Code Repository Scan Detailed View
Overview
This topic explains the security issues found when a code repository is scanned, and describes the information about the repository and its scan results that is shown in the repository detailed view.
Review security findings in the code repositories
In the Code Repositories page, the following information is displayed related to the security posture of the code repositories:
- At the top of the page, the number of repositories having the security issues of each severity type is displayed with distinct color codes.
- Security Findings column of the repositories shows the following security issues with different severities, represented with distinct color codes:
- Vulnerabilities
- IaC misconfigurations
- Sensitive data
- Pipeline misconfigurations
- SAST results
Security findings detected in different repositories are shown in the following example:
Code Repository scan detailed view
Click the repository name to open its detailed view and scan results. The repository scan detailed view consists of the following tabs, each of which is explained in its own section below:
- Overview
- Vulnerabilities
- Sensitive Data
- SAST
- IaC
- Pipelines
- Builds
- Dependencies
- Artifacts
- Tool Chain
Overview tab
This tab shows the following information:
- Code Repository compliance status
- Full details of the code repository
- Details widgets showing the number and severities of vulnerabilities, misconfigurations, and instances of sensitive data in different pie charts
Vulnerabilities tab
This tab shows the following basic information of the vulnerabilities:
- Vulnerability ID: CVE ID of the vulnerability as assigned by NVD
- Title: title of the vulnerability
- File Path: file in the code repository that declares the package in which the vulnerability was detected
- Package: package in the code repository in which the vulnerability was detected
- Reachable: A checkmark indicates that the vulnerability is reachable from your code (Yes/No). For more information, refer to the Vulnerability detailed view section below.
- Direct: A checkmark indicates that the vulnerability was detected in a direct dependency. A direct package may in turn depend on indirect packages at one or more levels.
- Vendor fix: A checkmark indicates that a software vendor fix is available for the vulnerability (Yes/No)
- Severity: severity of the vulnerability: Critical, High, Medium, Low, or Unknown
Other controls - Vulnerabilities tab
- Sort: At the top of the page, the list can be filtered by one of the vulnerability severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to vulnerabilities of medium severity:
- Group: the list of vulnerabilities using the Group By drop-down menu with the following options:
- Vulnerability: by the specific vulnerability detected in the code repository
- File: in which the vulnerabilities are detected
- Filter: the vulnerabilities using the following options:
- Vendor fix: (Yes/No)
- Reachable: Reachability of the vulnerability to the packages (Yes/No). For more information, refer to the Vulnerability detailed view section below.
- Package name (in the code repository): Enter the package name to filter the vulnerabilities detected in it
- File path (in the code repository): Enter the file path to filter the vulnerabilities detected in it; one or multiple packages are stored in a file path in the code repository
- Search: any vulnerability by its CVE ID or name
- Export: click this button to export all the vulnerabilities in a CSV file
Vulnerability detailed view
On clicking any row in the Vulnerabilities tab, a window opens that provides full details of the vulnerability. This window has two tabs, which show the following information:
- Info: Shows full details of the vulnerability, such as its source details (with a link to the repository) and the details of the scan that detected it.
- Reachability: When developing your application, you can use different packages in the code repository, and these packages may contain vulnerabilities. This tab shows the reachable path(s) found from your code to the functions in these packages that may expose your application to the specific vulnerability. On clicking a reachable path, you can navigate to the specific line in the code that exposes the application to the vulnerability. This analysis gives you more granular information on whether an existing vulnerability in a package is actually reachable from your code repository. If a vulnerability is reachable, you may prioritize fixing it.
Aqua supports indicating the reachability of vulnerabilities in the following package managers only:
- NPM
- PyPI
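The Reachable, Direct, Vendor fix and Severity columns described above are the inputs a practitioner combines when deciding which findings to fix first. The following Python script is an added example (not Aqua's code) that parses an exported vulnerability list and ranks it: reachable findings score highest because a confirmed path from your code is exploitability evidence, direct dependencies because you control their version, and findings with a vendor fix because they are cheap to remediate. The CSV column layout, the weights and the sample rows (with placeholder IDs) are constructed assumptions, not the product's actual export format.

```python
import csv
import io

# Constructed sample of a Vulnerabilities tab export. The column names mirror the
# tab's columns; the real CSV layout is an assumption, not taken from Aqua's docs.
SAMPLE_CSV = """\
Vulnerability ID,Package,File Path,Reachable,Direct,Vendor fix,Severity
CVE-EXAMPLE-0001,lodash,package.json,Yes,Yes,Yes,High
CVE-EXAMPLE-0002,minimist,package-lock.json,No,No,Yes,Critical
CVE-EXAMPLE-0003,requests,requirements.txt,Yes,Yes,No,Medium
CVE-EXAMPLE-0004,urllib3,requirements.txt,No,No,No,Low
CVE-EXAMPLE-0005,express,package.json,Yes,No,Yes,Critical
"""

# Severity levels as listed in the tab; Unknown ranks lowest.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}


def parse_export(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def _flag(row, column):
    """True when a Yes/No column is set to Yes (the tab shows this as a checkmark)."""
    return row.get(column, "").strip().lower() == "yes"


def triage_score(row):
    """Assumed weighting: severity plus evidence that the finding matters and is fixable."""
    score = SEVERITY_RANK.get(row["Severity"], 0)
    if _flag(row, "Reachable"):
        score += 3  # a reachable path from your code is exploitability evidence
    if _flag(row, "Direct"):
        score += 1  # direct dependency: you control the version that gets pulled in
    if _flag(row, "Vendor fix"):
        score += 1  # a fixed version exists, so remediation is an upgrade
    return score


def prioritize(rows):
    """Highest score first; ties broken by raw severity, then by ID for stable output."""
    return sorted(
        rows,
        key=lambda r: (-triage_score(r), -SEVERITY_RANK.get(r["Severity"], 0), r["Vulnerability ID"]),
    )


def prioritized_ids(text=SAMPLE_CSV):
    """Convenience wrapper returning just the ordered vulnerability IDs."""
    return [r["Vulnerability ID"] for r in prioritize(parse_export(text))]


if __name__ == "__main__":
    for row in prioritize(parse_export(SAMPLE_CSV)):
        print(triage_score(row), row["Vulnerability ID"], row["Package"], row["Severity"])
```

With the sample rows, the reachable Critical finding with a vendor fix ranks first, and a reachable High finding in a direct dependency outranks an unreachable Critical one in a transitive dependency, which is the point of the reachability analysis.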
Suppress vulnerability
In the vulnerability detailed view, you can suppress that particular vulnerability, which will temporarily dismiss the corresponding findings, starting from the moment the suppression is applied. However, it is important to note that existing findings of the same vulnerability cannot be suppressed. For more information, refer to the Suppress security issue section below.
Sensitive Data tab
Each entry (row) in this tab is an instance of sensitive data detected in a resource. Therefore, if a given instance of sensitive data was found in N resources, it will appear in the list N times.
The row corresponding to each instance of sensitive data contains the following information:
- List of all instances of sensitive data such as passwords or keys. The list can be filtered by one of the sensitive data severity levels: critical, high, medium, low, or unknown at the top of the page.
- Basic information of all instances of sensitive data such as the check which detected the instance, the file path and resource in which it is detected, and its severity.
- Sensitive data detail view: click any row in the list to see a window that provides full details about the sensitive data and the check which detected the instance, as shown below. You can click the sensitive data reference in the window to navigate directly to the code snippet in the code repository in which this instance of sensitive data is found.
Other controls - Sensitive Data
Refer to the Other controls - IaC misconfigurations section below to see all the controls used to search, filter, group, and export all the instances of sensitive data detected in the code repository.
Suppress the sensitive data instance
In the sensitive data detailed view, you can suppress that particular sensitive data instance, which will temporarily dismiss the corresponding findings, starting from the moment the suppression is applied. However, it is important to note that existing findings of the same sensitive data instance cannot be suppressed. For more information, refer to the Suppress security issue section below.
SAST tab
This tab shows the results of Static Application Security Testing (SAST) checks performed on your application code. These results help developers identify security issues in the initial stages of development and resolve the issues to prevent passing the security issues to the next phase of the SDLC (Software Development Lifecycle).
Aqua performs SAST checks on the packages developed in the following programming languages:
- Bash (beta)
- C (beta)
- C#
- C++ (beta)
- Dockerfile (beta)
- Elixir (beta)
- Go
- HTML (beta)
- Java
- JavaScript
- JSON
- JSX
- Kotlin (beta)
- Lua (beta)
- OCaml (beta)
- PHP
- Python
- R (beta)
- Ruby
- Rust (beta)
- Scala
- Solidity (beta)
- Swift (beta)
- Terraform
- TSX
- TypeScript
The SAST results show the presence of security issues in your application code. Each security issue is assigned a severity, which helps you prioritize fixing the issues. This tab shows the following information:
- List of all SAST results detected in the code repository
- Shows the following basic information for each SAST result in the list:
- SAST check ID
- Common Weakness Enumeration (CWE) number: identifies the class of weakness detected in the application code
- File Path: file in the code repository containing the resource in which the security issue was detected
- Category: category of the security issue, such as Best Practice, Correctness, Maintainability, Performance, Portability, and Security
- Sub-category: After the category of the security issue, the sub-category ("vulnerability" or "audit") is also displayed. Security issues in the "vulnerability" sub-category are intended for developers to fix. Security issues in the "audit" sub-category are intended for code auditors.
- Severity of the result: Critical, High, Medium, Low, or Unknown
- SAST result detailed view: click any result in the list to see a window that provides full details of the SAST result and the check which detected it. The detailed view includes a link to the resource where the security issue was found; on clicking it, you can navigate directly to the resource to fix the security issue.
Other controls - SAST results
- Filter: the results by:
- Severity of the security issues: critical, high, medium, low, or unknown at the top of the page
- File Path: (in the code repository): Enter the file path to filter the security issues detected in it
- CWE ID
- Category: of the SAST check
- Group: the SAST results by the File in which the security issues are detected or Check which detects security issues in different resources
- Search: any file name to see the security issues detected in it
- Export: click this button to export all the SAST results in a CSV file
Suppress the SAST result
In the SAST check detailed view, you can suppress that particular SAST result, which will temporarily dismiss the corresponding findings, starting from the moment the suppression is applied. However, it is important to note that existing findings of the same SAST result cannot be suppressed. For more information, refer to the Suppress security issue section below.
IaC tab
Aqua defines different built-in policies for the following configuration types to detect the IaC misconfigurations:
- CloudFormation
- Containerfile
- Dockerfile
- Helm Chart
- Kubernetes
- RBAC
- Terraform
For more information, refer to Aqua's defsec GitHub repository.
This tab shows the following information:
- List of all misconfigurations detected in the code repository
- Basic information of all misconfigurations such as the check which detected the instance, the file path and resource in which it is detected, and its severity
- Misconfiguration detail view: click any misconfiguration in the list to see a window that provides full details about the misconfiguration
The list can be filtered by one of the misconfiguration severity levels: critical, high, medium, low, or unknown at the top of the page. The following screenshot shows the list filtered with all misconfigurations with high severity:
Other controls - IaC misconfigurations
- Search: by any Aqua check ID or name to see the details of its presence in the code repositories
- Filter: IaC misconfigurations by:
- Severity of the security issues: critical, high, medium, low, or unknown at the top of the page
- Resource (in the code repository): Enter the resource name to filter the IaC misconfigurations detected in it
- File Path (in the code repository): Enter the file path to filter the IaC misconfigurations detected in it; one or multiple resources are stored in a file path in the code repository
- Export: click this button to export all the IaC misconfigurations in a CSV file
- Group by: This option groups the IaC misconfigurations by the Aqua check that detected them, by the file, or by the resource in which they were detected.
Suppress the IaC misconfiguration
In the IaC misconfiguration detailed view, you can suppress that particular misconfiguration, which will temporarily dismiss the corresponding findings, starting from the moment the suppression is applied. However, it is important to note that existing findings of the same misconfiguration cannot be suppressed. For more information, refer to the Suppress security issue section below.
Pipelines tab
This tab shows all the misconfigurations detected in the pipelines which are connected to the current code repository. You can click any misconfiguration to see its detailed view. For more information on the list and detailed view of the pipeline misconfigurations, refer to Build Pipelines.
Other controls - Pipeline misconfigurations
- Search: by any Aqua check ID or name to see the details of its presence in the pipelines
- Filter: Pipeline misconfigurations by
- File Path: to filter the misconfigurations detected in it
- Severity of the security issues: critical, high, medium, low, or unknown at the top of the page
- Export: click this button to export all the pipeline misconfigurations in a CSV file
- Group by: This option groups the pipeline misconfigurations by the Aqua check that detected them
Suppress the pipeline misconfiguration
In the pipeline misconfiguration detailed view, you can suppress that particular misconfiguration, which will temporarily dismiss the corresponding findings, starting from the moment the suppression is applied. However, it is important to note that existing findings of the same misconfiguration cannot be suppressed. For more information, refer to the Suppress security issue section below.
Builds tab
This tab shows the list of all builds that use the specific repository, including all the security findings detected in each build process. You can search the builds by branch name. A build can contain security issues when, for example, a pull request introduces vulnerabilities that were not detected earlier; such issues are detected when the build is scanned.
Dependencies tab
This tab shows the details of dependencies used in building the application code in the specific code repository and vulnerabilities detected in each dependency. This helps you to identify the vulnerable dependencies and replace them with alternative non-vulnerable dependencies or use other versions of dependencies.
This tab shows the following details of each dependency:
- Name
- File: dependency file name
- Type: registry from which the dependency is obtained
- Vulnerabilities: Count of vulnerabilities categorized by their severities
Other controls - Dependencies
The following controls appear at the right middle of the page:
- Search: any dependency that you have used, to see the vulnerabilities detected in it
- Export SBOM: click this button to export the Software Bill of Materials (SBOM) as a JSON file
This tab shows the dependencies used by the application code currently in the repository, whereas the dependencies shown in the Release Artifacts page are those used by the specific release artifact version in production.
Artifacts tab
This tab shows all the release artifacts created from the specific code repository after building your application code. You can see the details of all the release artifacts. In this tab, you can also integrate with any pipeline from the already selected combination of source code management tool and CI/CD build system. This will add more release artifacts once the integrated pipeline is built. For more information on the details of release artifacts and integration to any pipeline in the build system to add more release artifacts, refer to Release Artifacts.
Tool Chain tab
This tab shows the following information:
- Security issues, as failed checks (Aqua's predefined checks), detected in the source code repository and associated with the different stages of the supply chain: source code, build, dependency, and artifact
- Severity of the security issues
For more information on Tool Chain, refer to Tool Chain.
You can also filter the security issues by one of the following stages in which these issues are detected:
- Source Code
- Build
- Dependency
- Artifact
In each security issue, you can click the Remediate button to see the instructions to remediate the security issue for each source code management tool.
Security issue detailed view
If you click any security issue in the list view, you will see a window that provides details about the security issue. In the detailed view, you will get a link to the resource or code snippet where the security issue was found; on clicking this, you can navigate to the code snippet directly to fix the security issue.
In the IaC misconfiguration detailed view, you can suppress the specific misconfiguration. For more information, refer to the Suppress security issue section below.
The IaC misconfiguration detailed view is shown below; the detailed views of the other security issue types are similar.
Suppress a security issue
In the detailed view of any security issue, you can suppress that particular security concern, which will temporarily dismiss the corresponding findings, starting from the moment the suppression is applied. However, it is important to note that existing findings of the same security issue cannot be suppressed. You can suppress the following types of security issues from the respective detailed view:
- Vulnerability
- Sensitive data instance
- SAST result
- IaC misconfiguration
- Pipeline misconfiguration
To suppress the security issue:
- In the security issue detailed view, click Suppress. The Suppress Check dialog appears, showing the check that detected the security issue in your repository.
- In the Suppress Check dialog, enable Apply only for this finding instance to apply the rule only to the issue detected in the specific code repository, file, and line number. If you do not enable this, the suppression is applied to all instances of the security issue detected in the code repository.
- Enter a name for the rule. Upper and lowercase letters, digits, dashes, and underscores are allowed.
- Enter a reason for the rule.
- (Optional) Select the "Disable rule" checkbox and define the number of days after which the suppression rule should be disabled automatically. If you do not select this checkbox, the suppression rule is disabled automatically after one day.
- Click Suppress. The specific check is suppressed from now until the rule is disabled according to the above configuration. This suppression guarantees that the code builds successfully despite the presence of the security issue.
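The procedure above defines three properties of a suppression rule that are easy to get wrong when reviewing a team's suppressions: it applies only from the moment it is created (findings that already existed stay visible), it is scoped either to one finding instance (repository, file, line) or to every instance of the check in the repository, and it disables itself after a configurable number of days, one by default. The following Python model is an added example (not Aqua's code) that implements exactly those semantics so the behaviour can be reasoned about and tested; the check IDs, repository name, files and timestamps are constructed, and the rule-name validation follows the character set stated in the dialog.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Rule names: upper and lowercase letters, digits, dashes and underscores only.
RULE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def rule_name_is_valid(name: str) -> bool:
    return RULE_NAME_RE.match(name) is not None


@dataclass(frozen=True)
class Finding:
    check_id: str        # the check that raised the finding
    repo: str
    file_path: str
    line: int
    detected_at: datetime


@dataclass(frozen=True)
class SuppressionRule:
    name: str
    reason: str
    check_id: str
    repo: str
    created_at: datetime
    # Set when "Apply only for this finding instance" is enabled: the rule then
    # matches one (file, line) only; otherwise every instance of the check in the repo.
    file_path: Optional[str] = None
    line: Optional[int] = None
    # "Disable rule" after N days; the default is one day.
    disable_after_days: int = 1

    def __post_init__(self) -> None:
        if not rule_name_is_valid(self.name):
            raise ValueError("rule name may contain only letters, digits, dashes and underscores")
        if not self.reason.strip():
            raise ValueError("a reason is required")
        if (self.file_path is None) != (self.line is None):
            raise ValueError("instance scope needs both a file path and a line")

    @property
    def disabled_at(self) -> datetime:
        return self.created_at + timedelta(days=self.disable_after_days)

    def applies_to(self, finding: Finding, now: datetime) -> bool:
        if now >= self.disabled_at:                   # rule has auto-disabled
            return False
        if finding.check_id != self.check_id or finding.repo != self.repo:
            return False
        if finding.detected_at < self.created_at:     # existing findings are not suppressed
            return False
        if self.file_path is not None and (finding.file_path, finding.line) != (self.file_path, self.line):
            return False                              # instance-scoped rule, different instance
        return True


def visible_findings(findings, rules, now):
    """Return the findings that no active rule suppresses at time `now`."""
    return [f for f in findings if not any(r.applies_to(f, now) for r in rules)]


# Constructed scenario: one IaC check in one repository, a rule created at noon on day 1.
CREATED = datetime(2024, 1, 1, 12, 0)
FINDINGS = [
    Finding("CHECK-EXAMPLE-1", "org/app", "main.tf", 10, datetime(2024, 1, 1, 9, 0)),   # pre-dates the rule
    Finding("CHECK-EXAMPLE-1", "org/app", "main.tf", 10, datetime(2024, 1, 1, 13, 0)),  # same instance, after the rule
    Finding("CHECK-EXAMPLE-1", "org/app", "db.tf", 3, datetime(2024, 1, 1, 13, 0)),     # other instance, same check
    Finding("CHECK-EXAMPLE-2", "org/app", "main.tf", 22, datetime(2024, 1, 1, 13, 0)),  # different check
]


def run_scenario():
    """Line numbers of the findings still visible under each rule, for inspection."""
    instance_rule = SuppressionRule("fp-main-tf", "false positive in test module",
                                    "CHECK-EXAMPLE-1", "org/app", CREATED, "main.tf", 10)
    repo_rule = SuppressionRule("accepted-risk", "accepted risk, ticket pending",
                                "CHECK-EXAMPLE-1", "org/app", CREATED, disable_after_days=7)
    six_hours_later = datetime(2024, 1, 1, 18, 0)
    two_days_later = datetime(2024, 1, 3, 12, 0)
    return {
        "instance_rule": [f.line for f in visible_findings(FINDINGS, [instance_rule], six_hours_later)],
        "repo_rule": [f.line for f in visible_findings(FINDINGS, [repo_rule], six_hours_later)],
        "instance_rule_expired": [f.line for f in visible_findings(FINDINGS, [instance_rule], two_days_later)],
    }


if __name__ == "__main__":
    for scope, lines in run_scenario().items():
        print(scope, "still visible at lines:", lines)
```

In the scenario, the instance-scoped rule hides only the new finding at main.tf line 10; the finding at the same location that pre-dates the rule, the finding in db.tf and the finding from a different check all stay visible. The repository-wide rule additionally hides the db.tf finding. Two days after creation the default one-day rule has disabled itself and every finding is visible again, which is why the expiry should be set deliberately rather than left at the default.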
The following screenshot shows the suppress check dialog for the vulnerability. A similar dialog will be displayed when you want to suppress other types of security issues.