Prerequisites
Before viewing and managing software package assets, verify the following:
| Prerequisite | Description |
|---|---|
| License | An active Cortex Cloud license with Application Security entitlements |
| RBAC role | The AppSec Admin or SOC Analyst role, or an equivalent custom role with asset inventory and issue management permissions |
| VCS integration | At least one Version Control System (GitHub, GitLab, Bitbucket, Azure DevOps) integrated and active |
| SCA scanner | The SCA scanner enabled for the target repositories |
| Completed scan | At least one completed periodic scan or PR scan that includes SCA scanning results |
How to access software package assets
To access software package assets, under Inventory, select → → .
The Software Packages assets page includes a dashboard and an inventory.
Software package dashboard
The dashboard includes two widgets:
Package Managers: A breakdown showing the package managers (such as npm and pip) in your environment, and the number of software packages found in each package manager
Dependency Types: A breakdown showing the amount of direct and transitive (indirect) software packages
Selecting an item in either widget filters the software package asset inventory accordingly.
Software package asset inventory
The following table describes the default exposed properties of the Software package asset table. Select the column picker to view additional hidden properties.
| Property | Description |
|---|---|
| Name | The name of the software package, serving as the primary identifier |
| Version | The version of the software package |
| Licenses | The license types associated with the package, displayed as a comma-separated list |
| Dependency Type | Whether the package is a Direct or Transitive dependency |
| Provider | The VCS provider hosting the parent repository |
| File Path | The path to the dependency manifest file containing the package declaration, including the affected line range |
| First Seen | The timestamp when the software package was first discovered in the asset inventory |
Filter and prioritize software packages
The Software Packages page displays a table of all dependencies. Use the search bar to find packages by name, or apply filters to narrow results based on operational and security metadata.
High-priority filtering workflows
To effectively reduce the organization's supply chain risk surface, apply the following filter combinations to prioritize remediation efforts:
Target critical business applications with high severity vulnerabilities: Filter packages associated with your most sensitive workloads by using the Business Application Names filter to select the specific business applications you know are critical, and then reviewing the affected packages for high-severity issues
Identify deprecated packages: Filter by Operational Risk indicators to surface deprecated packages that represent a structural supply chain risk regardless of current CVE status and should be replaced
Find restrictive licenses: Use the Licenses column filter to identify packages with strong copyleft licenses or non-permissive licenses that may violate organizational compliance policies
Isolate transitive risk: Filter by Dependency Type = Transitive to identify indirect dependencies that introduce risk without direct developer control
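The classification behind the Dependency Types widget and the three filter workflows above (transitive, deprecated, restrictive licenses) can be reproduced offline against a lockfile. The following is an added example, not Cortex Cloud code or an API of the product: it reads a constructed npm package-lock.json (lockfileVersion 3 shape, invented package names and versions), derives Direct versus Transitive by walking the graph from the root package, and applies the same filters the page describes. The list of license prefixes treated as "strong copyleft" is an assumption chosen for the example, not the product's policy.

```python
import json
from collections import deque

# Constructed sample lockfile (invented packages, not real data). The "" entry
# is the root project; everything it lists directly is a Direct dependency.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^1.0.0", "log-lib": "^2.0.0"}},
    "node_modules/web-framework": {"version": "1.4.2", "license": "MIT",
        "dependencies": {"tiny-parser": "^0.3.0"}},
    "node_modules/log-lib": {"version": "2.1.0", "license": "GPL-3.0-only",
        "deprecated": "log-lib is no longer maintained"},
    "node_modules/tiny-parser": {"version": "0.3.7", "license": "AGPL-3.0-only"}
  }
}
""")

# Assumption for this example: SPDX identifiers starting with these prefixes are
# treated as strong copyleft when filtering for restrictive licenses.
STRONG_COPYLEFT_PREFIXES = ("GPL-", "AGPL-")


def _pkg_name(path):
    """'node_modules/a/node_modules/b' -> 'b' (npm lockfile v3 path convention)."""
    return path.rsplit("node_modules/", 1)[-1]


def load_inventory(lock, file_path="package-lock.json"):
    """Build an inventory of reachable packages with a Direct/Transitive label."""
    packages = lock["packages"]
    root_deps = set(packages[""].get("dependencies", {}))
    by_name = {_pkg_name(p): meta for p, meta in packages.items() if p}
    inventory, seen, queue = [], set(), deque(root_deps)
    # Breadth-first walk from the root so unreachable entries are ignored.
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        meta = by_name[name]
        inventory.append({
            "name": name,
            "version": meta.get("version"),
            # Lockfiles may carry the license as an object; this example
            # only handles the common string form.
            "licenses": [meta.get("license", "UNKNOWN")],
            "dependency_type": "Direct" if name in root_deps else "Transitive",
            "deprecated": "deprecated" in meta,
            "file_path": file_path,
        })
        queue.extend(meta.get("dependencies", {}))
    return sorted(inventory, key=lambda p: p["name"])


def transitive_packages(inventory):
    """'Isolate transitive risk': indirect dependencies outside developer control."""
    return [p for p in inventory if p["dependency_type"] == "Transitive"]


def deprecated_packages(inventory):
    """'Identify deprecated packages': flagged regardless of current CVE status."""
    return [p for p in inventory if p["deprecated"]]


def restrictive_license_packages(inventory, prefixes=STRONG_COPYLEFT_PREFIXES):
    """'Find restrictive licenses': any license matching a copyleft prefix."""
    return [p for p in inventory
            if any(lic.startswith(prefixes) for lic in p["licenses"])]


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_LOCK)
    for p in inv:
        print(f"{p['name']:<14} {p['version']:<7} {p['dependency_type']:<10} "
              f"{','.join(p['licenses']):<14} deprecated={p['deprecated']}")
    print("transitive :", [p["name"] for p in transitive_packages(inv)])
    print("deprecated :", [p["name"] for p in deprecated_packages(inv)])
    print("restrictive:", [p["name"] for p in restrictive_license_packages(inv)])
```

Because the walk starts from the root entry, a package that appears in the lockfile but is no longer referenced by anything is not counted, which matches the intent of an inventory of what a scan actually found in use rather than of every entry in the file.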