Software Composition Analysis with Code Security

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter

By Carlos Martins Jr., Customer Success Engineer


The software development landscape is always changing. New languages come and go, development speed is always increasing and security practices evolve daily. In such a fast paced corner of the industry, software developers are finding more and more that addressing security and compliance issues earlier on in the development process is their best chance for smooth sailing and success. At Palo Alto Networks, we believe in the “Shift Left Security” approach to development, which can be simply described as scanning your IaC and software packages before they’re deployed into a test environment. Shift Left Security places a focus on catching compliance and vulnerability issues during the initial development stages of a project, thus preventing the scenario of a security measure being missed in production. 


Software Composition Analysis (SCA) is a concept that helps the “Shift Left Security'' approach reach its potential. SCA provides a deep analysis of open source packages in use by an application. SCA highlights vulnerabilities and licenses in dependencies for risk and compliance assessments, and it can generate a software bill of materials (SBOM) of all resources to share with internal stakeholders and external customers. The graphic below shows a high level view of where SCA falls in the development process. In practice, SCA becomes an integral part of the development pipeline, regularly checking code for licensing issues and vulnerabilities in dependencies throughout the code base.





Our Prisma Cloud Code Security offering now features SCA as a part of the standard scanning procedure performed on any supported IaC repository. If you’re wondering how these SCA features can benefit you and your organization, let's take a look at how Prisma Cloud Code Security provides you with results.

Software Composition Analysis and Developers


In a real world scenario, developers are going to use a mix of closed and open source packages in their work, depending on what they are trying to accomplish. In a situation where open source packages are used, there are some things to take into consideration. Open source packages are often maintained and owned by a third party, many of which will vary widely in their sense of responsibility for updating and maintaining their packages. Many of these third parties also have open source licenses associated with their packages which dictate in legal terms how their software can or can not be used or distributed. (You can learn more about open source licenses here: These responsibilities and considerations are then passed on to a company's developers, leaving them with decisions to make on how to best move forward with software package updates and licensing obligations. 


Prisma Cloud Code Security scans can take the leg work out of determining what licenses and vulnerabilities your developers need to worry about in their IaC files. Let’s take a look at some of the information you can get out of the SCA scans. 


The images below are examples of the “Projects” section of the Code Security UI, showing license and vulnerability results from a scan of my “supplygoat” repository in Github. In the first image you can see multiple scan results including vulnerable packages and license considerations found during the SCA portion of the IaC scan.





Let’s take a closer look at “aiohttp v3.7.4” in the image below. We can see that the scan identified this package as having a vulnerability with a high risk level and has a fix available. The developer is provided information about the vulnerability, including the date the vulnerability was published, risk factors involved and if it has a fix. This information is shown on the right side of the UI, alongside the larger list of results, so you can easily go down the list to consider or address each identified issue with all relevant details on display.




The “mysqlclient:2.1.0” package in the image below, shows how the scan provides information about open source licenses. The scan provides the license type, whether or not the license is compliant, which organizations have approved the license, and root or dependency package identification. This information can tell developers exactly what they need to look for with regards to licensing requirements, as well as whether or not it’s a dependency of some other package in the code base.




Another function of SCA is the Software Bill of Materials (SBOM). The SBOM lists details about the package version as well as known vulnerabilities and licenses for each component in use. An SBOM is very handy for getting the information to a wider audience who might not have access to Prisma Cloud Code Security. Using Python as an example, the SBOM will include all the packages listed in import statements, such as “httplib2”, along with the version number, discovered vulnerabilities and licenses for each package. Prisma Cloud Code Security allows users to download an SBOM in either CycloneDX or CSV format. You can find the option to generate an SBOM in the “Supply Chain” section of the Code Security UI. The SBOM generator will open as shown in the image below, giving the user the option to choose which repository they want, what format and which types of materials to list. Click “Download” and the relevant files will be saved to the user’s computer.





How Does SCA Scanning Fit Into Your DevOps Pipeline?


The answer to this question is simple. It becomes an integral step in the IaC code scans, wherever they are integrated in your CI/CD process! Where you implement IaC scanning in your process is flexible, but there are several options and recommendations available to make it easier for everyone. 


Prisma Cloud Code Security offers a wide variety of ways to integrate Code Security with your existing development environments. This includes directly integrating with SCM tools such as Github, Gitlab, Bitbucket, Azure Repos, etc. This type of integration provides you with a regular scan of the entire chosen repository. 


Developers might also want to add IaC scanning as a step in a development pipeline such as a Jenkins pipeline or a CircleCI job. We offer several integration options for CI/CD tools that allow developers to make IaC scans a regular part of their development process, automatically scanning and storing results from each CI build for compliance, audit or regulation purposes. This is where SCA results can make a significant difference and put the information in front of the relevant parties.


Developers also have the added benefit of using standalone scanning tools such as Checkov, Bridgecrew CLI and the IDE extensions for VScode and IntelliJ. These tools can be leveraged on the developer desktop to perform ad-hoc scans of local code before it even reaches the CI steps of development. These features shift security as far left as it can reasonably go in any organization.



If you’re looking for a way to cut down on vulnerabilities, misconfigurations and licensing issues in your IaC code, Prisma Cloud Code Security is going to make all the difference. With several features like the ones provided by Code Security’s SCA, developers are given the ability to make critical decisions about how they create and maintain all future IaC projects. Not only can they make these decisions, but they can make them earlier than ever before. In my personal opinion, the features offered by Code Security are ultimately geared towards saving developers and their organizations time. Time that would otherwise be spent revisiting months of work such as: coding that leveraged an open source package with an incredibly restrictive license associated with it or a highly vulnerable package that hasn’t been updated in over a year! 

That time can be spent instead on moving projects forward with fewer roadblocks and misconfigurations. It will help save time on large projects, implementation and troubleshooting, which ultimately saves the company money. What organization doesn’t like to save time and money? 




If you are interested in learning more about Prisma Cloud Code Security and Software Composition Analysis, check out these links:




L0 Member

Hi, thank you for the article.


I would like to know if SCA can work in an on-prem environment not normally reachable from outside the corporate network.  Presuming that we could have our network team allow whitelisted traffic inbound, would this solution be viable?



L0 Member

Hi @CPeters13 


It sounds like you might benefit from the Network Tunnel Transporter. This would allow you to scan your local VCS on-prem and get the results back up to Prisma Cloud without having to open your local VCS to internet traffic:


Hope that helps!

Register or Sign-in
Top Liked Authors