Software Composition Analysis

Proactively address open source vulnerabilities and license compliance issues with developer integrations and context-aware prioritization.

As vulnerabilities become more pervasive and elusive, organizations need a faster, easier and more seamless way to address open source risks. The blurring line between cloud-native infrastructure and application layers presents an opportunity to secure code at the source, embedded in DevOps tools. By taking a connected approach to open source security and compliance, organizations can minimize false positives, prioritize findings and keep code secure faster.

Read about Unit 42’s research on vulnerabilities in open source code.

Prisma Cloud makes it easy for developers to eliminate open source risks without slowing down.

By integrating into DevOps tools and across code, build, deploy and runtime, Prisma Cloud proactively scans open source packages for vulnerabilities and license compliance issues. Three things set it apart from other SCA solutions: a data model that connects code-level infrastructure and application weaknesses, complete dependency extrapolation, and granular version bump fixes.
  • Single view into connected infrastructure and app risks
  • Integrated into developer tools and workflows
  • Full lifecycle security for packages and container images
  • Built on trusted sources
  • Developer-friendly integrations
  • Limitless dependency tree scanning
  • Version bump remediations
  • License analysis and audit reporting
  • Custom enforcement rules


A Developer-First, Context-Aware Approach to Software Composition Analysis

Highly accurate and context-aware

Built on top of the most reputable vulnerability databases and connected to the industry’s most robust infrastructure policy database, Prisma Cloud Software Composition Analysis (SCA) surfaces vulnerabilities with the context developers need to understand risk and implement fixes fast. Prisma Cloud provides the breadth and depth of open source coverage you need to stop the next big vulnerability in its tracks:

  • Scan across languages and package managers with unmatched accuracy

    Identify vulnerabilities in open source packages with support for all the most popular languages and more than 30 upstream data sources to minimize false positives.

  • Leverage industry-leading sources for complete open source security confidence

    Prisma Cloud scans open source dependencies wherever they are and compares them against public databases like NVD and the Prisma Cloud Intelligence Stream to identify vulnerabilities and surface important fix information.

  • Connect infrastructure and application risks

    Narrow in on vulnerabilities that are actually exposed within your codebase to combat false positives and prioritize remediations faster.

  • Identify vulnerabilities at any dependency depth

    Prisma Cloud ingests package manager data to extrapolate dependency trees to the furthest layer to identify open source risk hidden from view.

  • Visualize and catalog your software supply chain

    The Supply Chain Graph provides a consolidated inventory of your pipelines and code. With a visualization of all these connections, as well as the ability to generate a software bill of materials (SBOM), it’s easier to keep track of application risk and understand your attack surface.


Fully integrated with flexible fixes

Only developers have the full context for how and where open source libraries are used, so making feedback accessible to them is the best way to get vulnerabilities patched. Leveraging Prisma Cloud’s native developer tool integrations and extensibility of our CLI tools, SCA is fully integrated into developer workflows so vulnerabilities are surfaced at the right place at the right time:

  • Integrate open source security into developer tools and workflows

    Give developers the confidence to integrate new packages into their codebases with real-time vulnerability feedback via IDEs and VCS pull/merge requests.

  • Create and enforce custom policies throughout the lifecycle

    Integrate vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments and determine what software is blocked or permitted.

  • Fix issues without introducing breaking changes

    Get the recommended smallest update to fix vulnerabilities in direct and transitive dependencies without the risk of breaking critical functions. Fix multiple issues at once with the flexibility of selecting granular versions per package.

  • Build out a software bill of materials

    Prisma Cloud will locate dependencies in repositories, build a software bill of materials (SBOM) and infrastructure bill of materials (IBOM), and export them in the standard formats.

Part of the CNAPP

The only way to ensure complete coverage when securing cloud-native applications is to scan for vulnerabilities at each layer and step of the development lifecycle. SCA is just one component of Prisma Cloud’s Cloud-Native Application Protection Platform that identifies risk from code to cloud.

  • Identify risks in code as developers are building and testing software

    Check open source packages and images for vulnerabilities and compliance issues across repositories like GitHub and registries such as Docker, Quay, Artifactory and others.

  • Lock down deployments to vetted images

    Leverage Prisma Cloud image scanning and container sandbox analysis to identify and block malicious images and only allow safe images to reach production.

  • Prevent activity across any runtime environment

    Manage runtime policies all from a centralized console to ensure security is always present as part of every deployment. Mapping of incidents to the MITRE ATT&CK framework, along with detailed forensics and rich metadata, helps SOC teams track threats for ephemeral cloud-native workloads.

  • Context-aware runtime security

    Detect and prevent misconfigurations and vulnerabilities that lead to data breaches and compliance violations in runtime with complete cloud asset inventory, configuration assessments, automated remediations and more.

OSS license compliance

Don’t wait until a manual compliance review to find out that an open source library isn’t compliant with your license usage requirements. Prisma Cloud catalogs open source licenses for dependencies and can alert or block deployments based on customizable license policies:

  • Avoid costly open source license violations

    Surface feedback early and block builds based on open source package license violations with support for all the popular languages and package managers.

  • Leverage default policies based on standard industry use

    Out-of-the-box policies come with opinionated levels of severity for common license types and pattern matching for nonstandard license type language to simplify determining acceptable use.

  • Create customized policies to enforce internal compliance requirements

    Set rules based on license type to match internal requirements for copyleft and permissive licenses. By blocking policy violations early via DevOps tools integrations, organizations avoid the headache of dealing with license noncompliance down the line.
