting by flagging libraries that match against current vulnerability advisories. Potentially vulnerable services are highlighted directly in the **Security** view embedded in the [APM Software Catalog][10].
 
 ## Understanding SCA views
 
@@ -155,7 +155,6 @@ Software Composition Analysis (SCA) supports the following languages:
 [1]: /security/code_security/software_composition_analysis/setup_static/
 [2]: /security/code_security/software_composition_analysis/setup_runtime/
 [3]: https://app.datadoghq.com/security/appsec/vm
-[5]: /getting_started/code_security/
 [8]: https://app.datadoghq.com/security/appsec/inventory/libraries
 [9]: /account_management/rbac/permissions/#integrations
 [10]: https://app.datadoghq.com/services?lens=Security

From 508974bdb71ecaaea117a2733633c4e813c3bb6e Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 11:28:34 +0100
Subject: [PATCH 08/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index c68b6bbd7fc..ce6554b73be 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -85,7 +85,7 @@ You can configure PR Gates to block on:
 - **Security vulnerabilities**: libraries with known CVEs above a configured severity threshold.
 - **License violations**: libraries using licenses that do not comply with your organization's policy.
 
-PR Gates only fails and blocks a PR if the developer **introduces a new violation as part of that PR**—existing violations already present in the codebase before the PR was opened do not trigger a block. By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. GitLab support is currently in preview. For setup instructions, see [Set up PR Gate Rules][17].
+PR Gates only fails and blocks a PR if the developer **introduces a new violation as part of that PR**—existing violations already present in the codebase before the PR and its branch were created do not trigger a block. By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. GitLab support is currently in preview. For setup instructions, see [Set up PR Gate Rules][17].
 
 ### Manage your library inventory
 

From 4c32f1c1c79c3385c9e7b7cabfc5260273b8f6b0 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 11:37:53 +0100
Subject: [PATCH 09/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md        | 1 -
 1 file changed, 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index ce6554b73be..674c122e770 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -133,7 +133,6 @@ Libraries that are loaded more than 1 hour after the service has started.
 - **Cold Libraries:**
 Libraries from services that are alive for less than 2 hours (such as jobs).
   - **When vulnerabilities are auto-closed by Datadog:** After 5 days, if they have not been detected again during this period.
-  
 ## SCA language support
 
 Software Composition Analysis (SCA) supports the following languages:

From 3c21f476821cca81c2fbeb3bc993fe06f2b05f9f Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 11:38:28 +0100
Subject: [PATCH 10/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index 674c122e770..75fc931078d 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -48,7 +48,7 @@ When Datadog ingests a new advisory, it is matched against your last known libra
 
 ### Review and prioritize vulnerabilities
 
-The [vulnerabilities explorer][11] provides a vulnerability-centric view of library vulnerabilities detected by SCA, alongside vulnerabilities detected by other Code Security capabilities (SAST, IAST, Secrets Scanning, and IaC). All vulnerabilities in the explorer are either detected on the default branch at the last commit of a scanned repository, or are affecting a running service.
+The [Vulnerabilities Explorer][11] provides a vulnerability-centric view of library vulnerabilities detected by SCA, alongside vulnerabilities detected by other Code Security capabilities (SAST, IAST, Secrets Scanning, and IaC). All vulnerabilities in the explorer are either detected on the default branch at the last commit of a scanned repository, or are affecting a running service.
 
 To assist in prioritizing remediation, Datadog modifies the base CVSS score into the **Datadog Severity Score** by incorporating runtime context and exploitability signals. These factors help distinguish theoretical risk from vulnerabilities that are more likely to be exploited in real-world environments. The table below describes how each factor influences the final score.
 

From c286375a3c0f5ce8822c12722ffd8faff5517e21 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 12:01:59 +0100
Subject: [PATCH 11/16] Update _index.md

Applied Copilot suggestions.
---
 .../code_security/software_composition_analysis/_index.md  | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index 75fc931078d..bad37d7cb4a 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -37,7 +37,7 @@ Using Software Composition Analysis provides organizations with the following be
 ## How it works
 
 SCA supports two complementary detection modes:
-- **Static detection** scans your repositories by analyzing dependency files (lockfiles and manifests) at each commit. Scans run automatically on every push to a connected repository, or can be triggered from your CI/CD pipeline. See [Set up Static SCA][1] to get started.
+- **Static detection** scans your repositories by analyzing dependency files (lockfiles and manifests). Scans run when changes are committed that update supported dependency manifests/lockfiles in an enabled repository. You can also run SCA in your CI/CD pipeline (CI jobs are supported on <code>push</code> event triggers). See [Set up Static SCA][1] to get started.
 - **Runtime detection** identifies libraries that are actually loaded and used by your services at runtime, using instrumentation from Datadog APM. See [Set up Runtime SCA][2] to get started.
 
