Overview

This topic explains the security issues found in a code repository when it is scanned, and describes the information about the repository and its scan results that is shown in the repository detail view.


Review security findings in the repositories

In the Code Repositories page, the Security Findings column of each repository may show the following issues:

  • All vulnerabilities, by severity, represented with distinct color codes. The color coding of each vulnerability severity is displayed at the top of the page.
  • All instances of sensitive data, by severity, represented with distinct color codes. The color coding of each sensitive data severity is the same as that of vulnerability severity.
  • All misconfigurations, by severity, represented with distinct color codes. The color coding of each misconfiguration severity is the same as that of vulnerability severity.


The security findings detected in different repositories are explained in the following example:



  • Aqua detected no vulnerabilities and no instances of sensitive data in the repository terraform-provider-aws.
  • The repository insecure-app-demo was found to contain 27 vulnerabilities and 9 instances of sensitive data of different severities.
  • The repository insecure-app-example was found to contain 5 misconfigurations of different severities.
  • All the repositories are compliant with Aqua.


Repository scan detailed view

Click the repository name to see the detailed view of the repository and its scan results. The repository scan detailed view consists of the following tabs, each of which is explained in its own section below:

  • Overview
  • Vulnerabilities
  • Misconfigurations
  • Sensitive Data
  • Builds
  • Release Artifacts


Overview

This tab shows the following information:

  • Repository compliance status
  • Full details of the repository
  • Details widgets showing the number and severities of vulnerabilities, misconfigurations, and instances of sensitive data in different pie charts



Vulnerabilities

This tab shows the following information:

  • List of all vulnerabilities, grouped by the file in which they are detected
  • Basic information about each vulnerability, such as its severity, the package in which it is detected, and whether a vendor fix is available
  • Vulnerability detail view: click any row in the Vulnerabilities list to open a window that provides full details about the vulnerability, as shown below.

Using the controls at the top of the page, the list can be filtered by one of the vulnerability severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to vulnerabilities of critical severity:



You can also sort and group the list of vulnerabilities using the controls at the top of the page, as explained below:

  • Sort by severity
  • Group by: the file in which the vulnerabilities are detected
  • Check Name: the check that detects vulnerabilities in the repository



Misconfigurations

This tab shows the following information:

  • List of all misconfigurations, grouped by the file in which they are detected
  • Basic information about each misconfiguration, such as the check that detected the instance, its severity, and the resource in which it is detected
  • Misconfiguration detail view: click the resource or severity of any misconfiguration in the list to open a window that provides full details about the misconfiguration and the check that detected it, as shown below
  • Click the check name of any misconfiguration in the list to open full details of the misconfiguration check from the Aqua vulnerability database in a new tab

Using the controls at the top of the page, the list can be filtered by one of the misconfiguration severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to all misconfigurations of high severity:



Suppress misconfiguration

From the misconfiguration detailed view, you can suppress all the misconfigurations detected by a specific check, acknowledging them so that they can be fixed later.


To suppress the misconfiguration:

  1. In the misconfiguration detailed view, click Suppress Misconfiguration. The Suppress Check dialog appears, showing the check that detected the misconfiguration in your repository and branch.
  2. Enter a reason for suppressing the check.
  3. Select the delete rule checkbox and define the number of days after which the suppression rule should be deleted automatically.
  4. Click Suppress. The specific check is suppressed for now so that the code can be built successfully despite the misconfigurations. For more information, refer to Create Suppression Rules.


Sensitive data

This tab shows the following information:

  • List of all instances of sensitive data, such as passwords or keys, grouped by the file in which they are detected
  • Basic information about each instance of sensitive data, such as the check that detected the instance, its severity, and the resource in which it is detected
  • Sensitive data detail view: click any row in the list to open a window that provides full details about the sensitive data and the check that detected the instance, as shown below.

Using the controls at the top of the page, the list can be filtered by one of the sensitive data severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to all instances of sensitive data of high severity:



Builds

This tab lists all builds that use the specific repository, together with all the security findings detected during each build process. You can filter the builds by branch name. A build can contain security issues that were not detected in the repository scan, for example when a pull request introduces vulnerabilities that are only detected when the build is scanned.



Release Artifacts

This tab shows all the release artifacts created from the specific code repository by building your application code, with the details of each release artifact. In this tab, you can also integrate with any pipeline from the already selected combination of SCM tool and CI/CD build system; once the integrated pipeline is built, its release artifacts are added here. For more information on the details of release artifacts and on integrating with a pipeline in the build system to add more release artifacts, refer to Release Artifacts.