The software package inventory provides the identity, dependency context, operational risk, and vulnerability telemetry needed to manage every third-party dependency as a governed asset, from discovery through remediation.
Cortex Cloud discovers and inventories every open-source and third-party software package declared in dependency manifest files across onboarded repositories. Each package detected through Software Composition Analysis (SCA) scanning appears in the unified asset inventory as a governed component of the software supply chain, carrying its identity metadata, version, license type, dependency classification, operational risk rating, and associated CVE vulnerabilities.
The software package asset enables security teams to answer three questions about every dependency: What third-party code does the codebase consume? What is the operational and license risk of each dependency? What known vulnerabilities does each dependency introduce?
Note
Scope: The software package asset represents an open-source or third-party dependency discovered through SCA scanning of onboarded repositories. The software package asset does not represent first-party application code, container image layers, or cloud runtime packages; those asset categories are managed under their respective asset classes.
Programmatic SBOM export: To support supply chain auditing and compliance workflows, the dependency data inventoried here can be programmatically exported as a machine-readable Software Bill of Materials (SBOM). For automation details, refer to APIs for SBOM management.
The software package asset is the foundational unit of supply chain governance in Cortex Cloud.
Dependency discovery and identity: Every open-source package declared in a dependency manifest file is automatically discovered and registered in the unified asset inventory with a unique asset identifier, package name, version, package manager, and programming language to serve as the persistent identity record
Supply chain visibility: The asset provides a complete view of the third-party code consumed by each repository, including direct and transitive dependencies, enabling teams to identify which direct dependency introduced a vulnerable leaf package
Operational risk assessment: Each asset carries a risk rating derived from maintenance activity, community popularity, and deprecation status to identify libraries that pose a risk independent of known CVEs
License compliance: The inventory surfaces license types to enable enforcement of organizational policies against strong copyleft or non-permissive licenses
Code to cloud lineage: The package asset participates in the relationship graph as a child of the repository, establishing traceability from the code declaration through to deployed cloud resources
The software package asset model facilitates a structured delegation between Governance and Operations:
AppSec managers (Governance): Review the inventory to identify systemic supply chain risks such as deprecated packages or license violations and define unified policies to enforce compliance standards
AppSec practitioners (Operations): Investigate package-level vulnerabilities, trace dependency chains to identify root causes, and upgrade or replace vulnerable packages to meet SLA requirements
Cortex Cloud models the following relationships between the software package asset and other asset categories:
| Related asset category | Inherited metadata and description |
|---|---|
| Repository (Parent) | The repository that declares the software package in a dependency manifest file, providing the inherited business criticality and application association |
| Software package (Sibling) | Other software packages declared in the same repository that share the same repository context and tags |
| CVE vulnerability issue (Downstream) | CVE vulnerabilities detected in the software package by the SCA scanner |
| License issue (Downstream) | License compliance violations detected in the software package by the SCA scanner |
| Operational risk issue (Downstream) | Operational risk findings such as deprecation or low maintenance detected in the software package |
Review the following limitations before investigating and managing software package assets:
| Limitation | Description |
|---|---|
| SCA scanner required | Software package assets are only created through SCA scanning. Repositories with the SCA scanner disabled do not generate software package assets in the asset inventory |
| Dependency manifest scope | Software packages are discovered from dependency manifest files, so packages installed through non-standard mechanisms, vendored dependencies, or dynamically resolved dependencies may not be detected |
| Transitive dependency depth | The depth of transitive dependency resolution depends on the package manager and the dependency manifest format |
| Operational risk data freshness | Operational risk ratings are updated during periodic scans and may not reflect real-time changes in the package registry between scan cycles |
| License detection accuracy | License types are extracted from package metadata in the registry, so packages with missing or ambiguous declarations may display incomplete information; manual verification is recommended for compliance |
| Third-party SCA data integration scope | Third-party SCA integrations contribute CVE vulnerability findings to software package assets but do not create the assets in the inventory, nor do they provide operational risk or license data |
Software package assets inventory
To view and manage software package assets, you must have:
At least one Version Control System (GitHub, GitLab, Bitbucket, Azure DevOps) integrated and active.
The SCA scanner enabled for the target repositories.
At least one completed periodic scan or PR scan that includes SCA scanning results.
To access software package assets, go to Inventory, select → → .
The dashboard includes two widgets:
Package Managers: A breakdown showing the package managers (such as npm and pip) in your environment, and the number of software packages found in each package manager
Dependency Types: A breakdown showing the number of direct and transitive (indirect) software packages
Selecting an item in either widget filters the software package asset inventory accordingly.
The following table describes the default exposed properties of the software packages asset table. Select the column picker to view additional properties.
| Property | Description |
|---|---|
| Name | The name of the software package, serving as the primary identifier |
| Version | The version of the software package |
| Licenses | The license types associated with the package, displayed as a comma-separated list |
| Dependency Type | Whether the package is a Direct or Transitive dependency |
| Provider | The VCS provider hosting the parent repository |
| File Path | The path to the dependency manifest file containing the package declaration, including the affected line range |
| First Seen | The timestamp when the software package was first discovered in the asset inventory |
The Software Packages page displays a table of all dependencies. Use the search bar to find packages by name, or apply filters to narrow results based on operational and security metadata.
To effectively reduce the organization's supply chain risk surface, apply the following filter combinations to prioritize remediation efforts:
Target critical business applications with high severity vulnerabilities: Filter packages associated with your most sensitive workloads by using the Business Application Names filter to select the specific business applications you know are critical, and then reviewing the affected packages for high-severity issues
Identify deprecated packages: Filter by Operational Risk indicators to surface deprecated packages that represent a structural supply chain risk regardless of current CVE status and should be replaced
Find restrictive licenses: Use the Licenses column filter to identify packages with strong copyleft licenses or non-permissive licenses that may violate organizational compliance policies
Isolate transitive risk: Filter by Dependency Type = Transitive to identify indirect dependencies that introduce risk without direct developer control
Right-click on a row in the inventory table to take the following actions:
Open in new tab: Opens the description tab of the asset for detailed analysis of the issue
View asset data: Opens a new pop-up window displaying the data retrieved for the asset during the most recent scan in either JSON (default) or tree view. This raw data provides a comprehensive and unformatted view of the asset's properties and attributes as they were initially ingested
Copy text to clipboard: Copies the selected text to the clipboard
Copy entire row: Copies the entire selected row data
Show/hide rows: Select a value in a row and filter the entire inventory to show or hide assets based on the selected attribute
Open in Cortex Assistant/Open in Cortex Agentic Assistant: Opens the selected software package in Cortex Assistant or Cortex Agentic Assistant.
Click the download icon (showing Export to file when hovering over the icon) in the top right of any asset page to export the asset data.
Software package asset details
Select a software package row in the table to open its side panel.
From the Software Packages table, right-click a software package > Open in Agentic Assistant > select Application Security from the agents menu, and query package-specific insights (for example, vulnerability summaries, risk posture, or remediation guidance). This action is also available from the software package side panel.
Additionally, you can click Ask AI in the side panel to access the Agentic Assistant.
Navigate through the following tabs in the side panel to review the package context and trace its impact across the supply chain:
Overview tab: Displays a high-level summary of the package details alongside the severity breakdown of CVE vulnerabilities associated with the software dependency
Applications tab: Displays the business applications associated with the software package, inherited from the parent repository, including business criticality ratings and risk scores
Code tab: Displays the dependency tree visualization showing the dependency chain from root direct dependencies to the selected package, and highlights the package declaration in the manifest file
Code to Cloud tab: Displays the relationship graph visualizing the full lineage from the software package through the parent repository to deployed cloud workloads. For more information on Code to Cloud, refer to Code to Cloud.
Use the Code to Cloud graph to assess the blast radius of a package vulnerability by tracing which CI/CD pipelines build artifacts from the parent repository and which production container images consume the affected dependency
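The dependency chain shown in the Code tab, and the direct-versus-transitive classification used throughout the inventory, can both be derived from the package manager's lockfile. The following script is an added example written for this page; it is not Cortex Cloud code and does not use its API. It parses a constructed npm `package-lock.json` (lockfileVersion 2/3 `packages` map, which is npm's real format), applies npm's nested `node_modules` resolution so that two copies of the same package at different versions are kept apart, classifies each package as Direct or Transitive, traces every chain from a direct dependency to a chosen vulnerable leaf (the root-cause question from the supply chain visibility capability above), and emits a minimal CycloneDX-style SBOM of the kind the programmatic SBOM export note refers to. The sample lockfile data and the package versions in it are constructed for illustration.

```python
"""Trace npm dependency chains and classify dependency type from a lockfile.

Added example, not Cortex Cloud code. Input format: npm package-lock.json with
lockfileVersion 2 or 3, whose "packages" map keys are lockfile paths such as
"node_modules/express" or "node_modules/debug/node_modules/ms".
"""
import json
from collections import deque
from urllib.parse import quote

# Constructed sample lockfile, trimmed to the fields this example reads.
# Note the two copies of "ms": 2.1.3 is a direct dependency, 2.0.0 is nested
# under debug, so a finding on ms@2.0.0 must be traced through express -> debug.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"express": "^4.18.0", "ms": "^2.1.0"}},
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"qs": "6.11.0", "debug": "2.6.9"}},
        "node_modules/qs": {"version": "6.11.0",
                            "dependencies": {"side-channel": "^1.0.4"}},
        "node_modules/side-channel": {"version": "1.0.4"},
        "node_modules/debug": {"version": "2.6.9", "dependencies": {"ms": "2.0.0"}},
        "node_modules/debug/node_modules/ms": {"version": "2.0.0"},
        "node_modules/ms": {"version": "2.1.3"},
    },
})


def load_packages(lock_text):
    return json.loads(lock_text)["packages"]


def resolve(packages, from_path, dep):
    """npm resolution: look in from_path/node_modules, then walk up to the root."""
    base = from_path
    while True:
        cand = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not base:
            return None  # declared but not installed (e.g. optional dependency)
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut != -1 else ""


def build_graph(packages):
    """Map each lockfile path to the lockfile paths of its resolved dependencies."""
    graph = {}
    for path, meta in packages.items():
        graph[path] = []
        for dep in meta.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is not None:
                graph[path].append(target)
    return graph


def describe(packages, path):
    """'name@version' for a lockfile path; keeps scoped names like @scope/pkg."""
    name = path.rsplit("node_modules/", 1)[-1]
    return f"{name}@{packages[path]['version']}"


def dependency_type(graph, path):
    return "Direct" if path in graph[""] else "Transitive"


def chains_to(graph, target):
    """All chains from a direct dependency down to `target` (breadth-first, cycle-safe)."""
    chains = []
    queue = deque([root] for root in graph[""])
    while queue:
        chain = queue.popleft()
        if chain[-1] == target:
            chains.append(chain)
            continue
        for nxt in graph[chain[-1]]:
            if nxt not in chain:  # guard against dependency cycles
                queue.append(chain + [nxt])
    return chains


def inventory(lock_text):
    """{'name@version': 'Direct' | 'Transitive'} for every installed package."""
    packages = load_packages(lock_text)
    graph = build_graph(packages)
    return {describe(packages, p): dependency_type(graph, p) for p in packages if p}


def trace(lock_text, name, version):
    """Root-cause view for one package: its type and every chain that pulls it in."""
    packages = load_packages(lock_text)
    graph = build_graph(packages)
    results = []
    for path in packages:
        if path and describe(packages, path) == f"{name}@{version}":
            results.append({
                "path": path,
                "dependency_type": dependency_type(graph, path),
                "chains": [" -> ".join(describe(packages, p) for p in c)
                           for c in chains_to(graph, path)],
            })
    return results


def to_cyclonedx(lock_text):
    """Minimal CycloneDX JSON document with a package-url per component."""
    packages = load_packages(lock_text)
    components = []
    for path, meta in packages.items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        components.append({"type": "library", "name": name, "version": meta["version"],
                           "purl": f"pkg:npm/{quote(name, safe='/')}@{meta['version']}"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


if __name__ == "__main__":
    for entry in trace(SAMPLE_LOCK, "ms", "2.0.0"):
        print(entry["dependency_type"], entry["chains"])
    print(json.dumps(to_cyclonedx(SAMPLE_LOCK), indent=2))
```

Running the script against the sample lockfile reports `ms@2.0.0` as Transitive with the single chain `express@4.18.2 -> debug@2.6.9 -> ms@2.0.0`, which is the direct dependency an upgrade or replacement has to target, while `ms@2.1.3` is reported as Direct. Real lockfiles add `dev`, `optional` and `peer` flags to each entry; filtering on those before building the graph is the natural extension when triaging production-only exposure.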
To investigate security findings for a software package, you can click on issues or cases directly from the Overview tab. This navigates you away from the asset inventory to the main Cases or Issues pages filtered specifically by this package.
Alternatively, the side panel organizes issues into dedicated tabs so you can investigate and remediate without navigating away. Selecting a finding in these dedicated tabs opens an issue side panel to view detailed information, including the attack vector, impact description, and fix version recommendation.
| Tab Name | Description |
|---|---|
| Vulnerabilities | Displays CVE vulnerabilities detected in the software package by the SCA scanner, including the CVSS score, severity, and fix version recommendation. Refer to Software Composition Analysis (SCA) vulnerability issues for more information |
| Package Integrity | Displays operational risk indicators like deprecation status and low maintenance activity, alongside license compliance violations. Refer to Package integrity issues for more information |
After reviewing the package health, you can perform the following operations from the Actions menu in the side panel or directly from the inventory table:
Open in Provider: From the Overview tab in the side panel, click the value under Repository to open the repository in the Repositories table which includes the software package for further investigation, such as assessing the business impact of the affected codebase
Open in GitHub: From the menu in the side panel, click the value under Repository to open the parent repository directly in GitHub to view the source code and manifest file where the dependency is declared
View asset data: Right-click on a row in the table and select View asset data to display package data in JSON or Tree View formats to assist with custom integrations or XQL queries