Black Duck SCA Reviews

Name: Black Duck SCA
Brand: Black Duck
Rating: 3.8 (22 reviews)

3.8 out of 5

22 reviews
85% willing to recommend

What is Black Duck SCA?

Black Duck is an essential tool for software composition analysis and license compliance. It identifies vulnerabilities effectively and supports security management in DevOps environments, offering integration, performance stability, and community support.

Get the Black Duck SCA Buyer's Guide and find out what your peers are saying about Black Duck SCA, GitLab, Snyk and more!

Black Duck SCA is the #1 ranked solution in top Software Composition Analysis (SCA) solutions. PeerSpot users give Black Duck SCA an average rating of 7.6 out of 10. Black Duck SCA is most commonly compared to GitLab: Black Duck SCA vs GitLab. Black Duck SCA is popular among the large enterprise segment, accounting for 70% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 18% of all views.

Helped 867,370 peers since 2012

Featured Black Duck SCA reviews

Aaron P

DevOps Engineer at a manufacturing company with 1,001-5,000 employees

The only thing I don't like about the product is that it is quite expensive and it is not very feasible as an open-source platform. One of the other things that I hate about the product stems from my dislike of contacting the support team of Black Duck to know if there are some issues since debugging some issues can be quite difficult. I don't find reliable or feasible documents to help me debug all those issues. The solution's pricing model and documentation areas of concern where improvement is needed. In our company, we get some issues or errors when we run a pipeline, and debugging those errors can be tedious and time-consuming. To minimize the time for debugging errors, I feel that Black Duck needs to add some documentation or something that will make it easy for users to debug the errors instead of seeking help from Black Duck's support team every time. Black Duck can add features, like viewing the vulnerability, to help users figure out the next step if they detect some vulnerability while also providing them some steps to help them follow some remedial steps, along with an explanation of measures to mitigate such issues. Black Duck's UI or server doesn't provide functionality to help users view the vulnerability, which is a process that needs to be automated. The solution's scalability is an area that needs to improve.

Read full review

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

The product enables other applications to be secure. We use it to onboard 400 to 500 applications into the DevOps platform, protect them, and have a secure environment. The tool integrates well with different technologies, application stacks, and databases. The APIs are available. We can read the blogs in the community for open-source compliance and security. The community feeds are important. Black Duck is a leader in Gartner. It is a reliable solution.

Read full review

Sagar Mody

Solutions Architect at a tech services company with 10,001+ employees

It's still a bit inconsistent. For example, sometimes a scan might reveal components or vulnerabilities, and the next day they might not show up. There's a lack of consistency at times. Of course, this could sometimes be due to new vulnerabilities being identified in the public domain after a scan. So, consistent inputs and more streamlined dependency management are needed. It doesn’t clearly show whether vulnerabilities are from direct or transitive dependencies. A clear classification between direct and indirect vulnerabilities is crucial. If I'm looking to improve my product, I need to know out of 'x' vulnerabilities, how many are direct dependencies. With direct dependencies, I can take action, like replacing a component. But with transitive dependencies, we are helpless at times. Often, we have to raise exceptions and work around them. A clear classification between direct and indirect dependencies is something I'd like to see improved.

Read full review

Black Duck SCA mindshare

As of September 2025, the mindshare of Black Duck SCA in the Software Composition Analysis (SCA) category stands at 16.7%, down from 22.4% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA) Market Share Distribution
Product	Market Share (%)
Black Duck	16.7%
Snyk	13.1%
JFrog Xray	10.1%
Other	60.1%

Software Composition Analysis (SCA)

PeerResearch reports based on Black Duck SCA reviews

Type	Title	Date
Category	Software Composition Analysis (SCA)	Sep 15, 2025	Download
Product	Reviews, tips, and advice from real users	Sep 15, 2025	Download
Comparison	Black Duck SCA vs Snyk	Sep 15, 2025	Download
Comparison	Black Duck SCA vs Veracode	Sep 15, 2025	Download
Comparison	Black Duck SCA vs Sonatype Lifecycle	Sep 15, 2025	Download

Title	Rating	Mindshare	Recommending
GitLab	4.2	4.3%	97%	86 interviews Add to research
Snyk	4.0	13.1%	100%	48 interviews Add to research

Valuable Features

Black Duck SCA's automatic component analysis, vulnerability scanning, and comprehensive knowledge base are highly valued. Seamless Docker integration identifies vulnerabilities promptly, while effective binary scanning aids thorough detection. The interface and policy management simplify use across teams. Importantly, its component management and dependency visualization enhance security. Robust license compliance and open-source analysis contribute to its industry recognition for reliability and effectiveness.

"Black Duck's ability to identify dependencies very accurately has been most valuable in identifying and mitigating risks."
"The most valuable feature of Black Duck is the composition analysis feature, which is effective for security risk management."
"The automated code scanning feature and Black Duck's integration with our development tools have enhanced our software compliance process and overall audit readiness."

