Overview

This topic explains the security findings reported when a code repository is scanned, and the information about the repository and its scan results that is shown in the repository detail view.


Review security findings in the repositories

In the Code Repositories page, the Security Findings column of each repository may show the following issues:

  • All vulnerabilities, with their severities represented by distinct color codes. The color coding of each vulnerability severity is displayed at the top of the page.
  • All instances of sensitive data, with their severities represented by distinct color codes. The color coding of each sensitive data severity is the same as that of vulnerability severity.
  • All misconfigurations, with their severities represented by distinct color codes. The color coding of each misconfiguration severity is the same as that of vulnerability severity.


Security findings detected in different repositories are explained in the following example:



  • No instances of sensitive data and vulnerabilities were detected by Aqua in the repository terraform-provider-aws.
  • The repository insecure-app-demo was found to contain 27 vulnerabilities and 9 instances of sensitive data of different severities.
  • The repository insecure-app-example was found to contain 5 instances of misconfigurations of different severities.
  • All the repositories are compliant with Aqua.


Repository scan detailed view

Click the repository name to open its detailed view and scan results. The repository scan detailed view consists of the following tabs, each of which is explained in its own section below:

  • Overview
  • Vulnerabilities
  • Misconfigurations
  • Pipelines
  • Sensitive Data
  • SAST
  • Builds
  • Artifacts
  • Dependencies
  • Tool Chain

Overview tab

This tab shows the following information:

  • Repository compliance status
  • Full details of the repository
  • Details widgets showing the number and severities of vulnerabilities, misconfigurations, and instances of sensitive data in different pie charts



Vulnerabilities tab

This tab shows the following information:

  • List of all vulnerabilities, grouped by the file in which they are detected
  • Basic information for each vulnerability, such as its severity, the package in which it is detected, and vendor fix availability
  • Vulnerability detail view: click any row in the Vulnerabilities list to open a window with full details about the vulnerability, as shown below.

Using the controls at the top of the page, the list can be filtered by one of the vulnerability severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to vulnerabilities of medium severity:



You can also sort, group, and filter the list of vulnerabilities using the controls at the top of the page, as explained below:

  • Sort: by severity
  • Group by: the file in which the vulnerabilities are detected
  • Check Name: filter by the check which detects vulnerabilities in the repository



Misconfigurations tab

Aqua defines different built-in policies for the following configuration types to detect misconfigurations:

  • CloudFormation
  • Containerfile
  • Dockerfile
  • Helm Chart
  • Kubernetes
  • RBAC
  • Terraform

For more information, refer to Aqua's defsec GitHub repository.


This tab shows the following information:

  • List of all misconfigurations, grouped by the file in which they are detected
  • Basic information for each misconfiguration, such as the check which detected the instance, its severity, and the resource in which it is detected
  • Misconfiguration detail view: click the resource or severity of any misconfiguration in the list to open a window with full details about the misconfiguration and the check which detected it, as shown below
  • Click the check name of any misconfiguration in the list to open full details of the misconfiguration check from the Aqua vulnerability database in a new tab

Using the controls at the top of the page, the list can be filtered by one of the misconfiguration severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to all misconfigurations with high severity:



Suppress misconfiguration

From the misconfiguration detailed view, you can suppress all the misconfigurations detected by a specific check, acknowledging that they will be fixed later.


To suppress the misconfiguration:

  1. In the misconfiguration detailed view, click Suppress Misconfiguration. The Suppress Check dialog appears, showing the check which detected the misconfiguration in your repository and branch.
  2. Complete the configuration of the suppression check. For more information, refer to Create Suppression Rules.
  3. Click Suppress. The specific check is suppressed for now, so that code containing these misconfigurations can still build successfully.


Pipelines tab

This tab shows all the misconfigurations detected in the pipelines which are connected to the current code repository. You can click any misconfiguration to see its detailed view. For more information on the list and detailed view of misconfigurations detected in the pipelines, refer to Build Pipelines.



Sensitive Data tab

This tab shows the following information:

  • List of all instances of sensitive data, such as passwords or keys, grouped by the file in which they are detected
  • Basic information for each instance of sensitive data, such as the check which detected the instance, its severity, and the resource in which it is detected
  • Sensitive data detail view: click any row in the list to open a window with full details about the sensitive data and the check which detected the instance, as shown below. You can click the sensitive data reference in the window to navigate directly to the code snippet in the code repository where this instance of sensitive data was found.