 Datadog SCA uses a curated proprietary database. The database is sourced from Open Source Vulnerabilities (OSV), National Vulnerability Database (NVD), GitHub advisories, and other language ecosystem advisories, as well as Datadog's own Security Research team's findings. There is a maximum of 2 hours between when a new vulnerability is published and when it appears in Datadog, with emerging vulnerabilities typically appearing in Datadog within minutes.
@@ -50,6 +50,8 @@ When Datadog ingests a new advisory, it is matched against your last known libra
 
 The [Vulnerabilities Explorer][11] provides a vulnerability-centric view of library vulnerabilities detected by SCA, alongside vulnerabilities detected by other Code Security capabilities (SAST, IAST, Secrets Scanning, and IaC). All vulnerabilities in the explorer are either detected on the default branch at the last commit of a scanned repository, or are affecting a running service.
 
+#### Datadog severity score
+
 To assist in prioritizing remediation, Datadog modifies the base CVSS score into the **Datadog Severity Score** by incorporating runtime context and exploitability signals. These factors help distinguish theoretical risk from vulnerabilities that are more likely to be exploited in real-world environments. The table below describes how each factor influences the final score.
 
 | Risk factor                       | How it is evaluated                                                  | Impact on the score                                    |
@@ -85,7 +87,7 @@ You can configure PR Gates to block on:
 - **Security vulnerabilities**: libraries with known CVEs above a configured severity threshold.
 - **License violations**: libraries using licenses that do not comply with your organization's policy.
 
-PR Gates only fails and blocks a PR if the developer **introduces a new violation as part of that PR**—existing violations already present in the codebase before the PR and its branch were created do not trigger a block. By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. GitLab support is currently in preview. For setup instructions, see [Set up PR Gate Rules][17].
+PR Gates only fails and blocks a PR if the developer **introduces a new violation as part of that PR**—existing violations already present in the codebase before the PR and its branch were created do not trigger a block. By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. For setup instructions, see [Set up PR Gate Rules][17].
 
 ### Manage your library inventory
 
@@ -133,6 +135,7 @@ Libraries that are loaded more than 1 hour after the service has started.
 - **Cold Libraries:**
 Libraries from services that are alive for less than 2 hours (such as jobs).
   - **When vulnerabilities are auto-closed by Datadog:** After 5 days, if they have not been detected again during this period.
+
 ## SCA language support
 
 Software Composition Analysis (SCA) supports the following languages:

From c53f2874277312ede27f1fafb043d89154a06b78 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 12:06:39 +0100
Subject: [PATCH 12/16] Update _index.md

---
 .../software_composition_analysis/setup_static/_index.md      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md
index 1d33c5e9cc4..71423f149a7 100644
--- a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md
@@ -41,7 +41,7 @@ Datadog SCA scans libraries in the following languages using dependency manifest
 **Note:** If both a `packages.lock.json` and a `.csproj` file are present, the `packages.lock.json` takes precedence and provides more precise version resolution.
 
 ## Select where to run static SCA scans
-By default, scans are automatically run upon each commit to a lockfile within an enabled repository. Default branch results are updated every hour to detect new vulnerabilities on existing packages.
+By default, scans run when changes are committed that update supported dependency manifests/lockfiles in an enabled repository. You can also run SCA in your CI/CD pipeline (CI jobs are supported on <code>push</code> event triggers).
 
 ### Scan with Datadog-hosted scanning
 
@@ -385,4 +385,4 @@ Datadog stores findings in accordance with our [Data Rentention Periods](https:/
 [26]: https://docs.datadoghq.com/account_management/teams/
 [101]: https://docs.datadoghq.com/software_catalog/service_definitions/v3-0/
 [102]: https://docs.datadoghq.com/internal_developer_portal/software_catalog/entity_model/?tab=v30#codelocations
-[103]: https://docs.datadoghq.com/data_security/data_retention_periods/
\ No newline at end of file
+[103]: https://docs.datadoghq.com/data_security/data_retention_periods/

From 93684ae0a5558cb8b0b08e8d819d53ab4a20a214 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 12:30:52 +0100
Subject: [PATCH 13/16] Update
 content/en/security/code_security/software_composition_analysis/setup_static/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../software_composition_analysis/setup_static/_index.md        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md
index 71423f149a7..0a24ba2f9c1 100644
--- a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md
@@ -41,7 +41,7 @@ Datadog SCA scans libraries in the following languages using dependency manifest
 **Note:** If both a `packages.lock.json` and a `.csproj` file are present, the `packages.lock.json` takes precedence and provides more precise version resolution.
 
