Software Risk Manager

Category: ASPM
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 21, 2026
3 min read
Key Takeaways
  • Black Duck's ASPM platform (formerly Code Dx). It correlates findings from 150+ security tools so the same issue reported by SAST, DAST, IAST and SCA scanners produces one finding and one Jira ticket instead of several.
  • The correlation engine matches findings that different tools describe differently, e.g. 'SQL Injection' from one tool and 'Database Query Issue' from another linked to the same root cause by file, line and vulnerability characteristics.
  • Maps findings to 20+ compliance standards (HIPAA, NIST 800-53, PCI DSS, OWASP Top 10, SOC 2) and generates compliance evidence from existing scan data.
  • Deploys via Kubernetes (Helm), Docker Compose or on-premise, with air-gapped support. Black Duck reports 4,000+ customer organizations, including NASA, DHS and FINRA.

Software Risk Manager (SRM) is Black Duck’s ASPM platform that correlates findings from 150+ security tools. Formerly Code Dx, it normalizes results across SAST, DAST, IAST, SCA, and manual pentesting into a single view where the same issue found by multiple scanners appears once, backed by multiple sources.


Originally developed as Code Dx, the technology was acquired by Synopsys in 2021 and became part of Black Duck following Synopsys’ divestiture of its Software Integrity Group in 2024. Over 4,000 organizations use Black Duck products. Notable customers include Broad Institute, NASA, DHS, Trend Micro, Honeywell, and FINRA.

What is Software Risk Manager?

SRM solves a specific problem: you run multiple security scanners, and they produce overlapping, inconsistent results. SRM ingests all of it, normalizes the findings into a common taxonomy, correlates duplicates, and gives you one prioritized list.

150+ tool integrations
Ingests results from SAST, DAST, IAST, SCA, secrets, container, and infrastructure scanners. Native integration with Black Duck SCA and Coverity, plus 150+ third-party tools.
Finding correlation
A SQL injection found by Checkmarx and the same issue found by Fortify appear as one finding with two sources. Multiple sources increase confidence; fewer tickets reduce developer fatigue.
20+ compliance mappings
Maps findings to HIPAA, NIST, PCI DSS, OWASP Top 10, CWE/SANS Top 25, and more. Generates compliance evidence from existing scan data automatically.

Key features

Multi-tool aggregation

SRM integrates with 150+ security tools:

Category         Tools
SAST             Checkmarx, Fortify, Coverity, SonarQube, Veracode
DAST             Burp Suite, OWASP ZAP, Acunetix
SCA              Black Duck, Snyk, Dependency-Check
Secrets          GitLeaks, TruffleHog
Containers       Trivy, container analysis tools
Infrastructure   Network scanning, cloud security tools

Vulnerability correlation

The correlation engine matches findings across tools:

Tool A: SQL Injection in login.php:42
Tool B: SQL Injection in login.php:42
Tool C: Database Query Issue in login.php

SRM → Single finding with 3 supporting sources

More sources mean higher confidence. It also eliminates duplicate Jira tickets, a problem that wastes developer time at any organization running multiple scanners.


Correlation vs. deduplication
Simple deduplication removes exact duplicates. SRM’s correlation goes further by matching findings that different tools describe differently. A “SQL Injection” from one tool and a “Database Query Issue” from another can be linked to the same root cause based on file, line, and vulnerability characteristics.

Risk-based prioritization

SRM prioritizes vulnerabilities based on multiple factors:

Factor                        How it affects priority
Severity and exploitability   CVSS scores combined with known exploit availability
Business context              Asset criticality and data sensitivity of affected applications
Corroboration                 More tools confirming the same issue means higher confidence
Remediation history           Past fix patterns inform expected resolution timelines
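The correlation and scoring behaviour described in the two sections above, sketched as an added Python example. This is not SRM's engine or its API: the CWE taxonomy map, the Finding and Correlated record layouts, the scoring weights and the sample findings are all assumptions constructed for the illustration. It also shows the caveat a practitioner runs into, a file-only finding in a file that already holds two distinct findings of the same weakness, which cannot be attached to either line safely.

```python
"""Correlate overlapping scanner findings, then rank the merged result.

Added example, not Software Risk Manager code. Tool-specific labels are
normalized to a shared taxonomy (CWE), findings for the same weakness at the
same location merge into one finding with several sources, and each merged
finding gets a priority from severity, exploit availability, asset criticality
and corroboration. Taxonomy map, weights and sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed map from vendor-specific finding names to a common taxonomy.
TAXONOMY = {
    "sql injection": "CWE-89",
    "sqli": "CWE-89",
    "database query issue": "CWE-89",
    "cross-site scripting": "CWE-79",
    "reflected xss": "CWE-79",
}
SEVERITY_RANK = {"low": 2.0, "medium": 5.0, "high": 7.5, "critical": 10.0}


@dataclass
class Finding:
    tool: str
    name: str          # the tool's own label for the weakness
    file: str
    line: int | None   # None when the tool reports only the file
    severity: str      # low / medium / high / critical


@dataclass
class Correlated:
    cwe: str
    file: str
    line: int | None
    severity: str = "low"
    sources: list[str] = field(default_factory=list)

    def absorb(self, f: Finding) -> None:
        self.sources.append(f.tool)
        # keep the most severe rating any contributing tool assigned
        self.severity = max(self.severity, f.severity, key=SEVERITY_RANK.__getitem__)


def to_cwe(name: str) -> str:
    return TAXONOMY.get(name.strip().lower(), "CWE-UNMAPPED")


def correlate(findings: list[Finding]) -> list[Correlated]:
    """Merge by (weakness, file, line). Line-level findings group first; a
    file-only finding joins a group when exactly one group in that file shares
    its weakness, otherwise (none, or several and ambiguous) it stays a separate
    file-level finding instead of being guessed onto the wrong line."""
    groups: dict[tuple, Correlated] = {}
    for f in (x for x in findings if x.line is not None):
        key = (to_cwe(f.name), f.file, f.line)
        groups.setdefault(key, Correlated(*key)).absorb(f)
    for f in (x for x in findings if x.line is None):
        cwe = to_cwe(f.name)
        matches = [g for g in groups.values()
                   if g.cwe == cwe and g.file == f.file and g.line is not None]
        if len(matches) == 1:
            matches[0].absorb(f)
        else:
            groups.setdefault((cwe, f.file, None), Correlated(cwe, f.file, None)).absorb(f)
    return list(groups.values())


def priority(g: Correlated, asset_criticality: float, exploit_public: bool) -> float:
    """Assumed scoring: severity base, +2 for a public exploit, scaled by asset
    criticality (0.5 internal tooling .. 1.5 crown-jewel app), plus 0.5 per
    additional corroborating tool, capped at 2."""
    score = SEVERITY_RANK[g.severity] + (2.0 if exploit_public else 0.0)
    score *= asset_criticality
    score += min(0.5 * (len(g.sources) - 1), 2.0)
    return round(score, 2)


# Constructed sample: three tools report the login.php SQLi (one without a line),
# one XSS, two distinct SQLi in report.php plus an ambiguous file-only report.
SAMPLE = [
    Finding("Checkmarx", "SQL Injection", "login.php", 42, "high"),
    Finding("Fortify", "SQL Injection", "login.php", 42, "critical"),
    Finding("ToolC", "Database Query Issue", "login.php", None, "medium"),
    Finding("ZAP", "Reflected XSS", "search.php", 17, "medium"),
    Finding("Checkmarx", "SQL Injection", "report.php", 9, "high"),
    Finding("Fortify", "SQL Injection", "report.php", 88, "high"),
    Finding("ToolC", "Database Query Issue", "report.php", None, "medium"),
]


def ranked(findings: list[Finding], asset_criticality: float = 1.0) -> list[tuple[float, Correlated]]:
    """Correlate, score (assuming public exploit tooling exists for CWE-89) and sort."""
    out = [(priority(g, asset_criticality, g.cwe == "CWE-89"), g) for g in correlate(findings)]
    return sorted(out, key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    for score, g in ranked(SAMPLE, asset_criticality=1.5):
        loc = f"{g.file}:{g.line}" if g.line is not None else g.file
        print(f"{score:5.2f}  {g.cwe:<8} {loc:<14} {g.severity:<8} sources={g.sources}")
```

Running it, the login.php finding comes out once with three sources and the highest score, while the file-only report.php finding is kept apart because two different SQL injection sites exist in that file. Real engines also weigh sink type, data flow and parameter names when deciding whether two findings share a root cause; file and line alone are the minimum signal.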

SBOM generation

Generate Software Bills of Materials in standard formats:

Format      Use case
CycloneDX   Security-focused SBOM with vulnerability data
SPDX        License compliance and component inventory
Custom      Organization-specific reporting formats

Policy-driven quality gates

Define security policies that block releases when criteria aren’t met. Policies can check for critical vulnerabilities, compliance gaps, or missing scan coverage before code ships.
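A release gate of the kind described above, as an added Python example rather than SRM's own policy engine. The policy fields, the finding record layout (severity, status, age, mapped compliance controls), the scan-category names and the sample data are constructed assumptions; the point is that all three checks the text lists are evaluated, including the one teams most often forget, a required scanner that produced no results at all.

```python
"""Policy gate: decide whether a build may ship, given its correlated findings.

Added example, not SRM's policy engine. It evaluates the three criteria the
page lists (critical vulnerabilities, compliance gaps, missing scan coverage)
against a finding set. Policy fields, record layout and sample data are
constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    max_open_critical: int = 0                 # any open critical blocks the release
    max_high_age_days: int = 30                # open highs may not linger beyond this
    required_coverage: frozenset[str] = frozenset({"SAST", "SCA"})  # scan categories that must be present
    required_controls: frozenset[str] = frozenset()  # controls that must have no open findings


def _open(findings: list[dict]) -> list[dict]:
    return [f for f in findings if f["status"] == "open"]


def check_severity(policy: Policy, findings: list[dict]) -> list[str]:
    opens = _open(findings)
    out: list[str] = []
    crit = [f["id"] for f in opens if f["severity"] == "critical"]
    if len(crit) > policy.max_open_critical:
        out.append(f"{len(crit)} open critical finding(s), limit {policy.max_open_critical}: {', '.join(crit)}")
    stale = [f["id"] for f in opens
             if f["severity"] == "high" and f["age_days"] > policy.max_high_age_days]
    if stale:
        out.append(f"high finding(s) open longer than {policy.max_high_age_days} days: {', '.join(stale)}")
    return out


def check_compliance(policy: Policy, findings: list[dict]) -> list[str]:
    """A required control with any open finding mapped to it is a compliance gap."""
    gaps: dict[str, list[str]] = {}
    for f in _open(findings):
        for control in f["controls"]:
            if control in policy.required_controls:
                gaps.setdefault(control, []).append(f["id"])
    return [f"compliance gap, {c}: open finding(s) {', '.join(ids)}" for c, ids in sorted(gaps.items())]


def check_coverage(policy: Policy, scans_run: set[str]) -> list[str]:
    """A clean report from a scanner that never ran is not evidence; flag the gap."""
    return [f"no {cat} results in this analysis" for cat in sorted(policy.required_coverage - set(scans_run))]


def evaluate(policy: Policy, findings: list[dict], scans_run: set[str]) -> tuple[bool, list[str]]:
    violations = (check_severity(policy, findings)
                  + check_compliance(policy, findings)
                  + check_coverage(policy, scans_run))
    return (not violations, violations)


# Constructed sample data.
POLICY = Policy(required_controls=frozenset({"PCI DSS 6.2.4"}))
FAILING_FINDINGS = [
    {"id": "F1", "severity": "critical", "status": "open", "age_days": 2, "controls": ["PCI DSS 6.2.4"]},
    {"id": "F2", "severity": "high", "status": "open", "age_days": 45, "controls": []},
    {"id": "F3", "severity": "critical", "status": "fixed", "age_days": 60, "controls": ["PCI DSS 6.2.4"]},
    {"id": "F4", "severity": "medium", "status": "open", "age_days": 5, "controls": ["HIPAA 164.312(a)"]},
]
FAILING_SCANS = {"SAST", "DAST"}            # SCA never ran in this analysis
PASSING_FINDINGS = [
    {"id": "F3", "severity": "critical", "status": "fixed", "age_days": 60, "controls": ["PCI DSS 6.2.4"]},
    {"id": "F4", "severity": "medium", "status": "open", "age_days": 5, "controls": ["HIPAA 164.312(a)"]},
]
PASSING_SCANS = {"SAST", "SCA", "DAST"}


if __name__ == "__main__":
    import sys
    ok, why = evaluate(POLICY, FAILING_FINDINGS, FAILING_SCANS)
    print("release", "allowed" if ok else "blocked")
    for line in why:
        print("  -", line)
    sys.exit(0 if ok else 1)   # a non-zero exit fails the CI stage
```

The failing sample trips all four rules (an open critical, a stale high, a PCI DSS gap and no SCA results); the passing sample has the critical marked fixed and a medium mapped only to a control the policy does not require, so it ships. Wiring the non-zero exit into the pipeline stage is what turns the policy into an actual gate rather than a report.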


Integrations


CI/CD and DevOps: GitHub, GitLab, Bitbucket, Jenkins, Azure DevOps
Security tools: Checkmarx, Black Duck SCA, Coverity, Snyk, SonarQube, Burp Suite
Ticketing: Jira, ServiceNow

Getting started

1
Deploy SRM — Choose Kubernetes (Helm charts), Docker Compose, or on-premise installation. Air-gapped deployment is supported for restricted networks.
2
Connect your scanners — Import results from your existing SAST, DAST, SCA, and other security tools. SRM normalizes all findings into a common taxonomy.
3
Define policies — Set quality gates that block releases when security criteria aren’t met. Map findings to compliance standards for automated evidence generation.
4
Integrate with CI/CD — Push scan results from Jenkins, GitHub Actions, or GitLab CI. SRM correlates findings and creates deduplicated Jira tickets for developers.

Jenkins integration

pipeline {
  agent any
  stages {
    stage('Security Scan') {
      steps {
        // Publish scanner output to SRM with the Code Dx Jenkins plugin.
        // The API key comes from a Jenkins credential, never from the Jenkinsfile.
        step([$class: 'CodeDxPublisher',
            url: 'https://srm.example.com/codedx',
            keyCredentialId: 'srm-api-key',        // secret-text credential holding the SRM API key
            projectId: '1',                        // SRM project that receives the analysis
            toolOutputFiles: 'scan-results/*.xml', // scanner result files to upload for correlation
            sourceAndBinaryFiles: 'src/**'         // application source, so findings map back to code
        ])
      }
    }
  }
}

When to use Software Risk Manager

SRM makes sense for organizations already in the Black Duck ecosystem (Coverity, Black Duck SCA) that want a unified view of findings across all their security tools. The correlation engine’s ability to match findings across different scanners is where it adds the most value — if you’re running 5+ scanning tools and getting duplicate tickets in Jira, SRM fixes that.

Best for
Organizations running multiple security scanners (especially Black Duck and Coverity) that need finding correlation, duplicate elimination, and compliance mapping across 20+ standards.

For organizations without existing Black Duck investments, ArmorCode offers broader integration (320+ tools) with AI correlation. For open-source aggregation, DefectDojo covers 200+ tools at no cost.

Note: Formerly Code Dx. Synopsys acquired Code Dx in 2021, then divested its security business to Black Duck in 2024.

Frequently Asked Questions

What is Software Risk Manager?
Software Risk Manager (SRM) is Black Duck’s ASPM platform that correlates vulnerability findings from 150+ security tools. Formerly Code Dx, it was acquired by Synopsys in 2021 and became part of Black Duck following the 2024 divestiture. It normalizes results across SAST, DAST, IAST, SCA, and manual pentesting.
How does SRM correlate findings?
SRM normalizes results from different scanners so the same issue found by multiple tools appears as one finding with multiple sources. For example, a SQL injection found by both Checkmarx and Fortify shows as a single finding backed by two sources, increasing confidence and reducing noise.
What compliance standards does SRM support?
SRM maps findings to 20+ compliance standards including HIPAA, NIST 800-53, PCI DSS, OWASP Top 10, CWE/SANS Top 25, and SOC 2. This mapping generates compliance evidence from existing security scan data.
Does SRM integrate with Black Duck SCA?
Yes. SRM has native integration with Black Duck SCA (formerly Black Duck Hub) and Coverity SAST. It also integrates with 150+ third-party tools from other vendors, so organizations aren’t locked into the Black Duck ecosystem.
How do I deploy Software Risk Manager?
SRM supports Kubernetes deployment via Helm charts (srm-k8s), Docker Compose for standalone installations, and traditional on-premise server deployment. It can run air-gapped for organizations with strict network isolation requirements.