Software Risk Manager (SRM) is Black Duck’s ASPM platform that correlates findings from 150+ security tools. Formerly Code Dx, it normalizes results across SAST, DAST, IAST, SCA, and manual pentesting into a single view where the same issue found by multiple scanners appears once, backed by multiple sources.

Originally developed as Code Dx, the technology was acquired by Synopsys in 2021 and became part of Black Duck following Synopsys’ divestiture of its Software Integrity Group in 2024. Over 4,000 organizations use Black Duck products.
Notable customers include Broad Institute, NASA, DHS, Trend Micro, Honeywell, and FINRA.
What is Software Risk Manager?
SRM solves a specific problem: you run multiple security scanners, and they produce overlapping, inconsistent results. SRM ingests all of it, normalizes the findings into a common taxonomy, correlates duplicates, and gives you one prioritized list.
What are Software Risk Manager’s key features?
Multi-tool aggregation
SRM integrates with 150+ security tools:
| Category | Tools |
|---|---|
| SAST | Checkmarx, Fortify, Coverity, SonarQube, Veracode |
| DAST | Burp Suite, OWASP ZAP, Acunetix |
| SCA | Black Duck, Snyk, Dependency-Check |
| Secrets | GitLeaks, TruffleHog |
| Containers | Trivy, container analysis tools |
| Infrastructure | Network scanning, cloud security tools |
Vulnerability correlation
The correlation engine matches findings across tools. A constructed illustration of how three overlapping reports collapse into one finding:

```text
Tool A: SQL Injection in login.php:42
Tool B: SQL Injection in login.php:42
Tool C: Database Query Issue in login.php
SRM -> Single finding with 3 supporting sources
```

More sources mean higher confidence. Correlation also eliminates duplicate Jira tickets, a problem that wastes developer time at organizations running multiple scanners.

Simple deduplication removes exact duplicates. SRM’s correlation goes further by matching findings that different tools describe differently.
A “SQL Injection” from one tool and a “Database Query Issue” from another can be linked to the same root cause based on file, line, and vulnerability characteristics.
Risk-based prioritization
SRM prioritizes vulnerabilities based on multiple factors:
| Factor | How it affects priority |
|---|---|
| Severity and exploitability | CVSS scores combined with known exploit availability |
| Business context | Asset criticality and data sensitivity of affected applications |
| Corroboration | More tools confirming the same issue means higher confidence |
| Remediation history | Past fix patterns inform expected resolution timelines |
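The correlation and prioritization behaviour described above (file + line + vulnerability characteristics, with a line-less finding such as Tool C's attaching to the same root cause, then scoring by CVSS, exploit availability, asset criticality and corroboration) sketched as an added, stand-alone example. This is illustrative code written for this page, not SRM's engine; the tool names, CWE mapping table, sample findings and scoring weights are all constructed assumptions.

```python
# Constructed sample findings in the shape the text describes: scanner, tool-specific
# title, file, line (None when the scanner reports only the file) and CVSS base score.
RAW_FINDINGS = [
    {"tool": "ToolA", "title": "SQL Injection", "file": "login.php", "line": 42, "cvss": 9.8},
    {"tool": "ToolB", "title": "SQL Injection", "file": "login.php", "line": 42, "cvss": 8.8},
    {"tool": "ToolC", "title": "Database Query Issue", "file": "login.php", "line": None, "cvss": 7.5},
    {"tool": "ToolA", "title": "Reflected XSS", "file": "search.php", "line": 17, "cvss": 6.1},
]

# Common taxonomy: tool-specific titles normalised to a CWE id (assumed mapping).
TAXONOMY = {"sql injection": "CWE-89", "database query issue": "CWE-89", "reflected xss": "CWE-79"}


def normalize(finding):
    """Attach the taxonomy class so differently named reports become comparable."""
    return {**finding, "cwe": TAXONOMY.get(finding["title"].lower(), "CWE-unknown")}


def correlate(findings):
    """Group by file + CWE. A finding with a line joins a group on that exact line;
    a finding without a line joins any group in the same file with the same CWE."""
    groups = []
    for f in map(normalize, findings):
        for g in groups:
            same_place = g["file"] == f["file"] and g["cwe"] == f["cwe"]
            line_ok = f["line"] is None or g["line"] in (None, f["line"])
            if same_place and line_ok:
                g["sources"].append(f["tool"])
                g["line"] = g["line"] if g["line"] is not None else f["line"]
                g["cvss"] = max(g["cvss"], f["cvss"])  # keep the most severe rating
                break
        else:
            groups.append({"file": f["file"], "line": f["line"], "cwe": f["cwe"],
                           "cvss": f["cvss"], "sources": [f["tool"]]})
    return groups


def prioritize(groups, asset_criticality, known_exploits):
    """Risk score = CVSS x asset criticality, +2.0 if a public exploit is known,
    +0.5 per corroborating extra source. Weights are illustrative assumptions."""
    for g in groups:
        score = g["cvss"] * asset_criticality.get(g["file"], 1.0)
        if g["cwe"] in known_exploits:
            score += 2.0
        score += 0.5 * (len(g["sources"]) - 1)
        g["score"] = round(score, 2)
    return sorted(groups, key=lambda g: g["score"], reverse=True)


if __name__ == "__main__":
    for g in prioritize(correlate(RAW_FINDINGS), {"login.php": 1.5}, {"CWE-89"}):
        print(f'{g["score"]:>5}  {g["file"]}:{g["line"]}  {g["cwe"]}  sources={g["sources"]}')
```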
SBOM generation
Generate Software Bills of Materials in standard formats:
| Format | Use case |
|---|---|
| CycloneDX | Security-focused SBOM with vulnerability data |
| SPDX | License compliance and component inventory |
| Custom | Organization-specific reporting formats |
Policy-driven quality gates
Define security policies that block releases when criteria aren’t met. Policies can check for critical vulnerabilities, compliance gaps, or missing scan coverage before code ships.

What does Software Risk Manager integrate with?

How do I get started with Software Risk Manager?
Jenkins integration

The page's declarative pipeline snippet, with the `agent` directive a declarative pipeline requires and the step parameters as given on the page:

```groovy
pipeline {
    agent any   // required in a declarative pipeline; pick a label as needed
    stages {
        stage('Security Scan') {
            steps {
                // Upload scanner output to the SRM (Code Dx) project via the plugin step
                step([$class: 'CodeDxPublisher',
                      url: 'https://srm.example.com/codedx',
                      keyCredentialId: 'srm-api-key',   // Jenkins credential holding the API key
                      projectId: '1',
                      sourceAndBinaryFiles: 'scan-results/*.xml'
                ])
            }
        }
    }
}
```
How much does Software Risk Manager cost?
Software Risk Manager does not publish list pricing on blackduck.com/software-risk-manager: every commercial tier sits behind a “contact sales” form, which is the standard pattern for Black Duck enterprise products. Plan on a custom annual contract sized by application count, scanner connections, and named user count.
The platform is sold as a single commercial enterprise SKU with three deployment options: SaaS (managed by Black Duck), on-premise (Kubernetes-ready), and air-gapped on-premise for regulated industries that cannot run security tooling outside their own environment. Standard enterprise tier features, including SSO, role-based access control, audit trails, and 20+ compliance framework mappings (HIPAA, NIST, PCI DSS, OWASP Top 10, CWE/SANS Top 25), are included rather than sold as add-ons. Verify tier shape with the vendor at evaluation; Black Duck lists no public dollar amounts.
Software Risk Manager vs alternatives
If Software Risk Manager does not fit your stack, four ASPM platforms cover overlapping ground.
- Checkmarx One: Direct head-to-head competitor. Checkmarx One bundles SAST, SCA, IaC, container, and ASPM correlation in one platform; SRM is correlation-only and depends on third-party scanners (or Black Duck’s own Coverity and SCA). Pick Checkmarx One if you want a unified scanner + ASPM stack from a single vendor.
- Veracode Risk Manager: Same product naming pattern, similar correlation positioning. Veracode leans into SaaS-only delivery and tighter coupling with the Veracode scanner stack; SRM offers air-gapped on-premise that Veracode does not.
- ArmorCode: Better fit if you do not have existing Black Duck investments. ArmorCode integrates 320+ scanners with AI-powered prioritization and managed SaaS rather than SRM’s broader deployment options.
- ThreadFix replacement: ThreadFix’s SaaS platform was sunset by Coalfire in 2025; teams previously on ThreadFix typically evaluate SRM, ArmorCode, or DefectDojo as replacements. The SRM correlation engine is the closest functional equivalent for paid customers.
For a wider sweep, the ASPM hub lists every active platform alongside SRM.
Software Risk Manager FAQ
Is Software Risk Manager the same as Code Dx? Yes. The product was originally developed as Code Dx, acquired by Synopsys in 2021, and renamed to Software Risk Manager when Synopsys’ Software Integrity Group spun out into Black Duck following the 2024 divestiture. Same underlying correlation engine, new branding.
Is SRM ASPM or GRC? ASPM. Software Risk Manager is an Application Security Posture Management platform: it correlates findings from application security scanners. Generic “risk management software” tools like Riskonnect, SAI360, and MetricStream serve the GRC (governance, risk, compliance) market, which is unrelated.
Does SRM include native scanners? No, SRM is correlation-only. It depends on third-party scanners for findings, with native integrations to Black Duck’s own Coverity (SAST) and Black Duck SCA, plus 150+ third-party tools across SAST, DAST, IAST, SCA, secrets, and container categories.
How does SRM dedup compare to ThreadFix or DefectDojo? SRM correlates on file + line + vulnerability characteristics, so “SQL Injection” from one tool and “Database Query Issue” from another collapse into the same finding when they describe the same root cause. ThreadFix and DefectDojo do hash-based or CWE-based fingerprinting that catches exact-match duplicates but is weaker on cross-tool naming differences.
What air-gapped deployment options exist? SRM ships with a fully air-gapped on-premise mode for regulated industries (defense, government, financial services) that cannot run security tooling outside their own environment. The Kubernetes-deployable version supports the same isolation pattern.
When to use Software Risk Manager
SRM makes sense for organizations already in the Black Duck ecosystem (Coverity, Black Duck SCA) that want a unified view of findings across all their security tools. The correlation engine’s ability to match findings across different scanners is where it adds the most value: if you’re running 5+ scanning tools and getting duplicate tickets in Jira, SRM fixes that.
For organizations without existing Black Duck investments, ArmorCode offers broader integration (320+ tools) with AI correlation. For open-source aggregation, DefectDojo covers 200+ tools at no cost.