Introduction

While evaluating the security posture of an asset, it is important to identify all software packages present on the asset.

Qualys supports Software Composition Analysis (SwCA) scanning of assets. An SwCA scan discovers installed open-source software, libraries, and associated vulnerabilities on your asset. The SwCA scan identifies programming language-based software packages on the asset. For the list of supported languages, see the Supported Languages section.

With the SwCA feature, you can detect, manage, and proactively address the potential risk of software supply chain vulnerabilities in the production environment.

You can schedule a SwCA scan or launch the scan on demand. With the SwCA scan profile, you can define the scan scope, scan interval, and scan timeout.

The SwCA scan results are displayed in CyberSecurity Asset Management (CSAM). For details, see SwCA Scan Data in CyberSecurity Asset Management.

SwCA is supported only on Windows and Linux platforms and can be activated only when VM is activated for the agent.

This feature will be available only when the Windows and Linux agent binaries with SwCA scan support are available. For supported agent versions, refer to the Features by Agent Version section in the Cloud Agent Platform Availability Matrix.