Using the controls at the top of the page, the list can be filtered by one of the sensitive data severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to all instances of sensitive data with high severity:



SAST tab

This tab shows the results of Static Application Security Testing (SAST) checks performed on your application code. These results help developers identify security issues in the early stages of development and resolve them before they are carried into the next phase of the SDLC (Software Development Lifecycle).


Aqua performs SAST checks on the packages developed in the following programming languages:

  • Bash (beta)
  • C (beta)
  • C#
  • C++ (beta)
  • Dockerfile (beta)
  • Elixir (beta)
  • Go
  • HTML (beta)
  • Java
  • JavaScript
  • JSON
  • JSX
  • Kotlin (beta)
  • Lua (beta)
  • OCaml (beta)
  • PHP
  • Python
  • R (beta)
  • Ruby
  • Rust (beta)
  • Scala
  • Solidity (beta)
  • Swift (beta)
  • Terraform
  • TSX
  • TypeScript


The SAST results show the presence of security issues in your application code. Each security issue is assigned a severity, which helps you prioritize fixing the issues. This tab shows the following information:

  • List of all SAST results, grouped by the package manager in which they are detected.
  • The following basic information for each SAST result in the list:
    • SAST check name
    • Common Weakness Enumeration (CWE) number: identifies the class of weakness detected in the application code.
    • Category of the security issue: Best Practice, Correctness, Maintainability, Performance, Portability, or Security.
      • Sub-category: after the category of the security issue, the sub-category ("vulnerability" or "audit") is also displayed. Security issues of the "vulnerability" sub-category are intended for developers to fix. Security issues of the "audit" sub-category are intended for code auditors.
    • Technology: the technology on which the specific SAST check is defined. The technology of a SAST result can be a programming language, library, or framework, such as Django, docker, or express.
    • Severity of the result: Critical, High, Medium, Low, or Unknown



  • SAST result detailed view: click any result in the list to open a window with full details of the SAST result and the check which detected it. The detailed view includes a link to the resource where the security issue was found; clicking it navigates directly to that resource so you can fix the security issue.



Other controls - SAST results

  • Filter the results by:
    • Severity of the security issues: critical, high, medium, low, or unknown, at the top of the page
    • Check name, at the top right of the page
  • Group the SAST results by the file in which the security issues are detected, or by the check which detects security issues across different files
  • Search for any file name to see the security issues detected in it



Builds tab

This tab shows the list of all builds that use the specific repository, including all the security findings detected in each build process. You can filter the builds by branch name. Builds can contain security issues when, for example, a pull request introduced vulnerabilities that were not detected earlier; such vulnerabilities are detected when the builds are scanned.



Artifacts tab

This tab shows all the release artifacts created from the specific code repository after building your application code, with the details of each release artifact. In this tab, you can also integrate with any pipeline from the already selected combination of source code management tool and CI/CD build system; this adds more release artifacts once the integrated pipeline is built. For more information on the details of release artifacts and on integrating with a pipeline in the build system to add more release artifacts, refer to Release Artifacts.



Dependencies tab

This tab shows the details of the dependencies used in building the application code in the specific code repository, and the vulnerabilities detected in each dependency. This helps you identify vulnerable dependencies and replace them with non-vulnerable alternatives or with other versions of the same dependencies.


This tab shows the following details of each dependency:

  • Name
  • File: dependency file name
  • Type: Registry from which the dependency is used
  • Vulnerabilities: Count of vulnerabilities categorized by their severities


Other controls - Dependencies

The following controls appear at the right middle of the page:

  • Search: enter the name of any dependency you have used to see the vulnerabilities detected in it
  • Export SBOM: click this button to export the full Software Bill of Materials (SBOM) as a JSON file



Note that this tab shows the dependencies used by the application code currently in the repository, whereas the dependencies shown in the Release Artifacts page are those used in the specific release artifact version in production.


Tool Chain tab

This tab shows the following information:

  • Security issues, reported as failed checks (Aqua's predefined checks), detected in the source code repository and associated with the different stages of the supply chain, such as source code, build, dependency, and artifact
  • Severity of each security issue

For more information on Tool Chain, refer to Tool Chain.



You can also filter the security issues by one of the following stages in which these issues are detected:

  • Source Code
  • Build
  • Dependency
  • Artifact

For each security issue, you can click the Remediate button to see the instructions for remediating the issue in each source code management tool.