Parts 1 and 2 covered the code you write: secrets and static vulnerabilities in app.py. But modern applications are mostly made up of code you didn't write. Every package in requirements.txt is someone else's code running in your app, and if any of those packages has a known vulnerability, your app inherits it. That's what SCA is for.

Code repo: https://github.com/pkkht/devsecops-demo/

What SCA is

SCA stands for Software Composition Analysis. It reads your dependency list, checks each pinned package version against public vulnerability databases, and reports any known CVEs that affect those versions. It doesn't analyse your code; it analyses what your code depends on. Two limits follow from that: it can only report vulnerabilities that have already been published, and it can only match a package it can pin to an exact version, so loosely pinned or unpinned dependencies weaken the result.

This matters because a lot of real-world breaches don't come from custom code at all. They come from a vulnerable library that nobody noticed was outdated.

The tool: pip-audit

pip-audit is maintained by the Python Packaging Authority (PyPA), the same group that maintains pip itself.…
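To make the matching step concrete, here is a small SCA checker added for this post. It is not pip-audit's code and not part of the demo repo: it parses a requirements.txt, normalises package names, and compares each pinned version against an advisory list using the half-open "introduced <= version < fixed" ranges that advisory feeds use. The requirements text, the package names (example-web, example-http, ...) and the advisory entries with their EXAMPLE-000x IDs are all constructed placeholders, not real packages or CVEs. Loosely pinned lines are reported as "unpinned" rather than silently treated as clean.

```python
"""Minimal SCA matcher: pinned requirements vs. an advisory list.

Added illustration of what an SCA tool does internally; not pip-audit's
code. All package names, versions and advisory IDs below are constructed
placeholders for the example.
"""
import re
import sys

# Constructed requirements.txt content (placeholder package names).
REQUIREMENTS = """\
# web framework
example-web==2.0.1
example-http == 2.25.1
example-yaml>=5.1        # loose pin: cannot be matched to one version
example-url==1.26.4 ; python_version >= "3.7"
"""

# Constructed advisory records. A real tool fetches these from a public
# database; the IDs here are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "example-web",
     "introduced": "0", "fixed": "2.1.0"},
    {"id": "EXAMPLE-0002", "package": "example-http",
     "introduced": "2.3.0", "fixed": "2.26.0"},
    {"id": "EXAMPLE-0003", "package": "example-url",
     "introduced": "1.26.0", "fixed": "1.26.4"},  # 1.26.4 is the fix
]

# name, optional operator, optional version; markers/comments stripped first
REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


def normalize_name(name):
    """PEP 503 style normalisation: case-insensitive, '_' and '.' as '-'."""
    return name.lower().replace("_", "-").replace(".", "-")


def parse_version(text):
    """'1.26.4' -> (1, 26, 4, 0): pad to four numeric parts so that
    '2.1' and '2.1.0' compare equal. Non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    parts = (parts + [0, 0, 0, 0])[:4]
    return tuple(parts)


def parse_requirements(text):
    """Yield (normalised name, operator or None, version string)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if m:
            name, op, ver = m.groups()
            yield normalize_name(name), op, ver


def is_affected(version, advisory):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return (parse_version(advisory["introduced"]) <= v
            < parse_version(advisory["fixed"]))


def audit(requirements_text, advisories=ADVISORIES):
    """Return findings; exact pins are matched, anything else is flagged
    as 'unpinned' because it cannot be audited precisely."""
    findings = []
    for name, op, ver in parse_requirements(requirements_text):
        if op != "==" or not ver:
            findings.append({"package": name, "version": ver or "?",
                             "id": None, "status": "unpinned"})
            continue
        for adv in advisories:
            if adv["package"] == name and is_affected(ver, adv):
                findings.append({"package": name, "version": ver,
                                 "id": adv["id"], "status": "vulnerable"})
    return findings


if __name__ == "__main__":
    results = audit(REQUIREMENTS)
    for f in results:
        print(f"{f['status']:10} {f['package']}=={f['version']} {f['id'] or ''}")
    # CI gate: fail the build on any known-vulnerable pin
    sys.exit(1 if any(f["status"] == "vulnerable" for f in results) else 0)
```

Run stand-alone it prints two vulnerable pins and one unpinned package, and exits non-zero, which is the behaviour you want from a pipeline gate. Note that example-url==1.26.4 is reported clean because the fixed version is excluded from the range; getting that boundary wrong in either direction is a common source of false positives and false negatives in home-grown checkers, which is one reason to use pip-audit (for example `pip-audit -r requirements.txt`) rather than this.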