Cortex Cloud Application Security SCA scanners inspect and manage the security and compliance of your application's open-source and third-party dependencies. Securing the supply chain requires aggregating data from all available detection sources. Therefore, SCA in Cortex Cloud relies on both native scanning engines and the direct ingestion of findings from third-party SCA tools such as Snyk or Semgrep. They are part of the Cortex Cloud shift-left security strategy, enabling organizations to proactively identify and mitigate risks associated with external code components early in the development lifecycle.
Important: Utilizing native SCA scanner capabilities requires an AppSec add-on license (Posture Management, Runtime, or Premium Cortex).
Currently, native support for SCA is limited to static analysis, meaning that only direct dependencies are scanned. However, if lock files are present, support is extended to include the analysis of transitive dependencies as well. Ingesting third-party data extends this coverage by centralizing your existing external security data into the same platform.
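To make the coverage difference concrete, the following added example (not Cortex Cloud's own code) contrasts what a manifest-only scan can see with what a lock file exposes. It uses a constructed npm package.json and a constructed lockfileVersion 3 package-lock.json; the manifest names only express, while the lock file also records the packages express pulls in.

```python
import json

# Constructed sample manifest: declares only direct dependencies with version ranges.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"express": "^4.18.0"}
}"""

# Constructed sample lock file (npm lockfileVersion 3): resolved, pinned versions
# for the whole tree, including packages the manifest never names.
PACKAGE_LOCK_JSON = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"express": "^4.18.0"}},
    "node_modules/express": {"version": "4.18.2", "dependencies": {"body-parser": "1.20.1"}},
    "node_modules/body-parser": {"version": "1.20.1", "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs": {"version": "6.11.0"}
  }
}"""


def direct_dependencies(manifest_text):
    """Manifest-only (static) view: names and version ranges of direct dependencies."""
    manifest = json.loads(manifest_text)
    return dict(manifest.get("dependencies", {}))


def resolved_dependencies(lock_text):
    """Lock-file view: every installed package with its pinned version and
    whether it is direct (declared by the root project) or transitive."""
    lock = json.loads(lock_text)
    packages = lock["packages"]
    root_deps = set(packages.get("", {}).get("dependencies", {}))
    inventory = {}
    for path, entry in packages.items():
        if path == "":
            continue  # the root project itself, not a dependency
        # "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/" prefix
        name = path.rsplit("node_modules/", 1)[-1]
        inventory[name] = {"version": entry["version"], "direct": name in root_deps}
    return inventory


def transitive_only(manifest_text, lock_text):
    """Packages the lock file reveals that a manifest-only scan would miss entirely."""
    direct = direct_dependencies(manifest_text)
    return sorted(n for n in resolved_dependencies(lock_text) if n not in direct)
```

Running `transitive_only(PACKAGE_JSON, PACKAGE_LOCK_JSON)` on the constructed inputs returns the two packages (body-parser and qs) that only the lock file makes visible to a scanner.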
SCA use cases
SCA provides a comprehensive approach to securing your software supply chain by enabling you to achieve these objectives:
Gain comprehensive visibility into software composition: By combining native scans with ingested third-party data, SCA tools build a complete inventory of all open-source packages and their dependencies, providing critical insight into your software's entire composition. This unified view helps you understand and manage your overall software supply chain. Refer to Software packages as assets for more information.
Improve application code security and prioritize remediation: SCA scans identify critical vulnerabilities and prioritize remediation efforts based on a data-driven risk assessment that combines code-level vulnerabilities and potential business impact. Normalizing ingested third-party findings alongside native results ensures unified risk prioritization across all detection sources.
Enable informed decisions about external code: By providing detailed insights into vulnerabilities and licenses from both native and ingested sources, SCA empowers development and security teams to make informed decisions about the use, update, or replacement of external code components.
SCA achieves these objectives by performing the following core functions:
Identify known vulnerabilities (CVEs): Automatically detect and flag known security vulnerabilities (tracked as Common Vulnerabilities and Exposures, or CVEs) present in your open-source and third-party dependencies. This provides crucial insight into potential weaknesses that could be exploited.
Assess license compliance: Manage open-source license obligations and identify potential compliance risks introduced by your application's components. This helps you adhere to regulatory requirements and minimize legal and compliance exposure.
Ingest and normalize third-party data: Aggregate vulnerability data from external SCA vendors. This enables Cortex Cloud to enrich these findings with context to generate issues, allowing you to manage all supply chain risks from a single location.