# Software Composition Analysis

Proactively address open source vulnerabilities and license compliance issues with developer integrations and context-aware prioritization.

[Request a demo](https://www.paloaltonetworks.com/cortex/cloud/trial?ts=markdown)

## As vulnerabilities become more pervasive and elusive, organizations need a faster, easier and more seamless way to address open source risks.

The blurring line between cloud-native infrastructure and application layers presents an opportunity to secure code at the source, embedded in DevOps tools.
By taking a connected approach to open source security and compliance, organizations can minimize false positives, prioritize findings and keep code secure faster.

### Cloud-native applications depend on open source

Open source software is a huge component of cloud-native applications, giving developers a head start when building new features without reinventing the wheel. For all its benefits, however, third-party open source software poses security and compliance risks that need to be addressed as part of any cloud-native security program.

### Dependency sprawl breeds risk

Open source software comprises many layers of package dependencies, making it challenging to know where and how pieces of OSS are being used across the application stack. What's more, vulnerabilities are often buried in transitive packages. Keeping track of those vulnerabilities and licenses requires a continuous and integrated approach.

### Siloed security tooling causes coverage gaps

Without the full context of an application's infrastructure, it's hard to determine whether an identified vulnerability is actually exposed within the application or presents a low risk. By connecting application and infrastructure security findings, vulnerabilities are surfaced in the context of the entire codebase, allowing for better prioritization and faster fixes.

## Cortex® Cloud makes it easy for developers to eliminate open source risks without slowing down.

By integrating into DevOps tools and across code, build, deploy and runtime, Cortex Cloud proactively scans open source packages for vulnerabilities and license compliance issues. Cortex Cloud's data model, which connects code-level infrastructure and application weaknesses, its complete dependency extrapolation and its granular version bump fixes set it apart from other SCA solutions.
* Single view into connected infrastructure and app risks
* Integrated into developer tools and workflows
* Full lifecycle security for packages and container images

* Built on trusted sources
* Developer-friendly integrations
* Limitless dependency tree scanning
* Version bump remediations
* License analysis and audit reporting
* Custom enforcement rules

## A Developer-First, Context-Aware Approach to Software Composition Analysis

### Highly accurate and context-aware

Built on top of the most reputable vulnerability databases and connected to the industry's most robust infrastructure policy database, Cortex Cloud Software Composition Analysis (SCA) surfaces vulnerabilities with the context developers need to understand risk and implement fixes fast.
Cortex Cloud provides the breadth and depth of open source coverage you need to stop the next big vulnerability in its tracks:

#### Scan across languages and package managers with unmatched accuracy

Identify vulnerabilities in open source packages with support for all the most popular languages and more than 30 upstream data sources to minimize false positives.

#### Leverage industry-leading sources for complete open source security confidence

Cortex Cloud scans open source dependencies wherever they are and compares them against public databases like NVD and the Cortex Cloud Intelligence Stream to identify vulnerabilities and surface important fix information.

#### Connect infrastructure and application risks

Zero in on vulnerabilities that are actually exposed within your codebase to combat false positives and prioritize remediations faster.

#### Identify vulnerabilities at any dependency depth

Cortex Cloud ingests package manager data to extrapolate dependency trees to the furthest layer, identifying open source risk hidden from view.

#### Visualize and catalog your software supply chain

The Supply Chain Graph provides a consolidated inventory of your pipelines and code. With a visualization of all these connections as well as the ability to generate a software bill of materials (SBOM), it's easier to keep track of application risk and understand your attack surface.

![Infrastructure-Aware](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/sca/sca-highly-accurate-and-context-aware.png)

### Fully integrated with flexible fixes

Only developers have the full context for how and where open source libraries are used, so making feedback accessible to them is the best way to get vulnerabilities patched.
Leveraging Cortex Cloud's native developer tool integrations and the extensibility of our CLI tools, SCA is fully integrated into developer workflows so vulnerabilities are surfaced at the right place at the right time:

#### Integrate open source security into developer tools and workflows

Give developers the confidence to integrate new packages into their codebases with real-time vulnerability feedback via IDEs and VCS pull/merge requests.

#### Create and enforce custom policies throughout the lifecycle

Integrate vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments and determine what software is blocked or permitted.

#### Fix issues without introducing breaking changes

Get the recommended smallest update to fix vulnerabilities in direct and transitive dependencies without the risk of breaking critical functions. Fix multiple issues at once with the flexibility of selecting granular versions per package.

#### Build out a software bill of materials

Cortex Cloud locates dependencies in repositories, builds a software bill of materials (SBOM) and infrastructure bill of materials (IBOM), and exports them in the standard formats.

![Fully integrated with flexible fixes](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/sca/GHSCA.png)

### OSS license compliance

Don't wait until a manual compliance review to find out that an open source library isn't compliant with your license usage requirements. Cortex Cloud catalogs open source licenses for dependencies and can alert or block deployments based on customizable license policies:

#### Avoid costly open source license violations

Surface feedback early and block builds based on open source package license violations with support for all the popular languages and package managers.
#### Leverage default policies based on standard industry use

Out-of-the-box policies come with opinionated severity levels for common license types and pattern matching for nonstandard license language, simplifying the determination of acceptable use.

#### Create customized policies to enforce internal compliance requirements

Set rules based on license type to match internal requirements for copyleft and permissive licenses. By blocking policy violations early via DevOps tool integrations, organizations avoid the headache of dealing with license noncompliance down the line.

![OSS license compliance](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/sca/OSS-License-Compliance-Checkov-Placeholder.png)

## Additional Application Security capabilities

### INFRASTRUCTURE AS CODE SECURITY

Automated IaC security embedded in developer workflows. [Learn more](https://www.paloaltonetworks.com/cortex/cloud/infrastructure-as-code-security?ts=markdown)

### APPLICATION SECURITY POSTURE MANAGEMENT

Block risks from reaching production and quickly remediate issues at the source. [Learn more](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown)

### SOFTWARE SUPPLY CHAIN SECURITY

Harden your CI/CD pipelines, reduce your attack surface and protect your application development environment. [Learn more](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown)

### SECRETS SECURITY

Full-stack, multidimensional secrets scanning across repos and pipelines.
[Learn more](https://www.paloaltonetworks.com/cortex/cloud/secrets-security?ts=markdown)
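The SCA capabilities this page describes, resolving the full dependency tree, tracing a vulnerable transitive package back to the direct dependency that pulls it in, recommending the smallest non-breaking version bump, enforcing a copyleft license policy and emitting an SBOM, as one added Python example. This is constructed illustration code, not Cortex Cloud's scanner or its data model: the lockfile, the advisory identifiers (`EXAMPLE-ADV-...`), the release lists and the licenses are all made up, and the "non-breaking" rule is the semver assumption that a bump within the same major version is safe.

```python
"""Constructed SCA walkthrough (not Cortex Cloud's code).

Resolves a lockfile into a dependency tree of unbounded depth, matches each
node against advisories, picks the smallest fix version, evaluates a license
policy and produces an SBOM-style inventory.  Every package, version,
advisory id and license below is made up for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed lockfile: package -> (resolved version, license, direct deps).
LOCKFILE = {
    "web-app":    ("1.0.0", "Proprietary", ["http-kit", "yaml-load", "left-pad"]),
    "http-kit":   ("2.3.1", "MIT", ["url-parse"]),
    "url-parse":  ("1.4.7", "MIT", []),
    "yaml-load":  ("3.2.0", "GPL-3.0-only", ["deep-merge"]),
    "deep-merge": ("0.9.2", "MIT", []),
    "left-pad":   ("1.3.0", "MIT", []),
}

# Constructed advisories: package -> [(vulnerable below, fixed in, advisory id)].
ADVISORIES = {
    "url-parse":  [("1.5.0", "1.5.0", "EXAMPLE-ADV-001")],
    "deep-merge": [("1.0.0", "1.0.0", "EXAMPLE-ADV-002")],
}

# Constructed list of versions published upstream, used to pick the smallest fix.
RELEASES = {
    "url-parse":  ["1.4.7", "1.5.0", "1.5.3", "2.0.0"],
    "deep-merge": ["0.9.2", "1.0.0", "1.1.0"],
}

# Policy assumption: copyleft licenses are blocked for this (distributed) app.
BLOCKED_LICENSE_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    direct_dependency: str   # the top-level package that pulls this one in
    depth: int               # 1 = direct dependency, 2+ = transitive
    fix_version: Optional[str]
    breaking: bool           # True when the fix crosses a major version


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def resolve_tree(root: str, lock=LOCKFILE) -> dict:
    """Return {package: path from root}; depth is unbounded, cycles are guarded."""
    paths = {}
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        if name in paths:          # already resolved (or a cycle)
            continue
        paths[name] = path
        for dep in lock[name][2]:
            stack.append((dep, path + [dep]))
    return paths


def smallest_fix(name, current, fixed_in, releases=RELEASES):
    """Smallest published release >= fixed_in, preferring the same major version."""
    candidates = sorted((r for r in releases.get(name, [])
                         if parse_version(r) >= parse_version(fixed_in)),
                        key=parse_version)
    if not candidates:
        return None, True
    same_major = [r for r in candidates
                  if parse_version(r)[0] == parse_version(current)[0]]
    return (same_major[0], False) if same_major else (candidates[0], True)


def find_vulnerabilities(root, lock=LOCKFILE, advisories=ADVISORIES, releases=RELEASES):
    findings = []
    for name, path in resolve_tree(root, lock).items():
        version = lock[name][0]
        for vulnerable_below, fixed_in, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(vulnerable_below):
                fix, breaking = smallest_fix(name, version, fixed_in, releases)
                findings.append(Finding(name, version, adv_id,
                                        path[1] if len(path) > 1 else name,
                                        len(path) - 1, fix, breaking))
    return findings


def license_violations(root, lock=LOCKFILE, blocked=BLOCKED_LICENSE_PREFIXES):
    """(package, license, direct dependency) for every dependency with a blocked license."""
    return [(name, lock[name][1], path[1])
            for name, path in resolve_tree(root, lock).items()
            if name != root and lock[name][1].startswith(blocked)]


def scan(root, lock=LOCKFILE):
    """Full pass: SBOM-style inventory, vulnerability findings, license violations, gate."""
    tree = resolve_tree(root, lock)
    sbom = sorted((n, lock[n][0], lock[n][1]) for n in tree if n != root)
    findings = find_vulnerabilities(root, lock)
    violations = license_violations(root, lock)
    return {"sbom": sbom, "findings": findings, "violations": violations,
            "block_build": bool(findings) or bool(violations)}


if __name__ == "__main__":
    report = scan("web-app")
    for f in report["findings"]:
        print(f"{f.advisory}: {f.package}@{f.version} via {f.direct_dependency} "
              f"(depth {f.depth}) -> bump to {f.fix_version}"
              f"{' (major bump, review needed)' if f.breaking else ''}")
    for name, lic, via in report["violations"]:
        print(f"license policy: {name} is {lic} (pulled in by {via})")
    print("block build:", report["block_build"])
```

Run as a script it reports two transitive findings, each traced to the direct dependency that brought it in, one of which can only be fixed by crossing a major version (the case the page's "without introducing breaking changes" bullet is about, and the one a reviewer should look at by hand), plus one copyleft violation, so the gate blocks the build.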
Copyright © 2025 Palo Alto Networks. All Rights Reserved