Software Composition Analysis

Proactively address open source vulnerabilities and license compliance issues with developer integrations and context-aware prioritization.

As vulnerabilities become more pervasive and elusive, organizations need a faster, easier and more seamless way to address open source risks. The blurring line between cloud-native infrastructure and application layers presents an opportunity to secure code at the source, embedded in DevOps tools. By taking a connected approach to open source security and compliance, organizations can minimize false positives, prioritize findings and keep code secure faster.

Cortex® Cloud makes it easy for developers to eliminate open source risks without slowing down.

By integrating into DevOps tools across code, build, deploy and runtime, Cortex Cloud proactively scans open source packages for vulnerabilities and license compliance issues. A data model that links code-level infrastructure and application weaknesses, resolution of the complete dependency tree, and granular version bump fixes set Cortex Cloud apart from other SCA solutions.
  • Single view into connected infrastructure and app risks
  • Integrated into developer tools and workflows
  • Full lifecycle security for packages and container images
  • Built on trusted sources
  • Developer-friendly integrations
  • Limitless dependency tree scanning
  • Version bump remediations
  • License analysis and audit reporting
  • Custom enforcement rules
SOLUTION

A Developer-First, Context-Aware Approach to Software Composition Analysis

Highly accurate and context-aware

Built on top of the most reputable vulnerability databases and connected to the industry’s most robust infrastructure policy database, Cortex Cloud Software Composition Analysis (SCA) surfaces vulnerabilities with the context developers need to understand risk and implement fixes fast. Cortex Cloud provides the breadth and depth of open source coverage you need to stop the next big vulnerability in its tracks:

  • Scan across languages and package managers with unmatched accuracy

    Identify vulnerabilities in open source packages with support for the most popular languages, cross-referencing more than 30 upstream data sources to minimize false positives.

  • Leverage industry-leading sources for complete open source security confidence

    Cortex Cloud scans open source dependencies wherever they are and compares them against public databases like NVD and the Cortex Cloud Intelligence Stream to identify vulnerabilities and surface important fix information.

  • Connect infrastructure and application risks

    Narrow in on vulnerabilities that are actually exposed within your codebase to combat false positives and prioritize remediations faster.

  • Identify vulnerabilities at any dependency depth

    Cortex Cloud ingests package manager data to resolve the full dependency tree, down to the deepest transitive dependency, and identify open source risk hidden from view.

  • Visualize and catalog your software supply chain

    The Supply Chain Graph provides a consolidated inventory of your pipelines and code. With a visualization of all these connections, as well as the ability to generate a software bill of materials (SBOM), it’s easier to keep track of application risk and understand your attack surface.


Fully integrated with flexible fixes

Only developers have the full context for how and where open source libraries are used, so making feedback accessible to them is the best way to get vulnerabilities patched. Leveraging Cortex Cloud’s native developer tool integrations and the extensibility of its CLI tools, SCA is fully integrated into developer workflows so vulnerabilities are surfaced at the right place at the right time:

  • Integrate open source security into developer tools and workflows

    Give developers the confidence to integrate new packages into their codebases with real-time vulnerability feedback via IDEs and VCS pull/merge requests.

  • Create and enforce custom policies throughout the lifecycle

    Integrate vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments and determine what software is blocked or permitted.

  • Fix issues without introducing breaking changes

    Get the smallest recommended update that fixes vulnerabilities in direct and transitive dependencies while minimizing the risk of breaking critical functions. Fix multiple issues at once with the flexibility of selecting granular versions per package.

  • Build out a software bill of materials

    Cortex Cloud locates dependencies in repositories, builds a software bill of materials (SBOM) and an infrastructure bill of materials (IBOM), and exports them in standard formats.
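A worked illustration of the two mechanisms described above (resolving the dependency tree to any depth, from “Identify vulnerabilities at any dependency depth”, and smallest-fix version bumps, from “Fix issues without introducing breaking changes”), written as an added example rather than Cortex Cloud’s own code: it parses an npm-style lockfile, walks every transitive path, matches installed versions against advisory ranges, and picks the lowest published version that clears every advisory for a package. The lockfile, package names, advisory IDs and registry version lists are all constructed for the example.

```python
"""Transitive dependency scan with smallest-fix version bumps.
Added example, not Cortex Cloud code; all data below is constructed."""
import json

# Constructed npm-style lockfile (lockfileVersion 3 layout); package names are fictional.
LOCKFILE_JSON = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"rest-server": "^4.18.0", "util-lib": "^2.1.0"}},
    "node_modules/rest-server": {"version": "4.18.2",
                                 "dependencies": {"query-parse": "^6.9.0", "form-parser": "^1.20.0"}},
    "node_modules/form-parser": {"version": "1.20.1", "dependencies": {"query-parse": "^6.9.0"}},
    "node_modules/query-parse": {"version": "6.9.4"},
    "node_modules/util-lib": {"version": "2.1.3"},
}})

# Constructed advisories: package -> [(vulnerable range, advisory id)]; a range is
# comma-separated comparators (>=, <=, >, <) that must all hold.
ADVISORIES = {
    "query-parse": [(">=6.0.0,<6.9.7", "EXAMPLE-2024-0001"), (">=6.0.0,<6.10.2", "EXAMPLE-2024-0002")],
    "util-lib": [("<2.0.0", "EXAMPLE-2023-0100")],
}

# Constructed registry view: versions published for each package.
AVAILABLE = {"query-parse": ["6.9.4", "6.9.7", "6.10.1", "6.10.2", "6.11.0", "7.0.0"],
             "util-lib": ["1.9.0", "2.0.0", "2.1.3"]}


def parse_version(version):
    """'6.10.2' -> (6, 10, 2); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, spec):
    """True when version satisfies every comparator in spec."""
    ver = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        op = clause[:2] if clause[:2] in (">=", "<=") else clause[:1]
        bound = parse_version(clause[len(op):])
        if not {">=": ver >= bound, "<=": ver <= bound, ">": ver > bound, "<": ver < bound}[op]:
            return False
    return True


def load_tree(lockfile_json):
    """Return (direct dependency names, installed version per package, dependency edges)."""
    direct, versions, edges = [], {}, {}
    for path, meta in json.loads(lockfile_json)["packages"].items():
        if path == "":                                   # the root project entry
            direct = list(meta.get("dependencies", {}))
            continue
        name = path.rsplit("node_modules/", 1)[1]        # also handles nested node_modules
        versions[name] = meta["version"]
        edges[name] = list(meta.get("dependencies", {}))
    return direct, versions, edges


def find_vulnerable(direct, versions, edges, advisories):
    """Depth-first walk from each direct dependency to any depth. Returns
    {(package, version, advisory): [paths]} so a transitive finding is traced
    back to every direct dependency that pulls it in."""
    findings = {}

    def walk(name, path):
        if name in path:                                 # cycle guard: npm permits circular deps
            return
        path = path + [name]
        for spec, advisory in advisories.get(name, []):
            if in_range(versions[name], spec):
                findings.setdefault((name, versions[name], advisory), []).append(path)
        for child in edges.get(name, []):
            walk(child, path)

    for dep in direct:
        walk(dep, [])
    return findings


def smallest_fix(package, current, advisories, available):
    """Lowest published version >= current that no advisory matches, scanning upward
    so a patch release wins over a new major. None if every candidate is affected."""
    current_v = parse_version(current)
    for candidate in sorted(available.get(package, []), key=parse_version):
        if parse_version(candidate) < current_v:
            continue
        if not any(in_range(candidate, spec) for spec, _ in advisories.get(package, [])):
            return candidate
    return None


def scan(lockfile_json, advisories=ADVISORIES, available=AVAILABLE):
    """Report each vulnerable package, every path that reaches it, and the smallest fix."""
    direct, versions, edges = load_tree(lockfile_json)
    report = []
    for (name, version, advisory), paths in sorted(find_vulnerable(direct, versions, edges, advisories).items()):
        report.append({"package": name, "version": version, "advisory": advisory,
                       "paths": [" > ".join(p) for p in paths],
                       "fix": smallest_fix(name, version, advisories, available)})
    return report


if __name__ == "__main__":
    for finding in scan(LOCKFILE_JSON):
        print(finding)
```

Running the script reports the vulnerable query-parse 6.9.4 twice (once per advisory), each traced through both paths that pull it in (rest-server directly and rest-server via form-parser), and recommends 6.10.2 for both: the lowest published version that clears every advisory, rather than the 7.0.0 major bump that would also clear them.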


OSS license compliance

Don’t wait until a manual compliance review to find out that an open source library isn’t compliant with your license usage requirements. Cortex Cloud catalogs open source licenses for dependencies and can alert or block deployments based on customizable license policies:

  • Avoid costly open source license violations

    Surface feedback early and block builds based on open source package license violations with support for all the popular languages and package managers.

  • Leverage default policies based on standard industry use

    Out-of-the-box policies come with opinionated levels of severity for common license types and pattern matching for nonstandard license type language to simplify determining acceptable use.

  • Create customized policies to enforce internal compliance requirements

    Set rules based on license type to match internal requirements for copyleft and permissive licenses. By blocking policy violations early via DevOps tools integrations, organizations avoid the headache of dealing with license noncompliance down the line.
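As an added example of how license policies of this kind are evaluated (not Cortex Cloud code), the script below classifies each component’s license, handles SPDX OR/AND expressions (a dual-licensed package is acceptable if any alternative is), falls back to pattern matching for nonstandard license text, and gates the build on a default policy that can be overridden for stricter internal requirements. The component names, versions, license strings, category map and pattern list are all constructed for the example.

```python
"""License policy evaluation over an SBOM-style component list.
Added example, not Cortex Cloud code; components, patterns and policy are constructed."""
import re

# Constructed component inventory with the license strings a scanner would collect.
COMPONENTS = [
    {"name": "rest-server", "version": "4.18.2", "license": "MIT"},
    {"name": "crypto-kit", "version": "1.4.0", "license": "Apache-2.0 OR GPL-3.0-only"},
    {"name": "db-driver", "version": "3.2.1", "license": "LGPL-2.1-only"},
    {"name": "report-gen", "version": "0.9.0", "license": "AGPL-3.0-only"},
    {"name": "text-utils", "version": "2.0.0", "license": "Released under the same terms as Perl itself"},
    {"name": "legacy-parser", "version": "1.0.0", "license": "See LICENSE.txt"},
]

# Canonical SPDX identifiers grouped by category (illustrative subset).
CATEGORY = {
    **dict.fromkeys(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"], "permissive"),
    **dict.fromkeys(["LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"], "weak-copyleft"),
    **dict.fromkeys(["GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"], "strong-copyleft"),
}

# Pattern matching for nonstandard license language; first match wins, so the
# more specific copyleft patterns come before the permissive catch-alls.
PATTERNS = [
    (re.compile(r"affero", re.I), "strong-copyleft"),
    (re.compile(r"lesser general public|\blgpl", re.I), "weak-copyleft"),
    (re.compile(r"gnu general public|\bgplv?\d", re.I), "strong-copyleft"),
    (re.compile(r"same terms as perl|artistic", re.I), "permissive"),   # Perl's Artistic/GPL dual license
    (re.compile(r"\bmit\b|\bbsd\b|apache", re.I), "permissive"),
]

# Default policy: action per category; "unknown" is text no pattern recognized.
POLICY = {"permissive": "allow", "weak-copyleft": "warn", "strong-copyleft": "block", "unknown": "warn"}
RANK = {"allow": 0, "warn": 1, "block": 2}


def categorize(license_text):
    """Category of one license term; a 'WITH exception' suffix keeps the base category."""
    base = license_text.split(" WITH ")[0].strip()
    if base in CATEGORY:
        return CATEGORY[base]
    for pattern, category in PATTERNS:
        if pattern.search(license_text):
            return category
    return "unknown"


def evaluate(expression, policy=POLICY):
    """Evaluate a flat SPDX expression (or free text) against policy.
    OR: the consumer may choose any alternative, so take the least restrictive.
    AND: every term binds, so take the most restrictive. Returns (action, category)."""
    best = None
    for alternative in re.split(r"\s+OR\s+", expression.strip("() ")):
        worst = None
        for term in re.split(r"\s+AND\s+", alternative):
            category = categorize(term)
            decision = (policy[category], category)
            if worst is None or RANK[decision[0]] > RANK[worst[0]]:
                worst = decision
        if best is None or RANK[worst[0]] < RANK[best[0]]:
            best = worst
    return best


def check_components(components, policy=POLICY):
    """Per-component decisions plus a build gate: any 'block' fails the build."""
    results = []
    for component in components:
        action, category = evaluate(component["license"], policy)
        results.append({"name": component["name"], "license": component["license"],
                        "category": category, "action": action})
    gate = "blocked" if any(r["action"] == "block" for r in results) else "passed"
    return results, gate


if __name__ == "__main__":
    for row in check_components(COMPONENTS)[0]:
        print(row)
    # A stricter internal policy that also blocks weak copyleft:
    print(check_components(COMPONENTS, {**POLICY, "weak-copyleft": "block"})[1])
```

With the default policy the build is blocked by the AGPL component alone: the dual-licensed crypto-kit passes on its Apache-2.0 alternative, the Perl-style free text is recognized as permissive, the LGPL driver and the unidentifiable “See LICENSE.txt” entry only warn. Overriding one category, as in the last line, is all it takes to express an internal rule such as blocking weak copyleft as well.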


Additional Application Security capabilities

INFRASTRUCTURE AS CODE SECURITY

Automated IaC security embedded in developer workflows

APPLICATION SECURITY POSTURE MANAGEMENT

Block risks from reaching production and quickly remediate issues at the source.

SOFTWARE SUPPLY CHAIN SECURITY

Harden your CI/CD pipelines, reduce your attack surface and protect your application development environment.

SECRETS SECURITY

Full-stack, multidimensional secrets scanning across repos and pipelines.