Introducing Software Composition Analysis: Developer-first open source security

Modern applications now rely more than ever on open-source software (OSS) to deliver performant code fast. By leveraging open-source code components, developers can hit the ground running and focus their energy on producing high-value proprietary code. Despite the benefits, using OSS means your team is unwittingly taking on an additional source of risk.

Open-source components carry license obligations and frequently contain known vulnerabilities. And given that open-source software now makes up about 90% of modern codebases, it’s critical that your cloud-native team adopts a strategy to get ahead of its OSS risk.

At Bridgecrew, we believe the best way to do that is to empower those that have the most impact on how applications are built—developers.

We’re excited to add Software Composition Analysis (SCA) to our developer-first code security platform to provide vulnerability scanning and license compliance that’s embedded into developer workflows and built on top of our infrastructure foundation.

Bridgecrew's Projects screen with a display of vulnerabilities and licenses

What is Bridgecrew’s approach to software composition analysis?

With the rising popularity of OSS in cloud-native apps and the fact that existing SCA point solutions are siloed and reactive, we see an opportunity to take a more modern and developer-centric approach to open source security. Bridgecrew SCA fits into our existing framework of developer and DevOps integrations so that vulnerability and license compliance scanning is embedded into developer tools and workflows. Bridgecrew also enables you to adopt DevSecOps for your OSS through automated security guardrails and alerts.

And to give you an industry-leading depth of open source coverage, Bridgecrew SCA leverages Prisma Cloud’s proprietary threat research and the most trusted vulnerability databases, supports all the popular open-source package managers and languages, and provides granular version bump fixes in code. When paired with our developer-first approach, you’ll be empowered with deep and cohesive SCA so that you can ship secure code fast.

Developer-first integrations

You can leverage Checkov, our open-source CLI tool, to get local feedback on files and directories. And when you enable Bridgecrew’s integrated development environment (IDE) plugins, you can get notified of vulnerabilities as your developers build applications. Bridgecrew also surfaces feedback in version control systems (VCS) in the form of pull/merge request checks, guardrails, and comments, as well as build steps within CI/CD pipelines.

Bridgecrew surfaces SCA feedback in existing developer tools and workflows

Infrastructure-aware

By bringing the worlds of IaC and open source security together, Bridgecrew uniquely provides the context of vulnerabilities within the broader cloud-native environment. This connection enables you to identify vulnerabilities embedded in container dependencies and helps you prioritize and address vulnerabilities faster.

Imagine that you’re creating a CI/CD pipeline that runs tests inside a container, or that you’re writing Kubernetes manifests that pull images into a pod. If you pull those images off the shelf without checking what is inside them, you may be introducing vulnerabilities into your environment. Bridgecrew now automatically detects the images your IaC and pipeline files pull, scans them for vulnerabilities, and surfaces those vulnerabilities next to your IaC scan results.

Bridgecrew surfaces vulnerabilities next to your IaC scan results
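The first step of the image detection described above is finding every image reference in a manifest or pipeline file and normalising it so it can be looked up in a registry. The following is an added example, not Bridgecrew or Checkov code: it pulls `image:` and `uses: docker://` references out of a constructed Kubernetes manifest and a constructed GitHub Actions workflow with a line-oriented regex (an assumption that works for literal references only; templated or variable-built references are missed), splits each reference into registry, repository, tag and digest following Docker's reference grammar, and flags references that are not pinned. The digest, hostnames and image names are made up.

```python
"""Added example (not Bridgecrew/Checkov code): find container image
references in Kubernetes manifests and CI workflow files, normalise them the
way a registry client would, and flag references that are not pinned."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed digest (64 hex chars) for the pinned example below.
DIGEST = "sha256:" + "0123456789abcdef" * 4

# Constructed Kubernetes manifest: mixes an untagged, a 'latest', a versioned
# and a digest-pinned image.
K8S_MANIFEST = f"""\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  template:
    spec:
      initContainers:
        - name: migrate
          image: ghcr.io/example/migrate:1.4.2
      containers:
        - name: web
          image: nginx
        - name: sidecar
          image: "quay.io/example/proxy:latest"
        - name: api
          image: registry.example.com:5000/team/api@{DIGEST}
"""

# Constructed GitHub Actions workflow: the job container, a service container
# and a docker:// action all pull images.
CI_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    container:
      image: python:3.11-slim
    services:
      db:
        image: postgres:15
    steps:
      - uses: actions/checkout@v4
      - uses: docker://alpine:3.19
"""

# Matches 'image: <ref>' (with or without a list dash and quotes) and
# 'uses: docker://<ref>'. Line-oriented on purpose (assumption: no YAML
# parser), so images built from variables or templating are not found.
IMAGE_RE = re.compile(
    r'^\s*(?:-\s+)?(?:image:\s*["\']?|uses:\s*["\']?docker://)([^"\'\s#]+)', re.M)


@dataclass
class ImageRef:
    raw: str
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(raw: str) -> ImageRef:
    """Split a reference the way Docker's reference grammar does:
    [registry/]repository[:tag][@digest], with Docker Hub defaults."""
    name, _, digest = raw.partition("@")
    tag = None
    # A ':' only denotes a tag if it comes after the last '/', otherwise it
    # is a registry port (registry.example.com:5000/...).
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    parts = name.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, parts[1:]
    else:
        registry, repo = "docker.io", parts
    if registry == "docker.io" and len(repo) == 1:
        repo = ["library"] + repo  # 'nginx' is really docker.io/library/nginx
    return ImageRef(raw, registry, "/".join(repo), tag, digest or None)


def extract_image_refs(text: str) -> List[str]:
    return IMAGE_RE.findall(text)


def image_issues(ref: ImageRef) -> List[str]:
    """What a scan should complain about before looking up vulnerabilities:
    a reference that can silently change what gets pulled."""
    issues = []
    if ref.digest is None:
        if ref.tag is None:
            issues.append("no tag (defaults to 'latest')")
        elif ref.tag == "latest":
            issues.append("floating tag 'latest'")
        issues.append("not pinned to a digest")
    return issues


def audit_images(text: str) -> List[Tuple[ImageRef, List[str]]]:
    return [(ref, image_issues(ref)) for ref in map(parse_image_ref, extract_image_refs(text))]
```

Once a reference is normalised to `registry/repository` plus a tag or digest, the same tuple is what a vulnerability scanner keys its image scan on; an unpinned reference is worth flagging on its own, because the scan result for `nginx` today says nothing about what `nginx` resolves to after the next push to that tag.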

In addition to SCA, Bridgecrew now also supports consolidated software bill of materials (SBOM) generation. By generating an SBOM in Bridgecrew, you’ll get an inventory of IaC resources and open-source packages, along with their associated misconfigurations, vulnerabilities, and licenses.

An SBOM generated by Bridgecrew, which displays information such as IaC resources and open source packages

Limitless dependency scanning

Open-source packages pull in deep trees of transitive dependencies, and each package version can change critical functionality, so without complete visibility into the dependency tree and guidance on what to change at which layer, vulnerabilities go undetected or unfixed. By resolving the full dependency tree and suggesting granular version bumps at any layer, Bridgecrew provides deep open-source coverage and lets you make changes safely.

Bridgecrew resolves dependency trees and provides granular version bump fix suggestions at any layer
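To make the "fix at any layer" idea concrete, here is an added example that is not Bridgecrew or Checkov code. It works against a constructed package index (names, versions and dependency constraints are made up, standing in for a registry), a constructed set of advisories with hypothetical ids, and a constructed lock-file style manifest. It resolves the tree, matches resolved versions against the advisories, records the path from a direct dependency down to each vulnerable package, and then searches upward through the direct dependency's published versions for the smallest bump after which re-resolving no longer pulls in an affected version. The constraint grammar and the "highest satisfying version, first constraint wins" resolver are simplifying assumptions; real package managers reconcile conflicts.

```python
"""Added example (not Bridgecrew/Checkov code): resolve a dependency tree from
a constructed package index, match resolved versions against constructed
advisories, and search for the smallest version bump of the *direct*
dependency that removes a vulnerable transitive package."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed package index: name -> version -> {dependency: constraint}.
# Stands in for a registry; every name, version and constraint is made up.
INDEX: Dict[str, Dict[str, Dict[str, str]]] = {
    "web-framework": {
        "2.0.0": {"http-parser": "<1.2.0", "template": "<3.1.0"},
        "2.1.0": {"http-parser": "<1.2.0", "template": "<3.1.0"},
        "2.2.0": {"http-parser": ">=1.2.0", "template": ">=3.1.0"},
    },
    "http-parser": {"1.0.0": {}, "1.1.0": {}, "1.2.0": {}, "1.2.1": {}},
    "template": {"3.0.0": {"escape": "<0.9.0"}, "3.1.0": {"escape": ">=0.9.0"}},
    "escape": {"0.8.0": {}, "0.9.0": {}},
    "yaml-loader": {"1.1.0": {}, "1.2.0": {}},
}

# Constructed advisories with hypothetical ids (not real CVEs).
ADVISORIES = [
    {"id": "ADV-1", "package": "http-parser", "affected": "<1.2.0"},
    {"id": "ADV-2", "package": "escape", "affected": "<0.9.0"},
    {"id": "ADV-3", "package": "yaml-loader", "affected": "<1.2.0"},
]

# Constructed lock-file style manifest: the app's direct dependencies, pinned.
MANIFEST = {"web-framework": "==2.0.0", "yaml-loader": "==1.1.0"}


def parse_version(s: str) -> Version:
    return tuple(int(p) for p in s.split("."))


def satisfies(version: str, spec: str) -> bool:
    """Constraint grammar assumed for this example: comma-separated clauses
    using >=, <=, ==, <, >; '*' matches anything."""
    if spec == "*":
        return True
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        op = next(o for o in (">=", "<=", "==", "<", ">") if clause.startswith(o))
        c = parse_version(clause[len(op):])
        if not {">=": v >= c, "<=": v <= c, "==": v == c, "<": v < c, ">": v > c}[op]:
            return False
    return True


def resolve(manifest: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Pick the highest version satisfying each constraint, breadth-first from
    the direct dependencies. One version per package; the first constraint
    seen wins (a simplification: real resolvers reconcile conflicts)."""
    resolved: Dict[str, str] = {}
    edges: Dict[str, List[str]] = {}
    queue = list(manifest.items())
    while queue:
        name, spec = queue.pop(0)
        if name in resolved:
            continue
        candidates = [v for v in INDEX[name] if satisfies(v, spec)]
        if not candidates:
            raise LookupError(f"no version of {name} satisfies {spec}")
        chosen = max(candidates, key=parse_version)
        resolved[name] = chosen
        edges[name] = list(INDEX[name][chosen])
        queue.extend(INDEX[name][chosen].items())
    return resolved, edges


def vulnerable(resolved: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(advisory id, package, resolved version) for every affected package."""
    return [(a["id"], a["package"], resolved[a["package"]]) for a in ADVISORIES
            if a["package"] in resolved and satisfies(resolved[a["package"]], a["affected"])]


def dependency_path(edges: Dict[str, List[str]], root: str, target: str) -> Optional[List[str]]:
    """Depth-first path root -> ... -> target through the resolved tree."""
    if root == target:
        return [root]
    for child in edges.get(root, []):
        tail = dependency_path(edges, child, target)
        if tail:
            return [root] + tail
    return None


def suggest_fix(manifest: Dict[str, str], advisory: dict) -> Optional[Tuple[str, str, str]]:
    """Return (package to bump, current version, smallest safe version).
    A direct dependency is bumped itself; a transitive one is fixed by bumping
    the direct dependency that pulls it in, trying published versions in
    ascending order and re-resolving until the advisory no longer matches."""
    resolved, edges = resolve(manifest)
    pkg = advisory["package"]
    layer = pkg if pkg in manifest else next(d for d in manifest if dependency_path(edges, d, pkg))
    current = resolved[layer]
    for candidate in sorted(INDEX[layer], key=parse_version):
        if parse_version(candidate) <= parse_version(current):
            continue
        trial, _ = resolve({**manifest, layer: f"=={candidate}"})
        if pkg in trial and satisfies(trial[pkg], advisory["affected"]):
            continue  # this bump still ships an affected version; keep looking
        return layer, current, candidate
    return None  # no published version of the direct dependency fixes it
```

With the constructed data, `web-framework` 2.1.0 is skipped for both transitive findings because it still resolves to the affected `http-parser` and `escape` versions, and the suggestion lands on 2.2.0; `yaml-loader`, being a direct dependency, is bumped in place. Returning `None` when no published version helps is the case a tool has to surface honestly rather than recommend a bump that does not fix anything.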

Getting started with Bridgecrew SCA

Securing your cloud-native apps and infrastructure starts with adopting a proactive approach to open source security. Bridgecrew empowers you to get ahead of open source risk by enabling you to address vulnerabilities at the source. And with our developer-friendly integrations, consolidated code security data model, and complete dependency tree resolution, you get seamless OSS security that helps you ship secure code fast.

All Bridgecrew capabilities, including SCA, are also a part of Prisma Cloud’s industry-leading cloud-native application protection platform (CNAPP). To see Prisma Cloud SCA in action, register for an upcoming product deep dive session.