Sushi Bytes
Sushi Bytes is an unapologetically AI-generated podcast brought to you by Shinobi, FossID’s vigilant Software Composition Analysis ninja. In each bite-sized episode, Shinobi breaks down the evolving world of software supply chain integrity – from open-source license compliance and vulnerability disclosure to SBOM standards, IP risks, and AI-generated code implications.
With a surge in regulatory scrutiny and AI adoption, the software stack is becoming harder to manage – and riskier to ignore. Sushi Bytes offers sharp, fast insights for engineering leaders, open-source program managers, and legal professionals navigating the intersection of compliance, code, and code generation.
Agentic SCA is the Next Evolution in Software Supply Chain Integrity
AI didn’t just change how you build software, it broke your process for inspecting it for open source license compliance and security vulnerabilities.
In this episode of Sushi Bytes, Shinobi and Gen reconnect with Aaron Branson to unpack FossID’s newly announced Agentic SCA strategy – and why the timing couldn’t be better after our last conversation on SCA in the AI Era.
As code generation accelerates and the sheer volume of code explodes, software risk leaders are facing a new reality: more code, more complexity, and less time to react. Aaron breaks down how Agentic SCA shifts the process from passive scanning to active participation – embedding intelligence, automation, and policy enforcement directly into the development workflow.
If you’re dealing with AI-generated code, SBOM pressure, or stepping up compliance rigor without slowing developers down – this is the conversation you need right now.
SPEAKER_01: Welcome back to Sushi Bytes, the podcast where we break down software risk into bite-sized insights you can actually use. Now, if you listened to our last episode, SCA in the AI Era, you might remember we talked about how AI is completely reshaping how software gets built. Code generation is accelerating. Code volume is going through the roof, too. And naturally, software risk management pressure is scaling right alongside it. Well, funny enough, the timing couldn't be better. Because just after that episode dropped, FossID made a pretty big announcement. They're calling it agentic software composition analysis. And today we're diving into what that actually means. To help us unpack this, we've got a familiar voice back on the show, Aaron Branson, the Chief Growth Officer at FossID. Aaron joined us previously to talk about where SCA is heading in 2026. And now he's back to explain what might be one of the biggest steps in that direction. Aaron, welcome back.
SPEAKER_02: Thanks, Shinobi. Yeah, glad to be back. And yeah, the timing is kind of perfect, isn't it?
SPEAKER_01: Alright, let's level set. In the last episode, we talked about how AI is increasing the volume of code, but also changing the nature of code. More fragments or snippets, more mixed licensing, more unknown provenance. So before we get into agentic SCA, what's broken about software composition analysis in that world?
SPEAKER_02: Yeah, great question. Well, today there are two classes of SCA, software composition analysis. It's important to point that out. The first class assumes software is assembled from clearly defined components. You have complete packages, properly declared dependencies, versioning, everything right there for a scanner to read, compile, and tell you what software components you have, what licenses they use, and what known vulnerabilities they may have. The second does all that, but it also accounts for unmanaged code, meaning dependencies that are not properly declared, embedded languages that don't even use a package manager, and even third-party code that doesn't exist in its entirety, meaning maybe it's been modified, portions of it have been copy-pasted in, or as of late, of course, maybe it's been generated by AI. At the end of the day, it's what we call a code snippet, no matter how large or how small that snippet may be. This class of SCA tool scans the actual code to find any reuse of a third-party library that may be lurking about. Now, that's where we are today with those two classes, and that's all well and good. In fact, that second class is the right foundation to start from, but it's not enough. The difference now is volume and velocity. Code is simply cheaper to create, and it's getting generated faster. And the typical application is getting larger in terms of lines of code. That means more unmanaged code to scan by SCA tools that have snippet detection to maintain this visibility and compliance rigor. But it also means teams are moving faster, and these scans are causing a bottleneck.
SPEAKER_01: So, where does agentic SCA come in?
SPEAKER_02: Agentic SCA is about leveraging AI agents to handle this code volume, velocity, and complexity without slowing down delivery. And it works in several stages of the software development lifecycle. The thing I'm most excited about is built-in compliance at the point of code creation. Yes, SCA should be run at code integration and full audits before code delivery, but what's been lacking is this same capability at code creation, really truly shifting left. You know, agentic SCA inspects the code as it is built. It gives guidance to developers in real time in their environment. It enforces policies on the code automatically, and it adapts to your compliance policies. So it prevents issues and serves kind of like a pair programmer for software engineers who are not licensing or copyright experts, nor should they be expected to be. And then the scan at the pull request is less likely to have issues. So you have faster, cleaner builds. And the pre-release audit really becomes just validation, not uncovering issues that need rework, just exporting the SBOM.
SPEAKER_00: So fewer inspection findings at the point of delivery and more expert guidance while you're building.
SPEAKER_02: Exactly. But not just at delivery. That's pretty rare, but more importantly, I'd say in the CI pipeline, even.
SPEAKER_01: And why now? What's really pushing this shift into motion now?
SPEAKER_02: Because software development is moving at machine speed now, and the pressure is on to keep up. When AI is generating this much code this fast, you don't get the luxury of slowing down to run compliance checks manually anymore. And if these risk controls can't keep up, they're gonna get bypassed. So agentic SCA is really about matching that speed and those expectations, embedding compliance and security directly in the workflow, and also adding intelligence automatically to those later-stage audits.
