# Support for Dependency Scanning by Language (SCA)
Aikido performs a nightly SCA (Software Composition Analysis) scan of your dependencies for known CVEs and risky open-source licenses.
Below is a table of supported languages and their respective lockfiles. We recommend using lockfiles by default as they increase speed at build time, make your builds more reproducible and they are a first layer of defense against supply-chain attacks. Of course, lockfiles also help Aikido in finding vulnerable packages.
We scan for lockfiles both in the root as in all subfolders.
| Language | Lockfiles scanned |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| JavaScript
TypeScript
| npm-shrinkwrap.json
package-lock.json
yarn.lock
pnpm-lock.yaml
pnpm-lock.yml
bun.lock
deno.lock
libman.json
|
| PHP | composer.lock |
| Java | gradle.lockfile
build.gradle
pom.xml
.jar
.war
.ear
ivy.xml
|
| Swift | Package.resolved
Podfile.lock
|
| Go | go.mod |
| Python | Pipfile.lock
poetry.lock
uv.lock
pdm.lock
requirements.txt
requirements.lock
Conda: requirements.yml
|
| .NET | .csproj
.deps.json
packages.lock.json
packages.config
Packages.props
paket.lock
|
| Ruby | gemfile.lock |
| Rust | cargo.lock
cargo.toml
|
| Kotlin | build.gradle.kts, gradle.lockfile |
| Dart | pubspec.lock |
| Elixir | mix.lock |
| C/C++ | conan.lock
vcpkg.json
Lockfileless C/C++ dependencies (more info)
|
| Scala | build.sbt
plugins.sbt
dependencies.scala
libraries.scala
.sbt.lock
|
| Clojure | deps.edn
project.clj
|
| Unity UPM | packages-lock.json (Aikido only scans and imports UPM packages fetched from NPM) |