Modern applications are mostly other people's code. Software Composition Analysis reads your manifests and lockfiles — package.json, requirements.txt, go.mod, Cargo.toml, pom.xml — resolves the full transitive dependency tree, and checks each package against vulnerability databases (CVE / GHSA) and license metadata.
SCA answers questions your own source can't: is a transitively pulled library subject to a published CVE, is a dependency pinned to a wildcard that could pull a malicious update, is a package abandoned, does a copyleft license create an obligation your legal team needs to know about. The 2021 Log4Shell incident is the canonical example — the vulnerable code was a dependency three levels deep, invisible to any tool that only read first-party code.
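The two mechanical steps above, resolving the transitive tree and matching each resolved version against an advisory range, as an added example (not code from the original text or from any SCA product). The lockfile contents, package names and advisory ids are constructed placeholders, and versions are compared as numeric tuples rather than strings so that 2.9.0 sorts below 2.14.1.

```python
"""Minimal SCA pass: resolve a transitive dependency tree, then match each
resolved package/version against an advisory list. Every package, version
and advisory id below is constructed for illustration, not a real CVE."""

def parse_version(v):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed lockfile after resolution: package -> (pinned version, direct deps).
LOCK = {
    "webapp":        ("1.0.0",  ["http-client", "logger-facade"]),
    "http-client":   ("3.2.0",  ["url-parse"]),
    "logger-facade": ("1.1.0",  ["log-core"]),
    "log-core":      ("2.14.1", []),
    "url-parse":     ("0.9.3",  []),
}

# Constructed advisories: (package, first affected, first fixed, advisory id).
ADVISORIES = [
    ("log-core",  "2.0.0", "2.15.0", "EXAMPLE-ADV-0001"),
    ("url-parse", "0.0.0", "1.0.0",  "EXAMPLE-ADV-0002"),
]

def resolve(root, lock=LOCK):
    """Walk the graph from root, visiting each package once (so cycles cannot
    loop). Returns package -> (version, depth at which it was first reached)."""
    seen, stack = {}, [(root, 0)]
    while stack:
        name, depth = stack.pop()
        if name in seen:
            continue
        version, deps = lock[name]
        seen[name] = (version, depth)
        stack.extend((d, depth + 1) for d in deps)
    return seen

def find_vulnerable(root, advisories=ADVISORIES):
    """Flag resolved packages whose version satisfies introduced <= v < fixed.
    Returns sorted (package, version, depth, advisory id) tuples; the depth
    shows how far from first-party code the vulnerable library sits."""
    hits = []
    for name, (version, depth) in resolve(root).items():
        v = parse_version(version)
        for pkg, introduced, fixed, adv_id in advisories:
            if pkg == name and parse_version(introduced) <= v < parse_version(fixed):
                hits.append((name, version, depth, adv_id))
    return sorted(hits)

if __name__ == "__main__":
    for name, version, depth, adv_id in find_vulnerable("webapp"):
        print(f"{adv_id}: {name}=={version} at depth {depth}")
```

Both findings are two levels below the root manifest, which is exactly the kind of hit a scanner that only reads first-party code would miss.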
Because the dependency graph changes whenever you update a lockfile, SCA belongs in CI and in a scheduled re-scan: a package that was clean at merge time can have a CVE disclosed against it next week.