Snyk Software Composition Analysis (SCA) ingestion - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Product: Cortex Cloud Posture Management (Cortex Cloud Application Security)
Creation date: 2025-01-22
Last date published: 2026-05-31
Category: Administrator Guide

Abstract: How Cortex Cloud ingests, normalizes, and displays Software Composition Analysis (SCA) data from Snyk, including software package assets and CVE findings.

When the SCA scan type is enabled in the Snyk integration, Cortex Cloud ingests open-source dependency vulnerability data. For each Snyk target, the system fetches projects of the SCA type, retrieves their associated findings, and produces both Software Package assets and Vulnerability findings. These raw findings are then enriched and, when they meet specific risk thresholds, elevated into actionable issues, the fundamental unit for remediation in Cortex Cloud.

Supported SCA ecosystems

The following Snyk project types are supported for SCA ingestion:

Snyk project type                          Package manager
npm                                        NPM
yarn / yarn-workspace                      Yarn
pip / poetry                               PyPI
maven                                      Maven
gradle                                     Gradle
gomodules / golang / golangdep / govendor  Go Modules
rubygems                                   RubyGems
nuget / paket                              NuGet
composer                                   Composer
cocoapods                                  CocoaPods
hex                                        Hex

Manage SCA issues generated from Snyk findings

You can view and manage SCA issues generated from ingested Snyk SCA findings to assess and remediate vulnerabilities. Navigate to Modules > Application Security > Vulnerabilities (under Issues).

For more information about SCA issues and findings, refer to Software Composition Analysis (SCA) vulnerability issues.

View Snyk SCA findings in Cortex Cloud
  1. Sign in to the Cortex Cloud console.

  2. In the tenant, navigate to Posture Management > Findings.

  3. Apply filters to locate Snyk SCA findings:

    • Data Source: SNYK

    • Detection Method: CAS_CVE_SCANNER

    • Report Identifier: ThirdParty_SNYK_SCA

    • Asset Type: <LANGUAGE>_PACKAGE (e.g., JAVASCRIPT_PACKAGE)

SCA FAQs
  • Does the Snyk integration generate SBOM reports? No. The Snyk integration creates software package assets and vulnerability findings, but it does not generate formal SBOM documents (CycloneDX/SPDX). Formal SBOM reports are generated only by the native Cortex Cloud SCA scanner during periodic repository scans.

  • Which vulnerability identifier is used when Snyk reports both a CVE and a SNYK ID? CVE identifiers are prioritized. When a Snyk issue contains both, the CVE is used as the primary vulnerability ID.
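The following is an added example, not Cortex Cloud or Snyk code, that models the ingestion rules described on this page (the supported-ecosystem table above and the CVE-over-SNYK-ID preference in this FAQ) so an administrator can predict what a given Snyk SCA finding should look like once it appears under Findings. The shape of the Snyk issue records, the field names (`project_type`, `identifiers`), the sample IDs, and every `<LANGUAGE>` value other than `JAVASCRIPT` are assumptions constructed for this example and are not the vendors' schemas.

```python
# Added example (not Cortex Cloud or Snyk code). Models the normalization rules this
# page describes. The issue record layout, field names, sample IDs and all language
# names except JAVASCRIPT are assumptions constructed for this example.

from dataclasses import dataclass
from typing import Optional

# Snyk project type -> package manager, as listed under "Supported SCA ecosystems".
PROJECT_TYPE_TO_PACKAGE_MANAGER = {
    "npm": "NPM",
    "yarn": "Yarn", "yarn-workspace": "Yarn",
    "pip": "PyPI", "poetry": "PyPI",
    "maven": "Maven",
    "gradle": "Gradle",
    "gomodules": "Go Modules", "golang": "Go Modules",
    "golangdep": "Go Modules", "govendor": "Go Modules",
    "rubygems": "RubyGems",
    "nuget": "NuGet", "paket": "NuGet",
    "composer": "Composer",
    "cocoapods": "CocoaPods",
    "hex": "Hex",
}

# Package manager -> <LANGUAGE> used in the <LANGUAGE>_PACKAGE asset type.
# The page shows JAVASCRIPT_PACKAGE; every other value here is an assumption.
PACKAGE_MANAGER_TO_LANGUAGE = {
    "NPM": "JAVASCRIPT", "Yarn": "JAVASCRIPT",
    "PyPI": "PYTHON",
    "Maven": "JAVA", "Gradle": "JAVA",
    "Go Modules": "GO",
    "RubyGems": "RUBY",
    "NuGet": "DOTNET",
    "Composer": "PHP",
    "CocoaPods": "SWIFT",
    "Hex": "ELIXIR",
}


@dataclass
class NormalizedFinding:
    """One record shaped like the filter fields listed under 'View Snyk SCA findings'."""
    data_source: str
    detection_method: str
    report_identifier: str
    asset_type: str
    package_manager: str
    package: str
    version: str
    vulnerability_id: str


def primary_vulnerability_id(issue: dict) -> str:
    """CVE identifiers are prioritized; fall back to the SNYK ID when no CVE is present."""
    cves = issue.get("identifiers", {}).get("CVE") or []
    return cves[0] if cves else issue["id"]


def normalize(issue: dict) -> Optional[NormalizedFinding]:
    """Return a Findings-style record, or None when the project type is not an SCA type."""
    manager = PROJECT_TYPE_TO_PACKAGE_MANAGER.get(issue["project_type"])
    if manager is None:
        return None  # non-SCA project types (IaC, containers, ...) are not ingested here
    language = PACKAGE_MANAGER_TO_LANGUAGE[manager]
    return NormalizedFinding(
        data_source="SNYK",
        detection_method="CAS_CVE_SCANNER",
        report_identifier="ThirdParty_SNYK_SCA",
        asset_type=f"{language}_PACKAGE",
        package_manager=manager,
        package=issue["package"],
        version=issue["version"],
        vulnerability_id=primary_vulnerability_id(issue),
    )


# Constructed sample issues; IDs, CVE numbers and the non-SCA project type are made up.
SAMPLE_ISSUES = [
    {"id": "SNYK-JS-EXAMPLEPKG-000001", "project_type": "yarn-workspace",
     "package": "example-pkg", "version": "1.2.3",
     "identifiers": {"CVE": ["CVE-0000-00001"], "CWE": ["CWE-79"]}},
    {"id": "SNYK-PYTHON-EXAMPLELIB-000002", "project_type": "poetry",
     "package": "examplelib", "version": "4.5.6",
     "identifiers": {"CVE": [], "CWE": ["CWE-400"]}},
    {"id": "SNYK-EXAMPLE-000003", "project_type": "iac-example",
     "package": "", "version": ""},
]


def normalize_all(issues=SAMPLE_ISSUES) -> list:
    """Normalize every SCA issue and drop the ones that are not SCA project types."""
    return [r for r in (normalize(i) for i in issues) if r is not None]


if __name__ == "__main__":
    for rec in normalize_all():
        print(rec)
```

Running the block prints two records: the Yarn workspace finding carries the CVE as its vulnerability ID and a `JAVASCRIPT_PACKAGE` asset type, the Poetry finding falls back to its SNYK ID because no CVE is attached, and the non-SCA sample is dropped. Comparing such expected records against what the Findings filters return is a quick way to confirm that the SCA scan type is enabled and ingesting as described.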