# Prisma Cloud Announces Software Composition Analysis (SCA) To Help Organizations Proactively Address Open Source Risk

By [Guy Eisenkot](https://www.paloaltonetworks.com/blog/author/guy-eisenkot/?ts=markdown "Posts by Guy Eisenkot"), Sep 20, 2022

Categories: [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown). Tags: [Application Security Testing](https://www.paloaltonetworks.com/blog/tag/application-security-testing/?ts=markdown), [AppSec](https://www.paloaltonetworks.com/blog/tag/appsec/?ts=markdown), [Software Composition Analysis](https://www.paloaltonetworks.com/blog/tag/software-composition-analysis/?ts=markdown)

Modern applications are more interconnected than ever, and the lines between cloud-native code components ([infrastructure as code (IaC)](https://www.paloaltonetworks.com/cyberpedia/what-is-iac?ts=markdown), Kubernetes manifests, open source packages and container images) are blurring. But the way most organizations approach cloud-native security is still siloed. Stitching point solutions together requires extensive resources and inevitably leaves coverage gaps. [Gartner estimates](https://www.gartner.com/en/conferences/apac/security-risk-management-australia/featured-topics/cloud-security) that "by 2025, 70% of organizations will consolidate the number of vendors securing the life cycle of cloud-native applications to a maximum of three vendors." For that consolidation to happen, code security has to sit alongside posture management and runtime security in the same platform.

To help teams get code security that is as interconnected as the applications they need to protect, Prisma Cloud has added [Software Composition Analysis (SCA)](https://www.prismacloud.io/prisma/cloud/software-composition-analysis) to its [Cloud-Native Application Protection Platform (CNAPP)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-application-protection-platform?ts=markdown). This addition builds on our foundational, industry-leading IaC security capabilities, creating the first context-aware SCA solution: one that brings the context of the infrastructure into securing the application.

## The Need for Open Source Security Is Greater Than Ever

For modern development teams, open source software (OSS) is essential to building applications modularly and shipping features fast.
But with a 10% year-over-year increase in reported open source vulnerabilities, [as found by Forrester](https://www.forrester.com/report/the-state-of-application-security-2022/res177413?objectid=res177413), it's also the first place attackers look when they want a way in. The steady flow of new vulnerabilities and the pervasiveness of OSS, coupled with the rising complexity of cloud-native applications, make this a hard problem to solve. Last year we watched our customers scramble to determine if and how they were affected by [Log4Shell](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/), both across their stacks and at different phases of the development cycle. Because modern applications are so complex and open source software is so dependency-driven (a vulnerable library is often pulled in several levels below anything a developer declared), this was much harder than it should have been. And it remains a problem to this day, with an estimated [30%](https://techcrunch.com/2022/03/18/study-30-of-log4shell-instances-remain-vulnerable/) of Apache Log4j instances in the wild still running vulnerable, unpatched versions.

## Existing Approaches to Eliminate Open Source Risk Fall Short

Open source risk is by no means a new challenge, but many SCA solutions still aren't equipped to handle the interconnectedness and complexity of cloud-native applications. Many traditional solutions surface vulnerabilities and license compliance issues too late, resulting in resource-intensive remediation processes that leave vulnerabilities exposed for too long. Newer, developer-friendly software composition analysis tools shift that process earlier in the application lifecycle. But with disparate application and infrastructure security point tools, it's hard to prioritize risk accurately based on the context of the broader cloud-native environment.
And even if teams are able to sift through security findings and prioritize issues, they may still have an incomplete view of their open source risk, because most SCA solutions lack the depth of scanning needed to uncover every vulnerable package down to the deepest dependency layer.

![software composition analysis](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/09/word-image-4.jpeg)

Image: Security challenges inherent to point tool sprawl.

## Prisma Cloud Software Composition Analysis

Prisma Cloud Software Composition Analysis draws on proprietary threat research and the most trusted vulnerability databases, supports the popular open source package managers and languages, and provides granular version bump fixes so developers can implement changes safely. This depth of coverage, paired with Prisma Cloud's existing breadth of developer and DevOps integrations, makes our SCA solution one of the most accurate and comprehensive on the market.

### Infrastructure-Aware Approach

By bringing the worlds of IaC and open source security together in a [Code-to-Cloud CNAPP](https://www.paloaltonetworks.com/blog/2022/09/code-to-cloud-cnapp/?ts=markdown), Prisma Cloud not only helps organizations consolidate solutions but also provides the context of each vulnerability within the broader cloud-native environment, such as the container image and the infrastructure the affected package is deployed in. This connection allows organizations to identify vulnerabilities embedded in container dependencies and helps them prioritize and address those vulnerabilities faster.
![Vulnerabilities within the cloud-native environment](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/09/word-image-30.png)

Image: Gaining context for vulnerabilities within the cloud-native environment

In addition to SCA, [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/ci-cd-security#sbom?ts=markdown) now also supports consolidated [software bill of materials (SBOM)](https://www.paloaltonetworks.com/cyberpedia/what-is-software-bill-materials-sbom?ts=markdown) generation, which covers both IaC resources and open source packages, along with their associated misconfigurations, vulnerabilities and licenses.

### Developer-First Integrations

Prisma Cloud Software Composition Analysis uses existing integrations and experience to surface feedback as early as possible, providing vital intel to developers directly within the tools and workflows they depend on. Through [Checkov](https://www.checkov.io/), Prisma Cloud's open source CLI tool, or integrated development environment (IDE) plugins, developers are notified of vulnerabilities as they bring OSS into their codebase. Then, as open source code makes its way into the build phase, Prisma Cloud surfaces feedback in version control systems (VCS) in the form of pull/merge request guardrails and comments, as well as build steps within [CI/CD pipelines](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security?ts=markdown).

![Version control systems (VCS)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/09/word-image-31.png)

Image: Feedback in version control systems (VCS)

### Limitless Dependency Scanning

OSS is incredibly dependency-driven, and each package version may change critical functionality, so without complete visibility and guidance throughout dependency trees, vulnerabilities go undetected or unfixed.
By fully resolving dependency trees and providing granular version bump fix suggestions at every layer, Prisma Cloud provides deep open source coverage.

![Supply chain graph](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/09/word-image-32.png)

Image: Open source coverage accounting for dependencies and providing granular version bump fix suggestions.

### Code-to-Cloud CNAPP

The only way to ensure complete coverage when securing cloud-native applications is to scan for vulnerabilities at each step of the development lifecycle. SCA is just one component of the Prisma Cloud CNAPP solution, which secures applications and infrastructure from code to cloud. With Prisma Cloud, the same intelligence stream used to identify vulnerabilities in repositories continuously identifies vulnerabilities in registries and at runtime, providing consistent and accurate visibility into the vulnerabilities in your environment.

While Prisma Cloud provides actionable guidance directly to developers to improve remediation rates, unpatched and zero-day vulnerabilities are inevitable. To address this challenge and provide complete coverage, Prisma Cloud includes web application and API security (WAAS) and agents, both of which identify and protect applications from exploit attempts. By combining these integrated capabilities, Prisma Cloud customers can track and secure vulnerabilities from code to cloud.

![SCA Integration profile within CNAPP](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/09/word-image-33.png)

Image: Integrating web application and API security and agents to track and secure vulnerabilities from code to cloud.
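The "Limitless Dependency Scanning" and SBOM passages above describe the work in words. The following is an added illustration, not Prisma Cloud or Checkov code, of what a transitive scan with minimal version-bump suggestions has to do. It walks a constructed lockfile-style graph (the package names, the `EXAMPLE-2022-000N` advisory identifiers and the registry index are all made up for the example), flags every reachable package with an open advisory at any depth, picks the smallest published version that clears every advisory rather than the newest, and emits an SBOM-style inventory with license and findings attached. Version comparison is deliberately simplified to dotted integers; a real scanner needs a proper semver or PEP 440 parser.

```python
"""Transitive dependency scan with minimal version-bump suggestions (illustrative, constructed data)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

# Constructed lockfile-style graph of hypothetical packages:
# name -> resolved version, declared license, direct dependencies.
LOCKFILE = {
    "web-app":     {"version": "1.0.0", "license": "Proprietary", "deps": ["http-client", "logging"]},
    "http-client": {"version": "2.3.1", "license": "MIT",         "deps": ["url-parse"]},
    "logging":     {"version": "1.4.2", "license": "Apache-2.0",  "deps": ["json-encode"]},
    "json-encode": {"version": "3.1.0", "license": "MIT",         "deps": ["url-parse", "logging"]},  # cycle back
    "url-parse":   {"version": "0.9.0", "license": "MIT",         "deps": []},
}

# Constructed advisory feed: package, affected range [introduced, fixed), identifier, severity.
ADVISORIES = [
    ("url-parse",   "0.0.0", "0.9.3", "EXAMPLE-2022-0001", "HIGH"),
    ("logging",     "1.4.0", "1.4.5", "EXAMPLE-2022-0002", "CRITICAL"),
    ("json-encode", "3.0.0", "3.1.0", "EXAMPLE-2022-0003", "MEDIUM"),  # already fixed at the pinned 3.1.0
    ("url-parse",   "1.0.0", "1.0.1", "EXAMPLE-2022-0004", "LOW"),     # the newer line has its own bug
]

# Constructed registry index: versions that actually exist, so a suggested bump is installable.
AVAILABLE = {
    "url-parse":   ["0.9.0", "0.9.1", "0.9.3", "1.0.0", "1.0.1"],
    "logging":     ["1.4.2", "1.4.4", "1.4.5", "2.0.0"],
    "json-encode": ["3.0.0", "3.1.0"],
    "http-client": ["2.3.1"],
}


def parse_version(v: str) -> tuple[int, ...]:
    # Assumption: plain dotted numeric versions only.
    return tuple(int(part) for part in v.split("."))


def advisories_for(pkg: str, version: str) -> list[str]:
    """Identifiers of advisories whose [introduced, fixed) range contains this version."""
    v = parse_version(version)
    return [adv_id for name, introduced, fixed, adv_id, _sev in ADVISORIES
            if name == pkg and parse_version(introduced) <= v < parse_version(fixed)]


def minimal_fix(pkg: str, current: str) -> str | None:
    """Smallest published version above `current` that no advisory covers, or None."""
    cur = parse_version(current)
    for parsed, v in sorted((parse_version(v), v) for v in AVAILABLE.get(pkg, [])):
        if parsed > cur and not advisories_for(pkg, v):
            return v
    return None


def walk(root: str) -> dict[str, list[str]]:
    """BFS over the lockfile graph: each reachable package with its shortest path from root.
    The `paths` map doubles as the visited set, so the json-encode -> logging cycle terminates."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        for dep in LOCKFILE[name]["deps"]:
            if dep not in paths:
                paths[dep] = paths[name] + [dep]
                queue.append(dep)
    return paths


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    depth: int                 # 1 = direct dependency, 2+ = transitive
    path: tuple[str, ...]
    advisories: tuple[str, ...]
    fix: str | None


def scan(root: str) -> list[Finding]:
    """Flag every reachable package with an open advisory, at any depth, with a version bump."""
    findings = []
    for name, path in walk(root).items():
        if name == root:
            continue
        version = LOCKFILE[name]["version"]
        hits = advisories_for(name, version)
        if hits:
            findings.append(Finding(name, version, len(path) - 1, tuple(path),
                                    tuple(hits), minimal_fix(name, version)))
    return sorted(findings, key=lambda f: (f.depth, f.package))


def inventory(root: str) -> list[dict]:
    """SBOM-style component list: every package with license, open advisories and suggested fix."""
    return [{"name": name, "version": LOCKFILE[name]["version"], "license": LOCKFILE[name]["license"],
             "depth": len(path) - 1, "advisories": advisories_for(name, LOCKFILE[name]["version"]),
             "fix": minimal_fix(name, LOCKFILE[name]["version"])}
            for name, path in walk(root).items() if name != root]


if __name__ == "__main__":
    for f in scan("web-app"):
        print(f"{f.package}@{f.version} depth={f.depth} via {' > '.join(f.path)} "
              f"advisories={','.join(f.advisories)} bump_to={f.fix}")
```

Two things the run shows that the paragraph alone does not: `url-parse` is two levels deep and reachable through two different parents, yet it is reported once with its shortest path; and the suggested fix is `0.9.3`, not the newest `1.0.x` line, because that line carries its own advisory. The example proposes the bump only for the vulnerable package itself; in a real lockfile the parent's declared version range may not admit that bump, which is why fix suggestions have to be available at the parent layers as well.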
## Conclusion

With its proactive and integrated approach to addressing open source vulnerabilities and license compliance issues, [Prisma Cloud SCA](https://www.prismacloud.io/prisma/cloud/software-composition-analysis) gives developers the actionable insight they need to use only secure and compliant packages, and gives security teams the guardrails they need to enforce policies consistently. To learn more about Prisma Cloud's approach to SCA and see it in action, [register for our upcoming Meet the Experts live session](https://register.paloaltonetworks.com/prismacloudproductdeepdivesca).
Copyright © 2026 Palo Alto Networks. All Rights Reserved.