Manage and Activate Software Composition Analysis (SCA) Scan

Software composition refers to the use of open-source and third-party libraries within applications. Software Composition Analysis (SCA) is a core capability in Qualys TotalCloud, identifying vulnerabilities, licensing risks, and security weaknesses in open-source components and third-party libraries. It provides continuous visibility into the software supply chain to strengthen workload integrity and compliance.

By integrating SCA into Snapshot-Based Assessments, you can detect risks in open-source packages without impacting live environments, ensuring that all workloads align with secure development and deployment practices.

Benefits of SCA Scan

  • Detects vulnerabilities in open-source and third-party dependencies.
  • Improves compliance with open-source licensing and security standards.
  • Increases visibility into software packages across cloud environments.
  • Reduces exposure from outdated, unmaintained, or insecure libraries.

Set Up SCA Scan with AWS Snapshot-Based Scan

You need an existing or new AWS connector to enable SCA Scan within an AMI or Snapshot-Based Scan.

  1. Create a new AWS connector or edit an existing one.
  2. Go to the Tags and Activation section and select Enable SCA under the Enable Zero-touch Snapshot Based Scan checkbox.
    Tags and Activation section screenshot
  3. In the snapshot-based scan settings for service accounts, set the SCA parameter to Enabled. For more information about service account configuration, see Snapshot-Based Scan.
  4. Specify include directories and exclude directories to define the scope of analysis. By default, all directories are scanned.
  5. Adjust the SCA Scan Timeout (default: 120 seconds) according to workload size.
  6. Review detected open-source risks in the SCA Findings section in TotalCloud.
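The include/exclude directory scope and the scan timeout in steps 4 and 5 are the two settings that most affect what an SCA pass actually covers. The script below is an added illustration, not Qualys code and not how the TotalCloud engine is implemented: it walks a constructed in-memory listing of a mounted snapshot, keeps only paths inside the include directories and outside the exclude directories, locates dependency manifests, parses pinned versions out of a `requirements.txt`, matches them against a constructed advisory table (placeholder advisory IDs, constructed package/version pairs), and stops with a `timed_out` flag when the budget is exhausted. The manifest names, `ScaScope`, `scan`, and the advisory table are all assumptions made for the example.

```python
"""Illustrative SCA scope filter and manifest matcher for a snapshot listing.

Added example, not Qualys's engine. Everything below (manifest names,
advisory table, snapshot contents) is constructed for demonstration.
"""
from __future__ import annotations

import re
import time
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Manifest file names the example treats as dependency inventories (assumption).
MANIFEST_NAMES = {
    "requirements.txt", "package.json", "package-lock.json",
    "pom.xml", "go.mod", "Gemfile.lock",
}


@dataclass
class ScaScope:
    """Mirrors the three settings from the procedure: include, exclude, timeout."""
    include_dirs: list[str] = field(default_factory=list)  # empty => all directories
    exclude_dirs: list[str] = field(default_factory=list)
    timeout_seconds: int = 120  # default named on the page

    @staticmethod
    def _under(path: str, dirs: list[str]) -> bool:
        p = PurePosixPath(path)
        return any(p == PurePosixPath(d) or PurePosixPath(d) in p.parents for d in dirs)

    def in_scope(self, path: str) -> bool:
        # Include list narrows the tree first; exclude list then carves holes in it.
        if self.include_dirs and not self._under(path, self.include_dirs):
            return False
        return not self._under(path, self.exclude_dirs)


def find_manifests(paths, scope: ScaScope) -> list[str]:
    """Return in-scope paths whose file name is a known manifest, sorted for determinism."""
    return sorted(p for p in paths if scope.in_scope(p) and PurePosixPath(p).name in MANIFEST_NAMES)


# Only exact pins (name==version) are considered; ranges are skipped on purpose.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_requirements(text: str) -> dict[str, str]:
    """Map lower-cased package name -> pinned version, ignoring comments and ranges."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = REQ_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


# Constructed advisory table: (package, affected version) -> placeholder advisory id.
CONSTRUCTED_ADVISORIES = {
    ("requests", "2.19.0"): "EXAMPLE-ADVISORY-1",
    ("pyyaml", "5.1"): "EXAMPLE-ADVISORY-2",
}


def match_findings(pins: dict[str, str]) -> list[tuple[str, str, str]]:
    return sorted(
        (name, ver, CONSTRUCTED_ADVISORIES[(name, ver)])
        for name, ver in pins.items() if (name, ver) in CONSTRUCTED_ADVISORIES
    )


def scan(snapshot_files: dict[str, str], scope: ScaScope) -> dict:
    """Scan a {path: content} snapshot listing within scope and the timeout budget."""
    deadline = time.monotonic() + scope.timeout_seconds
    scanned, findings, timed_out = [], [], False
    for path in find_manifests(snapshot_files, scope):
        if time.monotonic() >= deadline:  # budget spent: report partial coverage honestly
            timed_out = True
            break
        scanned.append(path)
        if PurePosixPath(path).name == "requirements.txt":
            for f in match_findings(parse_requirements(snapshot_files[path])):
                findings.append((path, *f))
    return {"scanned": scanned, "findings": findings, "timed_out": timed_out}


# Constructed snapshot listing: path -> file content.
SNAPSHOT = {
    "/opt/app/requirements.txt": "requests==2.19.0\npyyaml==5.1  # pinned\nflask==2.0.3\n",
    "/opt/app/node_modules/left-pad/package.json": "{}",
    "/home/dev/scratch/requirements.txt": "requests==2.19.0\n",
    "/etc/hostname": "web-1\n",
}

if __name__ == "__main__":
    scope = ScaScope(include_dirs=["/opt/app"], exclude_dirs=["/opt/app/node_modules"])
    print(scan(SNAPSHOT, scope))
    print(scan(SNAPSHOT, ScaScope()))  # default scope: every directory
```

Running it with the narrowed scope reports only the application manifest and its two matches; the default scope additionally walks the vendored `node_modules` manifest and the developer's scratch copy, which is exactly the extra (often noisy) coverage an exclude list is meant to trim. A too-small timeout surfaces as `timed_out: True` with an incomplete `scanned` list rather than as a silently clean result, which is the behaviour to look for when sizing the timeout to a workload.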

SCA Scan enhances software supply chain security by delivering visibility into open-source risks. Its integration with snapshot-based scanning enables accurate, non-intrusive detection across workloads and environments.