
Overview

This topic explains the security issues found in a code repository during its scanning and all the information about the repository and its scan results in the repository detail view.


Review security findings in the repositories

On the Code Repositories page, the Security Findings column of each repository may show the following issues:

  • All vulnerabilities, by severity, represented with distinct color codes. The color coding of each vulnerability severity is displayed at the top of the page.
  • All instances of sensitive data, by severity, represented with distinct color codes. The color coding of each sensitive data severity is the same as that of vulnerability severity.
  • All misconfigurations, by severity, represented with distinct color codes. The color coding of each misconfiguration severity is the same as that of vulnerability severity.


Security findings detected in different repositories are explained in the following example:



  • No instances of sensitive data or vulnerabilities were detected by Aqua in the repository terraform-provider-aws.
  • The repository insecure-app-demo was found to contain 27 vulnerabilities and 9 instances of sensitive data of different severities.
  • The repository insecure-app-example was found to contain 5 misconfigurations of different severities.
  • All the repositories are compliant with Aqua.


Repository scan detailed view

Click the repository name to see its detailed view and scan results. The repository scan detailed view consists of the following tabs, each explained in its own section below:

  • Overview
  • Vulnerabilities
  • Misconfigurations
  • Pipelines
  • Sensitive Data
  • Builds
  • Artifacts
  • Dependencies
  • Tool Chain
  • SAST (coming soon)

Overview

This tab shows the following information:

  • Repository compliance status
  • Full details of the repository
  • Details widgets showing the number and severities of vulnerabilities, misconfigurations, and instances of sensitive data in different pie charts



Vulnerabilities

This tab shows the following information:

  • List of all vulnerabilities, grouped by the file in which they are detected
  • Basic information about each vulnerability, such as its severity, the package in which it is detected, and whether a vendor fix is available
  • Vulnerability detail view: click any row in the Vulnerabilities list to open a window with full details about the vulnerability, as shown below.

Using the controls at the top of the page, you can filter the list by one of the vulnerability severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to vulnerabilities of medium severity:



You can also sort, group, and filter the list of vulnerabilities using the controls at the top of the page:

  • Sort by severity
  • Group by: the file in which the vulnerabilities are detected
  • Check Name: the check that detected the vulnerabilities in the repository



Misconfigurations

This tab shows the following information:

  • List of all misconfigurations, grouped by the file in which they are detected
  • Basic information about each misconfiguration, such as the check that detected it, its severity, and the resource in which it is detected
  • Misconfiguration detail view: click the resource or severity of any misconfiguration in the list to open a window with full details about the misconfiguration and the check that detected it, as shown below
  • Click the check name of any misconfiguration in the list to open full details of the misconfiguration check from the Aqua vulnerability database in a new tab

Using the controls at the top of the page, you can filter the list by one of the misconfiguration severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to misconfigurations of high severity:



Suppress misconfiguration

From the misconfiguration detailed view, you can suppress all the misconfigurations detected by a specific check, acknowledging that they will be fixed later.


To suppress the misconfiguration:

  1. In the misconfiguration detailed view, click Suppress Misconfiguration. The Suppress Check dialog appears, showing the check that detected the misconfiguration in your repository and branch.
  2. Complete the configuration of the suppression check. For more information, refer to Create Suppression Rules.
  3. Click Suppress. The specific check is suppressed for now, so that the code builds successfully despite the misconfigurations.


Pipelines

This tab shows all the misconfigurations detected in the pipelines that are connected to the current code repository. Click any misconfiguration to see its detailed view. For more information on the list and detailed view of misconfigurations detected in the pipelines, refer to Build Pipelines.



Sensitive data

This tab shows the following information:

  • List of all instances of sensitive data, such as passwords or keys, grouped by the file in which they are detected
  • Basic information about each instance of sensitive data, such as the check that detected it, its severity, and the resource in which it is detected
  • Sensitive data detail view: click any row in the list to open a window with full details about the sensitive data and the check that detected the instance, as shown below. Click the sensitive data reference in the window to navigate directly to the code snippet in the code repository where this instance of sensitive data was found.

Using the controls at the top of the page, you can filter the list by one of the sensitive data severity levels: critical, high, medium, low, or unknown. The following screenshot shows the list filtered to instances of sensitive data of high severity:



Builds

This tab lists all builds that use the specific repository, together with all the security findings detected in each build process. You can filter the builds by branch name. Builds can contain security issues when, for example, a pull request introduces vulnerabilities that were not detected earlier; these are detected when the builds are scanned.



Artifacts

This tab shows all the release artifacts created from the specific code repository after your application code is built, with the details of each release artifact. In this tab, you can also integrate with any pipeline from the already selected combination of source code management tool and CI/CD build system; once the integrated pipeline is built, its release artifacts are added here. For more information on the details of release artifacts and on integrating with a pipeline in the build system to add more release artifacts, refer to Release Artifacts.



Dependencies

This tab shows the details of the dependencies used to build the application code in the specific code repository, and the vulnerabilities detected in each dependency. This helps you identify vulnerable dependencies and replace them with non-vulnerable alternatives, or switch to other versions of the same dependencies.


This tab shows the following details of each dependency:

  • Name
  • File: name of the dependency file in which the dependency is declared
  • Type: registry from which the dependency is obtained
  • Vulnerabilities: count of vulnerabilities, categorized by severity


Other controls

The following controls appear at the middle right of the page:

  • Search: search for any dependency that you use, to see the vulnerabilities detected in it
  • Export SBOM: click this button to export the full Software Bill of Materials (SBOM) as a JSON file



This tab shows the dependencies used by the application code currently in the repository, whereas the dependencies shown on the Release Artifacts page are those used in the specific release artifact version in production.
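The Dependencies tab and the Export SBOM button above give the same information in two forms: a per-dependency table with vulnerability counts by severity, and a JSON SBOM you can process outside the UI. The following added example (not Aqua's code, and not from the original page) shows how to derive the tab's columns (name, registry, counts by severity) from an exported SBOM and flag dependencies that need replacing. It assumes the export uses the CycloneDX JSON layout (the page does not name the format) and works on a small constructed SBOM embedded inline, with placeholder vulnerability ids rather than real advisories.

```python
import json
from collections import Counter

# Constructed sample SBOM in CycloneDX 1.4 JSON layout. This is an assumption about the
# export format; the page does not state it. Package names and vulnerability ids are
# placeholders, not real packages or advisories.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:npm/example-lib@1.2.3", "bom-ref": "pkg:npm/example-lib@1.2.3"},
        {"type": "library", "name": "example-pkg", "version": "4.5.6",
         "purl": "pkg:pypi/example-pkg@4.5.6", "bom-ref": "pkg:pypi/example-pkg@4.5.6"},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1",
         "ratings": [{"severity": "high"}, {"severity": "medium"}],
         "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}]},
        {"id": "VULN-PLACEHOLDER-2",
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}]},
        {"id": "VULN-PLACEHOLDER-3",
         "ratings": [],   # no rating given: counted as "unknown"
         "affects": [{"ref": "pkg:pypi/example-pkg@4.5.6"}]},
    ],
})

# Severity levels used by the Dependencies tab, most severe first.
SEVERITIES = ("critical", "high", "medium", "low", "unknown")
RANK = {sev: i for i, sev in enumerate(SEVERITIES)}


def registry_from_purl(purl):
    """Map a package URL (pkg:<type>/...) to its registry, like the tab's Type column."""
    if not purl or not purl.startswith("pkg:"):
        return "unknown"
    return purl[len("pkg:"):].split("/", 1)[0]


def worst_severity(vuln):
    """Highest severity among a vulnerability's ratings; 'unknown' if none or unrecognised."""
    sevs = [str(r.get("severity", "unknown")).lower() for r in vuln.get("ratings", [])]
    sevs = [s if s in RANK else "unknown" for s in sevs]
    return min(sevs, key=RANK.__getitem__) if sevs else "unknown"


def summarize_sbom(sbom_json):
    """Build {bom-ref: {name, version, registry, vulnerabilities: Counter}} from SBOM JSON."""
    sbom = json.loads(sbom_json)
    summary = {}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp["name"]
        summary[ref] = {
            "name": comp["name"],
            "version": comp.get("version", ""),
            "registry": registry_from_purl(comp.get("purl")),
            "vulnerabilities": Counter(),
        }
    # Each vulnerability lists the components it affects by bom-ref; count it once per component.
    for vuln in sbom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            if ref in summary:
                summary[ref]["vulnerabilities"][sev] += 1
    return summary


def vulnerable_dependencies(summary, at_least="high"):
    """Sorted names of dependencies with a vulnerability at or above the given severity."""
    cutoff = RANK[at_least]
    return sorted(
        entry["name"] for entry in summary.values()
        if any(entry["vulnerabilities"][s] for s in SEVERITIES[: cutoff + 1])
    )


if __name__ == "__main__":
    table = summarize_sbom(SAMPLE_SBOM)
    for entry in table.values():
        counts = " ".join(f"{s}={entry['vulnerabilities'][s]}" for s in SEVERITIES)
        print(f"{entry['name']}@{entry['version']} [{entry['registry']}] {counts}")
    print("needs attention (high or above):", vulnerable_dependencies(table))
```

The `worst_severity` helper matters when a vulnerability carries several ratings (for example a vendor rating and a scanner rating); counting it once at its highest rating keeps the per-dependency totals consistent with a single-severity column. Dependencies whose vulnerabilities carry no rating land in the "unknown" bucket rather than disappearing from the count.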


Tool Chain

This tab shows the following information:

  • Security issues, shown as failed checks (Aqua's predefined checks), detected in the source code repository and associated with the different stages of the supply chain: source code, build, dependency, and artifact
  • Severity of each security issue

For more information on Tool Chain, refer to Risk Assessment.



You can also filter the security issues by one of the following stages in which these issues are detected:

  • Source Code
  • Build
  • Dependency
  • Artifact

For each security issue, click the Remediate button to see instructions for remediating the issue in each source code management tool.



SAST (coming soon)


Aqua's Supply Chain Security will expand further by introducing Static Application Security Testing (SAST) of your application code by the end of 2022. Trivy Premium will gain the ability to perform static code analysis and detect issues in your application's code. Once this feature is introduced, Aqua platform users will see SAST results automatically.