TABLE OF CONTENTS

Overview

The Code Repositories page displays all the code repositories from different source code management tools that have been registered with Aqua from the Integrations page.


In the Supply Chain Security module, from the left menu, when you select Code Repositories, you will see the Code Repositories page as shown below.



Supported programming languages and package managers for scanning

Aqua scans the following programming languages and package managers in the code repositories, to detect risks:


Programming languageManifest files
C/C++
  • conan.lock
Go
  • Binaries built by Go
  • go.mod
Java
  • gradle.lockfile
  • JAR/WAR/PAR/EAR
  • pom.xml
.NET
  • .deps.json
  • Nuget non-lock file (*proj)
  • packages.lock.json
  • packages.config
Node.js
  • package.json
  • package-lock.json
  • pnpm-lock.yaml
  • yarn.lock
PHP
  • composer.lock
Python
  • egg package
  • Pipfile.lock
  • poetry.lock
  • requirements.txt
  • wheel package
Ruby
  • Gemfile.lock
  • gemspec
Rust
  • Binaries built with cargo-auditable
  • Cargo.lock


Code repositories

This tab shows all the code repositories that have been integrated with Aqua and security findings detected in these repositories after scanning them.


From this tab, you can:

  • View details of the repository such as its system (source code management tool), compliance status after applying all the predefined checks provided by Aqua, and the last scanned details.
  • See the status of each code repository scan. If the scan is successful, a summary of the security findings detected in the code repository is displayed in the Security Findings column. If the scan is failed, an error message is displayed in the Security Findings column. The scan can be failed for any reason such as "code repository not found in the source code management application".
  • Obtain a summary of the security findings detected in each repository and further categorization by their severity. These security findings are vulnerabilities, IaC misconfigurations, sensitive data instances such as passwords or tokens, misconfigurations detected in the pipelines connected to the specific repository, and SAST results.
  • Filter the code repositories by the severity of the security issues detected, at the top of the page
  • View scan detailed view on clicking any code repository. Refer to Code Repository Scan Detailed View for more information.
  • Add a new code repository from the already integrated source code management tools. For more information, refer to the Add a new repository section below.


Other controls

The following controls appear at the right middle of the page:

  • Search: the repository by its name
  • Filter: the repositories by system (source code management tool), compliance status with the applicable Assurance Policies, topic name which is used in either GitHub or GitLab to categorize code repositories, type of security findings detected, and the last build time of the code in the repository
  • Remove: select one or more code repositories from the list and click this button to remove them from Aqua
  • Export: to export the list of code repositories with full details in a csv file
  • Scan: select one or more code repositories and click this button to scan them again.



With the Scan option:

- You can only scan code repositories that were added through the Source Code Management method.
- You are not allowed to scan more than 10 code repositories at once.




Add a new repository

After a source code management tool is integrated, you can add any number of code repositories in the source code management tool to Aqua, from the Code Repositories page. You can add a new repository either through the Source Code Management or CI Integrations method.


When a repository is added through the Source Code Management method, Aqua checks every minute if there are any builds on the added repositories after their last scan. If there are any builds, Aqua triggers scanning the repository again to detect security findings in the latest build process.


To add a new code repository through the Source Code Management method:

  1. Click Add New Repository.
  2. In the Add New Repository dialog, select the Source Code Management tab.
  3. From the Provider dropdown, select the already integrated source code management tool.
  4. In the repository search box, search for a repository with its name.
  5. After selecting the required repository, click Done.



To add a new repository through the CI Integrations method:

  1. In the Add New Repository dialog, select the CI Integrations tab.
  2. From the build system type dropdown, select the already integrated system.
  3. Perform actions by referring to the Code Repository Integrations document > CI Integrations section.



Effects of RBAC

The logged-in user's application scope determines the code repositories listed on the screen.