diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml
index 982b11d9e97..41e3e5bc006 100644
--- a/.github/workflows/system-tests.yml
+++ b/.github/workflows/system-tests.yml
@@ -11,6 +11,8 @@ on:
 env:
 REGISTRY: ghcr.io
 REPO: ghcr.io/datadog/dd-trace-rb
+ ST_REF: main
+ FORCE_TESTS:
 jobs:
 build-harness:
@@ -31,6 +33,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 repository: 'DataDog/system-tests'
+ ref: ${{ env.ST_REF }}
 - name: Pull released image
 run: |
 if docker pull ${{ env.REPO }}/system-tests/${{ matrix.image.name }}:latest; then
@@ -100,6 +103,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 repository: 'DataDog/system-tests'
+ ref: ${{ env.ST_REF }}
 - name: Checkout ${{ matrix.library.repository }}
 uses: actions/checkout@v4
 with:
@@ -242,6 +246,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 repository: 'DataDog/system-tests'
+ ref: ${{ env.ST_REF }}
 - name: Pull runner image
 run: |
 docker pull ${{ env.REPO }}/system-tests/runner:gha${{ github.run_id }}-g${{ github.sha }}
@@ -262,7 +267,8 @@ jobs:
 run: |
 docker image list
 - name: Run scenario
- run: ./run.sh ++docker ${{ matrix.scenario }}
+ run: |
+ ./run.sh ++docker ${{ matrix.scenario }} ${{ env.FORCE_TESTS }}
 env:
 DD_API_KEY: ${{ secrets.DD_APPSEC_SYSTEM_TESTS_API_KEY }}
 - name: Archive logs
@@ -304,6 +310,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 repository: 'DataDog/system-tests'
+ ref: ${{ env.ST_REF }}
 - name: Retrieve logs
 uses: actions/download-artifact@v4
 with:
diff --git a/lib/datadog/appsec/configuration/settings.rb b/lib/datadog/appsec/configuration/settings.rb
index 05f50449ac9..87f7148f7d0 100644
--- a/lib/datadog/appsec/configuration/settings.rb
+++ b/lib/datadog/appsec/configuration/settings.rb
@@ -192,6 +192,11 @@ def self.add_settings!(base)
 end
 end
 end
+
+ option :sca_enabled do |o|
+ o.type :bool, nilable: true
+ o.env 'DD_APPSEC_SCA_ENABLED'
+ end
 end
 end
 end
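Review bot: `ST_REF` and `FORCE_TESTS` are added to the workflow-level `env` in the first hunk without a comment, and the empty `FORCE_TESTS:` in particular reads like a leftover. A comment above each would record the intent, for example `# system-tests ref checked out by every job below` and `# extra arguments appended to ./run.sh in "Run scenario"; empty by default`. `main` is a moving branch, and the checked-out harness appears to run in the job whose `Run scenario` step receives `DD_API_KEY`, so the comment is also the place to say that a commit SHA is the value to use when a reproducible run matters.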
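Review bot: In the `Run scenario` step (hunk `-262,7 +267,8`), `${{ env.FORCE_TESTS }}` is expanded into the script text before the shell starts, so its content is parsed as shell syntax rather than passed as arguments. As written the value is a constant in this file, so nothing untrusted reaches it, but the same line becomes an injection point if the variable is later fed from a workflow input or event field. Workflow-level `env` entries are already exported to the step, so the line can read `./run.sh ++docker ${{ matrix.scenario }} $FORCE_TESTS`, left unquoted only if it is meant to carry several arguments.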
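Review bot: The new `sca_enabled` option in `settings.rb` has no comment, and its three states are not obvious from the declaration: with `nilable: true` and no default in the hunk, an unset `DD_APPSEC_SCA_ENABLED` yields `nil` rather than `false` (the added spec asserts this). A comment above the option would record that, e.g. `# Software Composition Analysis toggle; nil means "not configured" and is left out of telemetry`. The enclosing `add_settings!` body starts outside the hunk.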
diff --git a/lib/datadog/appsec/contrib/rack/request_middleware.rb b/lib/datadog/appsec/contrib/rack/request_middleware.rb
index 81113e5c57e..55323226019 100644
--- a/lib/datadog/appsec/contrib/rack/request_middleware.rb
+++ b/lib/datadog/appsec/contrib/rack/request_middleware.rb
@@ -15,7 +15,6 @@ module Datadog
 module AppSec
 module Contrib
 module Rack
- # Create an array of lowercased headers
 WAF_VENDOR_HEADERS_TAGS = %w[
 X-Amzn-Trace-Id
 Cloudfront-Viewer-Ja3-Fingerprint
diff --git a/lib/datadog/core/telemetry/event.rb b/lib/datadog/core/telemetry/event.rb
index 4c85f94da87..40fa9d95554 100644
--- a/lib/datadog/core/telemetry/event.rb
+++ b/lib/datadog/core/telemetry/event.rb
@@ -113,7 +113,10 @@ def configuration
 conf_value('tracing.opentelemetry.enabled', !defined?(Datadog::OpenTelemetry::LOADED).nil?),
 )
 list << conf_value('logger.instance', config.logger.instance.class.to_s) if config.logger.instance
- list << conf_value('appsec.enabled', config.dig('appsec', 'enabled')) if config.respond_to?('appsec')
+ if config.respond_to?('appsec')
+ list << conf_value('appsec.enabled', config.dig('appsec', 'enabled'))
+ list << conf_value('appsec.sca_enabled', config.dig('appsec', 'sca_enabled'))
+ end
 list << conf_value('ci.enabled', config.dig('ci', 'enabled')) if config.respond_to?('ci')
 list.reject! { |entry| entry[:value].nil? }
@@ -242,15 +245,30 @@ def initialize(changes, origin)
 end
 def payload(seq_id)
- {
- configuration: @changes.map do |name, value|
- {
- name: name,
- value: value,
- origin: @origin,
- }
- end
- }
+ { configuration: configuration(seq_id) }
+ end
+
+ def configuration(seq_id)
+ config = Datadog.configuration
+
+ res = @changes.map do |name, value|
+ {
+ name: name,
+ value: value,
+ origin: @origin,
+ }
+ end
+
+ unless config.dig('appsec', 'sca_enabled').nil?
+ res << {
+ name: 'appsec.sca_enabled',
+ value: config.appsec.sca_enabled,
+ origin: 'code',
+ seq_id: seq_id,
+ }
+ end
+
+ res
 end
 end
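Review bot: The new `configuration(seq_id)` helper in `event.rb` calls `config.dig('appsec', 'sca_enabled')` without the `config.respond_to?('appsec')` guard that the `def configuration` hunk above keeps around the same lookup, so a process that has not loaded the AppSec settings may raise here instead of skipping the entry. Guarding it the same way would read `if config.respond_to?('appsec') && !config.appsec.sca_enabled.nil?`. The appended entry also hard-codes `origin: 'code'` even when the value came from `DD_APPSEC_SCA_ENABLED`, and it is the only entry that carries `seq_id`; both look inconsistent with the mapped `@changes` entries and are worth checking against the telemetry schema. The entry is added to every change payload whether or not `sca_enabled` is among `@changes`, which deserves a one-line comment if intended.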
diff --git a/spec/datadog/appsec/configuration/settings_spec.rb b/spec/datadog/appsec/configuration/settings_spec.rb
index 39c1fd42cb2..a19a0a94550 100644
--- a/spec/datadog/appsec/configuration/settings_spec.rb
+++ b/spec/datadog/appsec/configuration/settings_spec.rb
@@ -711,5 +711,51 @@ def patcher
 end
 end
 end
+
+ describe 'sca' do
+ describe '#enabled' do
+ subject(:sca_enabled) { settings.appsec.sca_enabled }
+
+ context 'when DD_APPSEC_SCA_ENABLED' do
+ around do |example|
+ ClimateControl.modify('DD_APPSEC_SCA_ENABLED' => sca_enabled_value) do
+ example.run
+ end
+ end
+
+ context 'is not defined' do
+ let(:sca_enabled_value) { nil }
+
+ it { is_expected.to eq nil }
+ end
+
+ context 'is defined as true' do
+ let(:sca_enabled_value) { 'true' }
+
+ it { is_expected.to eq true }
+ end
+
+ context 'is defined as false' do
+ let(:sca_enabled_value) { 'false' }
+
+ it { is_expected.to eq false }
+ end
+ end
+ end
+
+ describe '#enabled=' do
+ subject(:set_sca_enabled) { settings.appsec.sca_enabled = sca_enabled }
+
+ [true, false, nil].each do |value|
+ context "when given #{value}" do
+ let(:sca_enabled) { value }
+
+ before { set_sca_enabled }
+
+ it { expect(settings.appsec.sca_enabled).to eq(value) }
+ end
+ end
+ end
+ end
 end
 end
diff --git a/spec/datadog/core/telemetry/event_spec.rb b/spec/datadog/core/telemetry/event_spec.rb
index 856c576d109..32d83e54fc4 100644
--- a/spec/datadog/core/telemetry/event_spec.rb
+++ b/spec/datadog/core/telemetry/event_spec.rb
@@ -24,6 +24,7 @@
 c.telemetry.install_id = 'id'
 c.telemetry.install_type = 'type'
 c.telemetry.install_time = 'time'
+ c.appsec.sca_enabled = false
 end
 end
@@ -69,6 +70,7 @@ def contain_configuration(*array)
 ['tracing.opentelemetry.enabled', false],
 ['logger.instance', 'MyLogger'],
 ['appsec.enabled', false],
+ ['appsec.sca_enabled', false]
 ),
 install_signature: { install_id: 'id', install_time: 'time', install_type: 'type' },
 )
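Review bot: In `settings_spec.rb` the nested labels `describe '#enabled'` and `describe '#enabled='` do not name the accessor under test, which is `sca_enabled`; `describe '#sca_enabled'` and `describe '#sca_enabled='` would make a failure message point at the right option. The environment contexts cover unset, `'true'` and `'false'` only, so a case with a non-boolean string would pin how the option treats malformed input for a security toggle.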
@@ -170,6 +172,24 @@ def contain_configuration(*array)
 }]
 )
 end
+
+ context 'with env_var state configuration' do
+ before do
+ Datadog.configure do |c|
+ c.appsec.sca_enabled = false
+ end
+ end
+
+ it 'includes sca enablement configuration' do
+ is_expected.to eq(
+ configuration:
+ [
+ { name: name, value: value, origin: origin },
+ { name: 'appsec.sca_enabled', value: false, origin: 'code', seq_id: id }
+ ]
+ )
+ end
+ end
 end
 context 'AppHeartbeat' do
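Review bot: The context title `'with env_var state configuration'` does not match its setup, which assigns `c.appsec.sca_enabled = false` through `Datadog.configure`, that is, in code; a title such as `'when appsec.sca_enabled is set in code'` would describe what is exercised. No example visible in this hunk sets the value through `DD_APPSEC_SCA_ENABLED`, so the `origin: 'code'` expectation is never checked against an environment-sourced value. The enclosing `describe` starts outside the hunk.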