Room for Improvement

Black Duck SCA users highlight the need for enhanced integration with tools like IntelliJ IDEA, faster scanning, and simplified setup. Fragmented documentation, complex configuration, and high pricing are recurring concerns. Enhanced UI flexibility and additional features such as improved reporting, vulnerability visibility, and APIs are desired. Users also seek improvements in false positives management, container scanning, and dependency classification. There's a call for on-prem options and better integration with Coverity for comprehensive analysis.

"The initial setup of Black Duck is complex. It's not very straightforward. You need a lot of support and hand-holding from the Black Duck team itself for it to be deployed successfully across the organization."
"Black Duck does not have the SBOM management part. I would like to see this feature added in the future."
"There are areas for improvement such as false positives and the scanning of containers."

ROI

Users report that Black Duck significantly improves their software management by identifying vulnerabilities early, ultimately leading to cost savings. They highlight its effectiveness in ensuring license compliance, which prevents potential legal costs and issues. Black Duck also offers a quick integration with existing workflows, further boosting productivity. Its comprehensive reporting capabilities facilitate better decision-making and risk management. Its robust security features and user-friendly interface contribute to increased efficiency and reduced operational risks.

Pricing

Black Duck SCA pricing varies by user count or code size, ranging from $10,000 to $70,000. Unlimited users are allowed for specific code sizes. Buyers should know their code size for better price negotiation. Licensing fees include free academy access, integrations, and plug-ins. The product is generally considered expensive, with several payment options available. Small organizations might find alternatives like WhiteSource more cost-effective due to Black Duck's emphasis on licensing compliance. Pricing feedback is mixed, with most finding it pricey.

"The price charged by Black Duck is exorbitant."
"The pricing is a little high."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."

Popular Use Cases

Black Duck SCA is primarily used for software composition analysis, focusing on compliance, vulnerability assessment, and open-source software management. It assists in license compliance and risk assessment during audits and is integrated into DevSecOps pipelines. Users employ it for detecting non-compliance in third-party applications, checking code for vulnerabilities, and discovering commercial and open-source licenses. Its robustness and accuracy in analyzing source code and dependencies make it a preferred choice for comprehensive security management.

Service and Support

Technical support for Black Duck SCA receives mixed feedback. Response times vary, with some experiencing delays and others praising quick responses. Users appreciate the system's unique features but note challenges like mismatched workweeks and complex support processes. Various users find support fine, helpful, or good, while others mention occasional professional guidance. They highlight a need for improvement, especially in complex technical issues, response times, and prioritization logic. Some users recommend a more streamlined communication process.

Deployment

Experiences with Black Duck SCA's initial setup vary. Some find it straightforward with Docker and cloud options, especially using Azure or Google Cloud. Others find it complex and tedious, requiring support, especially for on-premises installations. Documentation can be lacking, requiring custom guides. Initial setup complexity often depends on company infrastructure and expertise. Some users benefit from SaaS models managed by Synopsys. Deployment times range from minutes to weeks, with some needing team support and training.

Scalability

Black Duck SCA exhibits high scalability across diverse environments, including cloud setups and CI/CD pipelines. Various teams utilize the platform concurrently, with scalability often rated between 7 and 9. While it handles enterprise requirements well, the licensing and resource allocation might restrict scalability. Some teams adapt by expanding resources to accommodate user growth. Pricing policies could pose challenges for temporary scalability needs.

Stability

Black Duck SCA is stable, reliable, and doesn't crash or freeze. Issues with response delays on some browsers are noted, which is expected for many applications. Users frequently praise its robust nature, devoid of bugs or glitches, ranking its stability between 7 and 10 out of 10. Moving to the Hub from another tool may present some bugs. Routine maintenance is necessary, but users consistently find it dependable without major issues.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Black Duck SCA Buyer's Guide for additional reliable information.

Review data by company size

By reviewers
Company Size	Count
Small Business	6
Large Enterprise	13

By reviewers

By visitors reading reviews
Company Size	Count
Small Business	442
Midsize Enterprise	264
Large Enterprise	1638

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

18%

Manufacturing Company

15%

Computer Software Company

13%

Insurance Company

Healthcare Company

Retailer

Educational Organization

University

Real Estate/Law Firm

Comms Service Provider

Energy/Utilities Company

Government

Media Company

Construction Company

Consumer Goods Company

Transportation Company

Non Profit

Performing Arts

Outsourcing Company

Legal Firm

Recreational Facilities/Services Company

Hospitality Company

Marketing Services Firm

Wholesaler/Distributor

Logistics Company

Pharma/Biotech Company

Aerospace/Defense Firm

Security Firm

Compare Black Duck SCA with alternative products

Learn more about Black Duck SCA

Organizations rely on Black Duck for seamless integration in CI/CD pipelines, thorough scanning of source and binary codes, and management of operational risks associated with open-source and commercial licenses. It plays a crucial role in security risk management and delivers a robust policy management framework. Users value its ease of use and reliable community support while benefiting from its comprehensive dependency visualization capabilities. Despite its strengths, there is room for enhancement in integration with other tools, UI friendliness, and reporting features.

