Overview

The Code Repositories page lists all the code repositories from the Source Code Management (SCM) tools that have been registered with Aqua on the Integrations page. Its Checks tab lists the predefined checks that were used to scan these repositories.


In the Supply Chain Security module, select Code Repositories from the left menu to open the Code Repositories page, shown below.



The page is organized into two tabs: Repositories and Checks.


Code repositories

This tab lists every code repository integrated with Aqua, together with the security findings detected when each repository was scanned.


From this tab, you can:

  • View details of each repository: its system (Source Code Management tool), its compliance status after all the predefined checks provided by Aqua have been applied, and when it was last scanned
  • See a summary of the security findings detected in each repository, broken down by severity. These findings are vulnerabilities, misconfigurations in the code, sensitive data such as passwords or tokens, and misconfigurations detected in the pipelines connected to the repository
  • Sort the repositories by the severity of the vulnerabilities detected, using the control at the top of the page
  • Click a repository to open its scan detailed view. Refer to Code Repository Scan Detailed View for more information.
  • Add a new code repository from an already integrated Source Code Management tool. For more information, refer to Add a new repository below.


Other controls

The following controls appear on the right side of the page:

  • Search: find a repository by its name
  • Filter: narrow the list by system (Source Code Management tool), compliance status with the applicable Build Assurance Policies, topic (the label GitHub and GitLab use to categorize repositories), type of security findings detected, and the last build time of the code in the repository
  • Remove: select one or more repositories in the list and click this button to remove them from Aqua
  • Export: download the list of repositories, with full details, as a CSV file
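The CSV export is the natural input for triage outside the UI. The following Python script is an added example, not code from Aqua or from this page: it reads an export, ranks repositories by their worst severity (the same ordering the page's sort control applies) and flags repositories that are non-compliant or have not been scanned within a given number of days. The column names (`Repository`, `System`, `Compliance`, `Critical`, `High`, `Medium`, `Low`, `Last Scanned`) and the timestamp format are assumptions for illustration; compare them against the header row of your own export before use. The sample CSV is constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed column headers (adjust to match the header row of your export).
SEVERITIES = ("Critical", "High", "Medium", "Low")

# Constructed sample export; not real Aqua data.
SAMPLE_CSV = """Repository,System,Compliance,Critical,High,Medium,Low,Last Scanned
payments-api,GitHub,Non-compliant,2,5,7,3,2024-05-01T10:15:00Z
web-frontend,GitLab,Compliant,0,0,4,9,2024-05-03T08:00:00Z
infra-terraform,GitHub,Non-compliant,0,3,1,0,2024-03-20T09:30:00Z
docs-site,GitHub,Compliant,0,0,0,0,2024-05-03T12:00:00Z
"""

# Reference "now" used by the sample run below (constructed).
SAMPLE_NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)


def parse_export(text):
    """Parse the CSV export into dicts with integer counts and a UTC datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = {
            "name": row["Repository"],
            "system": row["System"],
            "compliance": row["Compliance"],
            # Empty cells are treated as zero findings.
            "counts": {s: int(row[s] or 0) for s in SEVERITIES},
            # Assumed ISO 8601 UTC timestamp with a trailing 'Z'.
            "last_scanned": datetime.strptime(
                row["Last Scanned"], "%Y-%m-%dT%H:%M:%SZ"
            ).replace(tzinfo=timezone.utc),
        }
        rows.append(rec)
    return rows


def severity_key(rec):
    """Sort key: most Critical first, then High, then Medium, then Low.

    Negated counts ordered Critical..Low compare lexicographically, so any
    repository with a Critical finding outranks one with only High findings.
    """
    return tuple(-rec["counts"][s] for s in SEVERITIES)


def rank_by_severity(rows):
    """Return the repositories ordered from worst to best."""
    return sorted(rows, key=severity_key)


def flag_repositories(rows, now, max_age_days=14):
    """Map repository name -> reasons for repositories needing attention.

    A repository is flagged when its compliance status is not 'Compliant'
    or when its last scan is older than max_age_days relative to `now`.
    """
    cutoff = now - timedelta(days=max_age_days)
    flagged = {}
    for rec in rows:
        reasons = []
        if rec["compliance"].lower() != "compliant":
            reasons.append("non-compliant")
        if rec["last_scanned"] < cutoff:
            reasons.append("stale scan")
        if reasons:
            flagged[rec["name"]] = reasons
    return flagged


if __name__ == "__main__":
    repos = parse_export(SAMPLE_CSV)
    for rec in rank_by_severity(repos):
        print(f"{rec['name']:<16} {rec['counts']}")
    for name, reasons in flag_repositories(repos, SAMPLE_NOW).items():
        print(f"{name}: {', '.join(reasons)}")
```

Replace `SAMPLE_CSV` with the contents of a downloaded export to run this against real data; the stale-scan threshold is a parameter because the right value depends on how often the repositories are built.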



Add a new repository

After a Source Code Management tool has been integrated, you can add any number of its code repositories to Aqua from the Code Repositories page, using either the Automatic or the CI Integrations method.


When a repository is added through the Automatic method, Aqua checks every minute whether the repository has had any builds since its last scan. If it has, Aqua rescans the repository to detect security findings in the latest build.


To add a new repository through the Automatic method:

  1. Click Add New Repository.
  2. In the Add New Repository dialog, select the Automatic tab.
  3. From the Provider dropdown, select the already integrated Source Code Management tool.
  4. In the repository search box, search for the repository by name.
  5. Select the required repository and click Done.



To add a new repository through the CI Integrations method:

  1. Click Add New Repository and, in the Add New Repository dialog, select the CI Integrations tab.
  2. From the build system type dropdown, select the already integrated build system.
  3. Complete the remaining steps as described in the CI Integration section of the Code Repository Integrations document.



Effects of RBAC

The code repositories listed on the page are limited to those within the logged-in user's application scope.


Checks

This tab lists all the predefined checks that detect security issues in the repositories. Click a check to list every repository that fails it, together with the highest severity detected in each. Click a repository name in that list to open that repository's scan detailed view.



You can search for a check by its ID and filter the checks by:

  • Policy Severity: shows the checks that fail on repositories with vulnerabilities of the selected severity.
  • Repository name: shows the checks that fail on the named repository.
  • Provider Service: enter the provider service on which your code repositories are hosted, for example S3 from AWS, to show only the checks designed for that provider.