 ## Select where to run static SCA scans
-By default, scans run when changes are committed that update supported dependency manifests/lockfiles in an enabled repository. You can also run SCA in your CI/CD pipeline (CI jobs are supported on <code>push</code> event triggers).
+By default, scans run when changes are committed that update supported dependency manifests/lockfiles in an enabled repository. You can also run SCA in your CI/CD pipeline (CI jobs are supported on `push` events).
 
 ### Scan with Datadog-hosted scanning
 

From f8b681281aebd727d32197bcac3ac9b8d4af6094 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 12:31:28 +0100
Subject: [PATCH 14/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index bad37d7cb4a..2c28f683abd 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -65,7 +65,7 @@ To assist in prioritizing remediation, Datadog modifies the base CVSS score into
 
 ### View findings by repository
 
-The [repositories explorer][12] provides a repository-centric view of all scan results across Static Code Analysis (SAST), Software Composition Analysis (SCA), Secrets Scanning, and Infrastructure as Code (IaC). Click on a repository to analyze **Library Vulnerabilities** and **Library Catalog** results from SCA scoped to your chosen branch and commit.
+The [Repositories Explorer][12] provides a repository-centric view of all scan results across Static Code Analysis (SAST), Software Composition Analysis (SCA), Secrets Scanning, and Infrastructure as Code (IaC). Click on a repository to analyze **Library Vulnerabilities** and **Library Catalog** results from SCA scoped to your chosen branch and commit.
 * The **Library Vulnerabilities** tab contains the vulnerable library versions found by Datadog SCA
 * The **Library Catalog** tab contains all of the libraries (vulnerable or not) found by Datadog SCA.
 

From 2574669c40ea288ab78f47e0eb5d3aeeb6c0f47c Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 12:32:33 +0100
Subject: [PATCH 15/16] Update
 content/en/security/code_security/software_composition_analysis/_index.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../code_security/software_composition_analysis/_index.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index 2c28f683abd..a9d2054bc54 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -87,7 +87,7 @@ You can configure PR Gates to block on:
 - **Security vulnerabilities**: libraries with known CVEs above a configured severity threshold.
 - **License violations**: libraries using licenses that do not comply with your organization's policy.
 
-PR Gates only fails and blocks a PR if the developer **introduces a new violation as part of that PR**—existing violations already present in the codebase before the PR and its branch were created do not trigger a block. By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. For setup instructions, see [Set up PR Gate Rules][17].
+PR Gates marks a PR check as failed only if the developer **introduces a new violation as part of that PR**—existing violations already present in the codebase before the PR and its branch were created do not cause the check to fail. By default, failed checks are informational and do not block merging, but you can configure them as blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. For setup instructions, see [Set up PR Gate Rules][17].
 
 ### Manage your library inventory
 

From aeee3765ef1d4400de96c7d9d77f35ba2e36cbe0 Mon Sep 17 00:00:00 2001
From: Gorka Vicente <gorka.vicente@datadoghq.com>
Date: Tue, 10 Mar 2026 12:39:18 +0100
Subject: [PATCH 16/16] Update _index.md

---
 .../code_security/software_composition_analysis/_index.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index a9d2054bc54..a0180fa97a4 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -42,7 +42,7 @@ SCA supports two complementary detection modes:
 
 Datadog SCA uses a curated proprietary database. The database is sourced from Open Source Vulnerabilities (OSV), National Vulnerability Database (NVD), GitHub advisories, and other language ecosystem advisories, as well as Datadog's own Security Research team's findings. There is a maximum of 2 hours between when a new vulnerability is published and when it appears in Datadog, with emerging vulnerabilities typically appearing in Datadog within minutes.
 
-When Datadog ingests a new advisory, it is matched against your last known library inventory and appears in the Vulnerabilities Explorer even if you haven’t rescanned the repository. The Repositories Explorer is commit-scoped and reflects what was known at the time the scan ran—so a scan that executed before Datadog ingested the advisory will not show that newly published advisory in the Repositories Explorer for that commit. See [Understanding SCA views](#understanding-sca-views) for more details.
+When Datadog ingests a new advisory, it is matched against your last known library inventory and appears in the Vulnerabilities Explorer even if you have not rescanned the repository. The Repositories Explorer is commit-scoped and reflects what was known at the time the scan ran—so a scan that executed before Datadog ingested the advisory will not show that newly published advisory in the Repositories Explorer for that commit. See [Understanding SCA views](#understanding-sca-views) for more details.
 
 ## Key capabilities