What are Black Duck's key features?

Automated Component Analysis: Offers detailed insights into open-source components.
Vulnerability Scanning: Identifies and addresses potential security issues.
Knowledge Base: Extensive database for informed decision-making.
Policy Management: Comprehensive control over security policies.
Integration: Seamlessly fits into existing DevOps workflows.

What should users look for in ROI?

Security Assurance: Mitigates risks associated with open-source software.
Efficiency: Reduces time spent on manual auditing tasks.
License Compliance: Ensures compliance with open-source licenses.
Risk Management: Enhances operational risk management in software development.

Enterprise environments use Black Duck extensively for security, compliance, and risk management, ensuring software meets regulatory standards and mitigates vulnerabilities. Its implementation in specific industries aids in controlled and secure software development processes, underlining its role in maintaining rigorous security standards while delivering dependable performance.

Black Duck SCA was previously known as Blackduck Hub, Black Duck Protex, Black Duck Security Checker.

Black Duck SCA customers

Samsung, Siemens, ScienceLogic, BryterCX, Dynatrace

Product Categories

Software Composition Analysis (SCA)

Popular Comparisons

GitLab vs Black Duck SCA

Snyk vs Black Duck SCA

Veracode vs Black Duck SCA

Mend.io vs Black Duck SCA

JFrog Xray vs Black Duck SCA

Sonatype Lifecycle vs Black Duck SCA

Semgrep vs Black Duck SCA

Polaris Platform vs Black Duck SCA

ReversingLabs vs Black Duck SCA

FOSSA vs Black Duck SCA

Apiiro vs Black Duck SCA

CAST Highlight vs Black Duck SCA

Cycode vs Black Duck SCA

Checkmarx Software Composition Analysis vs Black Duck SCA

Sonatype Repository Firewall vs Black Duck SCA

See all alternatives

Black Duck SCA Reviews Summary
Author info	Rating	Review Summary
IP Head at a tech services company with 10,001+ employees	3.5	I find Black Duck to be robust and accurate, particularly in identifying dependencies and licenses, but it needs improvement in security vulnerability identification. It's pricier and complex to set up, impacting direct ROI assessment in some cases.
Director at a healthcare company with 10,001+ employees	3.0	I recommend Black Duck for its ability to identify software components and manage security, operational, and license risks effectively. While it excels in risk management, improvements are needed in addressing false positives, reporting, and container scanning.
Director at a healthcare company with 10,001+ employees	4.0	I use Black Duck primarily for software composition analysis. Its composition analysis and automated code scanning features are valuable for managing security risks and audit readiness. However, the absence of SBOM management is a notable drawback for me.
DevOps Engineer at a manufacturing company with 1,001-5,000 employees	3.5	As a DevOps engineer, I integrate Black Duck in our CI/CD pipeline for product vulnerability scans. The UI is valuable for easy integration, but improvements are needed in pricing, documentation, and scalability. Debugging can be challenging without adequate documentation.
Senior Manager at Happiest Minds Technologies	3.5	We use Black Duck for open-source security management in DevOps and DevSecOps, appreciating its integration capabilities and community resources. It effectively secures 400 to 500 applications, although more open APIs would enhance its functionality further.
Solutions Architect at a tech services company with 10,001+ employees	4.0	I use Synopsys Black Duck for security-focused project scans, identifying vulnerabilities through source code and binary analysis. It provides precise fixes and dependency insights, but sometimes lacks consistency, particularly in differentiating between direct and transitive vulnerabilities.
Project Manager at a manufacturing company with 11-50 employees	4.5	I use Black Duck to detect vulnerabilities in open-source software, valuing its effective binary file scanning. However, its reporting capabilities need improvement for clarity and comprehensiveness. Compared to competitors, it's superior in deployment, scalability, and its comprehensive vulnerability database.
Senior Quality Manager at a financial services firm with 11-50 employees	4.0	I use Black Duck to check open source software in our products. It efficiently scans for license compliance but can be cumbersome due to hold times and sometimes gives ambiguous results. I don't have experience with other solutions.

Black Duck SCA Reviews

What is Black Duck SCA?

Featured Black Duck SCA reviews

Black Duck SCA mindshare

PeerResearch reports based on Black Duck SCA reviews

Valuable Features

Room for Improvement

ROI

Pricing

Popular Use Cases

Service and Support

Deployment

Scalability

Stability

Review data by company size

Top industries

Compare Black Duck SCA with alternative products

Learn more about Black Duck SCA

Black Duck SCA customers

Related questions

Product Categories

Popular Comparisons