SPEAKER_01: Makes sense. But let's get concrete. When FossID says agentic SCA, what does that actually include?
SPEAKER_02: At a high level, it's built around a few core ideas. Number one, agents instead of tools. AI agents armed with software composition analysis skills and hooks can take action. They can trigger scans, enforce policies, guide decisions without necessarily waiting for a human to initiate everything. Second, deep snippet intelligence, this understanding of the code at a granular level, not just package-level dependencies. AI-generated code has made this more relevant than ever. And like I said earlier, really shifting left. SCA operates in CI pipelines today, that's great, but now it can effectively live inside developer environments as code is created, not as a separate step. And then also there's turning compliance rules into enforceable automated logic for strong issue prevention. Policy as code is another way to put it. And then lastly, I haven't even unpacked this and we might not have time to do so, but it's not only about the built-in compliance from the start. This change also means faster intelligent audits when scanning an entire code base, with remediation guidance in terms that anyone can understand.
SPEAKER_00: Okay. So help me picture this. If I'm a software risk leader, what actually changes for me?
SPEAKER_02: Great question, Gen. You'll definitely notice the difference. So, first you move from reactive to proactive. And what does that exactly mean? Well, it means that instead of finding out you have legal or security issues after the code is written, you're now avoiding them by arming your coding tools with the SCA know-how that they've been lacking. Put another way, instead of breaking a build at code merge or chasing issues after the release, you're preventing them during development. And second, you get better alignment across your teams. Think about legal, engineering, and security working together to define and work from the same compliance rules, and then having policy enforced automatically. And third, I would say you also get scalability, because the system can handle the increasing code volume and complexity that we're getting without requiring more manual oversight by overworked software compliance experts.
SPEAKER_01: And we can't ignore regulation here. SBOM requirements, supply chain transparency, AI governance. How does agentic SCA help there?
SPEAKER_02: It makes compliance much more realistic, Shinobi. Instead of scrambling to generate reports after the fact, you're continuously building a compliance system. You know, SBOMs then become a byproduct of the process, not a last-minute separate deliverable, let alone one that has bad news in it, like copyleft licenses or unmanaged vulnerabilities that should have been handled sooner.
SPEAKER_00: All right, I get it. I'm a little biased, but I have to ask, why can't an LLM do this job without SCA?
SPEAKER_02: That's a fair question. So here's how we see it. LLMs, you know, they can't reliably process entire application code bases due to context window constraints. This leads to incomplete analysis and missed risk. SCA tools are scanning an application's half a million lines of code against a knowledge base of over 200 million known open source projects. So there are just context limitations that hinder the LLM in this situation. And secondly, think about the inefficient use of LLMs for code identification. You know, identifying open source code licenses and vulnerabilities is not a language problem per se. Using LLM tokens and reasoning for exact matching is computationally expensive and inefficient compared to how SCA knowledge bases, matching algorithms, and scoring methods are designed for this task. Also, LLMs don't always produce the same answer given the same input, you may have noticed. This makes them unreliable for compliance data that requires consistent, auditable, and repeatable results. And the last thing I would say is you've got to remember LLMs are trained on broad, unstructured data, and they don't rely on a continuously curated knowledge base of these components, licenses, and vulnerabilities, not to mention the training data lag time of what the LLM is even aware of when it comes to the latest intel. Without that specialized curation, scan results can be incomplete, outdated, or flat out incorrect. Basically, think of it like a classic garbage in, garbage out problem for compliance and risk assessment. But of course, there are so many things LLMs do so well. And that's why this combination is exciting. Agentic SCA kind of gives us the best of both worlds. It combines LLM reasoning with high-precision software composition analysis so that we get accurate, explainable, and reliable outcomes. It's also built for scale.

You get SCA's high-performance code identification that's meant to handle large code bases efficiently, while AI, the LLMs, focus on interpretation, guidance, and decision making. You also get audit-ready results with this combination. Agentic SCA delivers consistent, repeatable, evidence-based outputs that are required for compliance, legal reviews, and especially these regulatory frameworks like GDPR that are coming into focus. And then lastly, real-time in-workflow compliance. And that's the thing I'm excited about: LLMs enable these AI agents to automatically analyze and act on risk as code is written, not after the fact. So basically, SCA and LLMs are a perfect team.
SPEAKER_00: Okay, that makes sense. And that actually ties really nicely back to our last episode. We said SCA needs to evolve to match AI-driven development. And it sounds like agentic SCA is FossID's answer to that.
SPEAKER_02: Exactly. You know, that conversation was the diagnosis, and this is the treatment.
SPEAKER_01: All right, let's wrap it up. If listeners take one thing away from this, what should it be?
SPEAKER_02: One thing? I'd say maybe I'd button it up as: AI has changed everything, you know, speed, complexity, risk, everything. And it's up to solutions like FossID to figure it out, to help teams meet these expectations so they can safely move at the speed of AI.
SPEAKER_00: The alternative seems to be to either slow down development or lose visibility and control.
SPEAKER_01: Neither would be a fun choice to make. Well, Aaron, thanks again for joining us.
SPEAKER_02: Anytime.
SPEAKER_01: And to everyone listening, if you enjoyed this episode, make sure to subscribe, share it with your team, and stay tuned for more Sushi Bytes. Until next time, stay sharp.