SCA Scanning Support

Qualys Container Security supports Software Composition Analysis (SCA) scanning of container images. An SCA scan discovers installed open source software and libraries, as well as associated vulnerabilities, present in your container images.

While evaluating the security posture of container images, it is important to identify all software packages present in the image. The SCA scan can be used to identify programming language-based software packages inside the image. The SCA scan detects packages for these programming languages: Java, Python, Go, Node.js, .NET, PHP, Ruby, and Rust.

SCA scanning is available for all sensor types (General, Registry, and CI/CD) and is supported for the Docker, containerd, and CRI-O runtimes. Note that SCA scanning applies only to container image scans. SCA scanning is not supported on macOS.

Prerequisites

How it Works

When enabled, an SCA scan runs after the standard vulnerability scan (Static or Dynamic) of a container image. When the SCA scan completes, the sensor uploads the metadata it collected to the Qualys backend, where posture evaluation is performed. SCA findings are shown in the Container Security UI and API as part of the image details.

The responses of several Image APIs show the scan types used to scan an image (SCA, Dynamic, Static), together with the software packages and vulnerabilities detected by SCA scans.