Software Composition Analysis

Overview

Software Composition Analysis (SWCA) lets you assess the security posture of workloads that are not currently running or reachable by analyzing their configuration files at rest. Whether those files sit in cloud storage, a container registry, or an offline snapshot, SWCA detects misconfigurations and policy violations before the workload is deployed.

This passive, file-based approach complements traditional agent-based and scanner-based assessments, and supports pre-deployment security checks in CI/CD pipelines, container environments, and golden image validation processes.

Key Benefits:

  • Assess workloads without requiring live or running systems
  • Detect misconfigurations in VM images, containers, and offline assets
  • Automate security checks during DevOps workflows
  • Leverage Qualys Policy Compliance (PC) and File Integrity Monitoring (FIM) rules

Who Should Use This Guide?

  • DevSecOps and Cloud Security Engineers
  • Security Architects designing shift-left programs
  • Compliance Officers validating system hardening
  • Infrastructure and DevOps Teams managing VM templates and container images

Before You Begin

  • Access to the Qualys SWCA application within your subscription
  • Static configuration files available in a supported form (for example, a copy of /etc, application configuration directories, or Windows registry exports)
  • Optional: Cloud storage integrations or container registry access configured
  • Relevant compliance policies or rulesets available in the Qualys platform

What You’ll Learn

  • Understanding SWCA architecture and workflow
  • Creating and uploading a configuration snapshot or workload package
  • Assigning policies for assessment
  • Viewing and interpreting scan results in the Qualys UI
  • Integrating with DevOps pipelines and third-party tools
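The page does not describe what a configuration snapshot contains or how its integrity is checked before upload. As an added example (not Qualys code, and not the package format SWCA expects), the Python script below captures a configuration tree into a tar.gz with a JSON manifest of SHA-256 hashes, modes and ownership, keeps sensitive files such as shadow and sudoers out of the archive while still recording their permissions, verifies that the archive matches its manifest, and diffs two manifests to report FIM-style drift. The archive layout, the snapshot_format tag, the redaction list and the sample tree are all assumptions of this example.

```python
# Added example, not Qualys code: the archive layout (files/ tree plus manifest.json),
# the snapshot_format tag and the redaction list are this example's own assumptions.
import hashlib
import io
import json
import os
import stat
import tarfile
import tempfile
from pathlib import Path

# Files whose contents must never leave the host: only mode/owner/size are recorded,
# which is still enough for permission and ownership checks.
REDACT_PREFIXES = ("shadow", "gshadow", "sudoers", "ssh_host_")

# Constructed sample tree standing in for /etc; not data from any real host.
SAMPLE_FILES = {
    "ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "hosts": b"127.0.0.1 localhost\n",
    "shadow": b"root:*:19000:0:99999:7:::\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def build_manifest(root) -> dict:
    """Hash and metadata of every regular file under root; symlinks are skipped."""
    root, files = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        rel, st = path.relative_to(root).as_posix(), path.lstat()
        entry = {"mode": f"{stat.S_IMODE(st.st_mode):04o}", "uid": st.st_uid,
                 "gid": st.st_gid, "size": st.st_size,
                 "content_included": not path.name.startswith(REDACT_PREFIXES)}
        if entry["content_included"]:
            entry["sha256"] = sha256_hex(path.read_bytes())
        files[rel] = entry
    return {"snapshot_format": "example-config-snapshot/1", "files": files}


def write_snapshot(root, out_path) -> dict:
    """Write a tar.gz holding non-redacted files under files/ plus manifest.json."""
    manifest = build_manifest(root)
    with tarfile.open(out_path, "w:gz") as tar:
        for rel, entry in manifest["files"].items():
            if entry["content_included"]:
                tar.add(Path(root) / rel, arcname=f"files/{rel}")
        blob = json.dumps(manifest, indent=2, sort_keys=True).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def verify_snapshot(snapshot_path) -> list:
    """Problems found in the archive; an empty list means it matches its manifest."""
    problems = []
    with tarfile.open(snapshot_path, "r:gz") as tar:
        names = set(tar.getnames())
        manifest = json.load(tar.extractfile("manifest.json"))
        for rel, entry in manifest["files"].items():
            member = f"files/{rel}"
            if not entry["content_included"]:
                if member in names:
                    problems.append(f"{rel}: redacted file leaked into archive")
            elif member not in names:
                problems.append(f"{rel}: in manifest but missing from archive")
            elif sha256_hex(tar.extractfile(member).read()) != entry["sha256"]:
                problems.append(f"{rel}: content hash mismatch")
    return problems


def diff_manifests(old: dict, new: dict) -> dict:
    """FIM-style drift report: paths whose hash or metadata differ between snapshots."""
    changed = {}
    for rel in sorted(set(old["files"]) | set(new["files"])):
        a, b = old["files"].get(rel), new["files"].get(rel)
        if a != b:
            changed[rel] = "added" if a is None else "removed" if b is None else "modified"
    return changed


def run_demo() -> dict:
    """Snapshot the constructed tree, verify the archive, then detect drift after tampering."""
    base = Path(tempfile.mkdtemp(prefix="swca-example-"))
    root = base / "etc"
    for rel, content in SAMPLE_FILES.items():
        _write(root / rel, content)
    os.chmod(root / "shadow", 0o600)
    manifest = write_snapshot(root, base / "snapshot.tar.gz")
    problems = verify_snapshot(base / "snapshot.tar.gz")
    # Simulated drift: weaken sshd_config and drop in an unexpected cron job.
    _write(root / "ssh/sshd_config", b"PermitRootLogin yes\n")
    _write(root / "cron.d/nightly", b"* * * * * root /tmp/x\n")
    return {"manifest": manifest, "problems": problems,
            "drift": diff_manifests(manifest, build_manifest(root))}
```

Calling run_demo() builds the snapshot in a temporary directory, confirms verify_snapshot() reports no problems, and returns a drift report showing ssh/sshd_config as modified and cron.d/nightly as added. Recording mode, uid and gid for every file, including the redacted ones, is what lets permission and ownership rules be evaluated against a package that never contained the secret material; the manifest is also the natural input for a later integrity comparison.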

Deployment Highlights

  • No agent on the target and no live connectivity to it required; the configuration files are supplied to the platform instead
  • Works with Linux, Windows, and container workload configurations
  • Integrates with CI/CD tools via API and file upload workflows
  • Supports security automation and golden image validation

Need Help?

For onboarding support, advanced policy mapping, or pipeline integration help, contact your Qualys Technical Account Manager or visit the Qualys Community. For technical troubleshooting, reach out to Qualys Support.