
Overview

The Release Artifacts page displays all the release artifacts. These artifacts were created after building your application code from the code repository associated with the CI/CD build system. This page displays:

  • Full details of each release artifact
  • All dependencies used when building the application code
  • Vulnerabilities detected in each dependency. This information helps you fix your application code before code with security issues is pushed to production environments.


From the Release Artifacts page, you can integrate with any CI/CD pipeline to see the release artifacts that will be created after building your application code in the specific build system. Release Artifacts that were created from the respective code repository are displayed in the Code Repositories page > specific code repository > Release Artifacts tab.


This article explains the Release Artifacts page which shows details of all the release artifacts created in the CI/CD pipeline.


In the Supply Chain Security module, from the left menu, when you select Release Artifacts, you will see the Release Artifacts page as shown below.



Supported programming languages and package managers for scanning

Aqua scans the following programming languages and package managers in the release artifacts, to detect risks:


Programming language / Package managers
C/C++
  • conan.lock
Go
  • Binaries built by Go
  • go.mod
Java
  • gradle.lockfile
  • JAR/WAR/PAR/EAR
  • pom.xml
.NET
  • .deps.json
  • Nuget non-lock file (*proj)
  • packages.lock.json
  • packages.config
Node.js
  • package.json
  • package-lock.json
  • pnpm-lock.yaml
  • yarn.lock
PHP
  • composer.lock
Python
  • egg package
  • Pipfile.lock
  • poetry.lock
  • requirements.txt
  • wheel package
Ruby
  • Gemfile.lock
  • gemspec
Rust
  • Binaries built with cargo-auditable
  • Cargo.lock


Integrate Build Pipeline to discover Release Artifacts

This section explains how to integrate your Source Code Management tool with your CI/CD build system so that the release artifacts created after building your application code are displayed. The integration adds release artifacts that are mapped to the build system.

To integrate source code management and CI/CD build system to discover artifacts:

  1. Click Integrate on the top right side of the page. A dialog for integration appears.
  2. From the SCM type dropdown, select your Source Code Management tool.


After selecting a source code management tool, the supported build systems for the selected source code management tool will be updated in the dropdown. The following table shows the support of build systems for each source code management tool.


Source code management tool / Supported build system
Azure
  • Azure Pipelines
Azure Server
  • Azure Pipelines
Bitbucket
  • Bitbucket Pipelines
  • Jenkins
Bitbucket Server
  • Jenkins
GitHub
  • GitHub Workflows
  • Jenkins
GitHub Server
  • GitHub Workflows
  • Jenkins
GitLab
  • GitLab CI/CD
  • Jenkins
GitLab Server
  • GitLab CI/CD
  • Jenkins


  3. From the Build System type dropdown, select the build system in which you want to discover release artifacts.

  4. Add the following variables as secret values to your build pipeline configuration:

  • AQUA_KEY
  • AQUA_SECRET

Note: You can get the Aqua Key and Aqua Secret from the Account Management > Settings > API Keys page. These secrets authenticate your build system to the Aqua environment it is integrated with, to which the release artifacts are reported. For details on how to store secret values, refer to the product documentation for your build system.


  5. Depending on the Source Code Management tool and build system combination selected, perform one of the steps listed in Additional steps required for integration below. If your combination is not listed in that section, no other action is required for this step.


Depending on the Source Code Management tool and build system combination selected, a specific code snippet is generated in the UI.


  6. Copy the code snippet generated in the UI and add the required details to it, such as the Docker image and the artifact path. For example, Docker image: my_build_image:prod-123 and Artifact path: "./package.json", "./app".

  7. Use the edited code snippet to add a step to your pipeline configuration after the build step.


If you select "Jenkins" as the build system, two code snippets are generated, named Scripted and Declarative. Use whichever one matches your pipeline configuration.


  8. If you select either Bitbucket or Bitbucket Server as the Source Code Management tool, install the "Pull Request Commit Links" app. The installation is triggered automatically in the Bitbucket UI, Pull Requests page > Commits tab.


For each combination of Source Code Management tool and build system, the UI shows instructions for integration. The following screenshot shows the release artifact integration dialog with the Source Code Management tool and build system combination selected as "Bitbucket" and "Jenkins".
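As an added illustration of steps 4, 6 and 7 above (not a snippet from the Aqua UI or from the product documentation), the following GitHub Workflows job shows where the secrets and the reporting step sit in a pipeline. The build commands and the body of the final step are placeholders; the real step body is the snippet the UI generates for your SCM and build system combination.

```yaml
name: build-and-report-release-artifact

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build step: produces the artifacts that will be reported.
      # The commands below are placeholders for this example.
      - name: Build application
        run: |
          npm ci
          npm run build --if-present
          docker build -t my_build_image:prod-123 .

      # The Aqua step is added AFTER the build step (step 7).
      # Replace the body of "run" with the snippet generated in the Aqua UI;
      # the echo below is only a placeholder, not the real snippet.
      - name: Report release artifact to Aqua
        env:
          # Step 4: stored as encrypted repository secrets, never as literals
          # in the workflow file. GitHub masks secret values in job logs.
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          # Step 6: values the snippet asks for, using the text's own example.
          DOCKER_IMAGE: my_build_image:prod-123
          ARTIFACT_PATHS: '"./package.json", "./app"'
        run: |
          # <paste the UI-generated snippet here>
          echo "Placeholder: would report $DOCKER_IMAGE and $ARTIFACT_PATHS"
```

The same layout applies to the other build systems in the table: the secrets are defined in that system's secret store (for example as protected CI/CD variables in GitLab) and the generated step is placed after the step that produces the artifact.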



Additional steps required for integration


If you select the Source Code Management tool and build system combination as "Bitbucket" and "Bitbucket Pipelines", perform the following steps:

  1. In your Bitbucket Source Code Management tool configuration, create an app password. For more information, refer to the Bitbucket documentation, Create an App password.
  2. Add Bitbucket username and password as workspace variables "USER_NAME" and "PASSWORD" in your Bitbucket pipeline configuration. For more information, refer to the Bitbucket Pipeline document, Variables and secrets.


If you select the Source Code Management tool and build system combination as "Bitbucket" and "Jenkins", perform the following step:

  1. In your Jenkins Pipeline configuration > Manage Jenkins > Manage Credentials > Global credentials, select credential type as "Username with password" and add Bitbucket Username and Password. For more information, refer to the Jenkins documentation, Using credentials.


If you select the Source Code Management tool and build system combination as either "GitLab and GitLab CI/CD" or "GitLab Server and GitLab CI/CD", perform the following steps:

  1. In your GitLab Source Code Management tool configuration, create a personal access token. For more information, refer to the GitLab documentation, Personal access tokens.
  2. Add GitLab personal access token as CI/CD variable "GITLAB_TOKEN" in your GitLab CI/CD pipeline configuration. For more information, refer to GitLab CI/CD document, GitLab CI/CD variables.


If you select the Source Code Management tool and build system combination as "Bitbucket Server and Jenkins", perform the following steps:

  1. In your Bitbucket Server Source Code Management tool configuration, create an access token. For more information, refer to the Bitbucket Server documentation, HTTP access tokens.
  2. In your Jenkins Pipeline configuration > Manage Jenkins > Manage Credentials > Global credentials, select credential type as "Secret text".
  3. In the ID field, add "BITBUCKET_TOKEN" and in the Secret field, add the Bitbucket access token that you created in Step 1. For more information, refer to the Jenkins documentation, Using credentials.


Release Artifact details

In the Release Artifacts page, when you click any release artifact, its detailed view appears. Each release artifact has three sections, Code, Build and Artifact, which are explained below.


Code

This section has details of the code from the repository that is used to build your application. If any vulnerabilities are detected in the release artifact dependencies, you can navigate from this section to the Source Code Management tool to fix the code.

This section shows the following details to know more about your code.

  • Version: Select a specific code version, details of which you want to see
  • Created Date
  • System: Source Code Management tool in which your code repositories are stored
  • Pusher: build system user who has pushed code changes to the repository
  • Repository: Repository where the code is stored
  • Branch is Protected: Status of the branch protection (True/False)
  • Submitted as PR: to check whether the code changes are pushed through a Pull Request (PR) (True/False)
  • Multi-Factor Auth: Result of the configuration defined in the Source Code Management tool
  • Two Min Reviewers: Result of the configuration defined in the Source Code Management tool
  • Commits: details of last commit such as user who committed the code changes, message entered while performing commit, and last commit date and time. You can also click Open commit to navigate to the commit page in the Source Code Management tool to know more about the commit.
  • Export SBOM: Click this to export the full SBOM as a JSON file to your machine. This helps in analysis of the code.



Build

This section shows details of the build in the CI/CD build system. When configured in your build system, Aqua scans the build and performs a few security checks. 


This section shows the following details on the build:

  • System: CI/CD build system in which your application code is built
  • Operating System
  • Run number
  • Link: to navigate to the specific pipeline in your CI/CD build system to see full details on the build
  • Security Checks: This section shows different types of security checks performed on your build. These security check types are Sensitive Data, Misconfigurations, Vulnerabilities, and SAST (Static Application Security Testing). These security checks are performed by the application configured in your build system, such as Aqua Trivy. For each type of security check, Aqua displays the application used to perform the check.


Current Limitation: Security checks are not displayed for the release artifacts created using the code repositories associated with Jenkins or Bitbucket Pipelines.



Artifact

This section shows details of the specific release artifact created after building your application code in the CI/CD build system. It also displays all the dependencies used to create the release artifact and vulnerabilities detected in each dependency. This helps you get back to the code and fix vulnerabilities in the dependencies.


This section shows the following details on a specific release artifact:

  • Type: Release artifact type
  • Name
  • Operating System
  • Default User
  • Created Date
  • Dependencies: The list of all dependencies used in building the application code that produced this release artifact. You can also search for any dependency you have used, to see the vulnerabilities detected in it. Each dependency shows the following details:
    • Name
    • License details of the dependency
    • Type: The artifact repository or package ecosystem from which the dependency is used (for example Docker, Maven, Npm)
    • Vulnerabilities: Count of vulnerabilities categorized by their severities



Other controls

The following controls appear at the right middle of the page:

  • Search: release artifacts by their full or partial name
  • Filter: release artifacts by their dependency names, license types, dependency types (such as Docker, Maven, Npm), and Security checks performed on the Build (vulnerabilities, sensitive data, misconfigurations, SAST).