Overview

The Release Artifacts page displays all the release artifacts created when your application code, from all your code repositories, was built in the CI/CD build systems. The page shows the full details of each release artifact, all the dependencies used while developing the application code, and, most importantly, the vulnerabilities detected in each release artifact dependency. This information on vulnerable dependencies helps you fix your application code and prevents code with security issues from being pushed to production environments.


From the Release Artifacts page you can integrate with any pipeline in a CI/CD build system to see the release artifacts created after your application code is built in that build system. Release artifacts created from a specific code repository are also displayed under Code Repositories page > specific code repository > Release Artifacts tab.


This article explains the Release Artifacts page, which shows the details of all the release artifacts created in the CI/CD build systems.


In the Supply Chain Security module, from the left menu, when you select Release Artifacts, you will see the Release Artifacts page as shown below.



Integrate Build Pipeline to discover Release Artifacts

This section explains how to integrate with your SCM tool and CI/CD build system so that the release artifacts created after building your application code are displayed. This integration adds release artifacts that are mapped to the build system.

To integrate with the SCM tool and CI/CD build system and discover artifacts:

  1. Click Integrate on the top right side of the page. A dialog for integration appears.
  2. From the SCM type dropdown, select your SCM tool.


After you select an SCM tool, the build systems that Aqua supports for it change accordingly. The following table shows the supported build systems for each SCM tool.


SCM tool            Supported build system
Azure               Azure Pipelines
Bitbucket           Bitbucket Pipelines, Jenkins
Bitbucket Server    Jenkins
GitHub              GitHub Workflows, Jenkins
GitLab              GitLab CI/CD, Jenkins


  3. From the Build System type dropdown, select the build system in which you want to discover release artifacts.

  4. Add the following variables to your build pipeline configuration:

  • AQUA_KEY
  • AQUA_SECRET
  • BILLY_URL

Notes: 

  • You can get the Aqua Key and Aqua Secret from the CSPM module > Settings > API Keys page. These secrets authenticate your build system to the Aqua environment it is integrated with, where the release artifacts will be reported. For information on how to add these variables, refer to the product documentation of your build system.

  • Copy the Billy URL, https://prod-aqua-billy.codesec.aquasec.com, as displayed in the UI and paste it into the configuration of your build system. Billy is the Aqua service that scans release artifacts and creates the Software Bill of Materials (SBOM).


  5. Depending on the SCM tool and build system combination you selected, perform one of the procedures in Additional steps required for integration below. If your combination is not listed in that section, no other action is required for this step.


Depending on the SCM tool and build system combination you selected, a specific code snippet is generated in the UI.


  6. Copy the code snippet generated in the UI, make any changes required, and use it to add a step to your build pipeline configuration after the build step.


If you select "Jenkins" as the build system, two code snippets are generated, named Scripted and Declarative. Use whichever one matches your pipeline configuration.


  7. If you select either Bitbucket or Bitbucket Server as the SCM tool, install the "Pull Request Commit Links" app. The installation is triggered automatically from the Bitbucket UI, Pull Requests page > Commits tab.


For each combination of SCM tool and build system, the UI shows integration instructions. The following screenshot shows the release artifact integration dialog with the SCM tool and build system combination "Bitbucket and Jenkins" selected.



Additional steps required for integration


If you select "Bitbucket and Bitbucket Pipelines" as the SCM tool and build system combination, perform the following steps:

  1. In your Bitbucket SCM tool configuration, create an app password. For more information, refer to the Bitbucket documentation, Create an App password.
  2. Add the Bitbucket username and password as the workspace variables "USER_NAME" and "PASSWORD" in your Bitbucket Pipelines configuration. For more information, refer to the Bitbucket Pipelines documentation, Variables and secrets.


If you select "Bitbucket and Jenkins" as the SCM tool and build system combination, perform the following step:

  1. In your Jenkins configuration, go to Manage Jenkins > Manage Credentials > Global credentials, select the credential type "Username with password", and add the Bitbucket username and password. For more information, refer to the Jenkins documentation, Using credentials.


If you select "GitLab and GitLab CI/CD" as the SCM tool and build system combination, perform the following steps:

  1. In your GitLab SCM tool configuration, create a personal access token. For more information, refer to the GitLab documentation, Personal access tokens.
  2. Add the GitLab personal access token as the CI/CD variable "GITLAB_TOKEN" in your GitLab CI/CD pipeline configuration. For more information, refer to the GitLab CI/CD documentation, GitLab CI/CD variables.


If you select "Bitbucket Server and Jenkins" as the SCM tool and build system combination, perform the following steps:

  1. In your Bitbucket Server SCM tool configuration, create an access token. For more information, refer to the Bitbucket Server documentation, HTTP access tokens.
  2. In your Jenkins configuration, go to Manage Jenkins > Manage Credentials > Global credentials and select the credential type "Secret text".
  3. In the ID field, enter "BITBUCKET_TOKEN" and in the Secret field, enter the Bitbucket access token that you created in Step 1. For more information, refer to the Jenkins documentation, Using credentials.


Release Artifact details

In the Release Artifacts page, when you click any release artifact, its detailed view appears. Each release artifact has three sections, Code, Build, and Artifact, which are explained below.


Code

This section has details of the code from the repository that was used to build your application. If any vulnerabilities are detected in the release artifact dependencies, you can navigate from this section to the SCM tool to fix the code.

This section shows the following details about your code:

  • Version: Select the specific code version whose details you want to see
  • Created Date
  • System: Source Code Management (SCM) tool in which your code repositories are stored
  • Pusher: build system user who pushed the code changes to the repository
  • Repository: Repository where the code is stored
  • Branch is Protected: Status of the branch protection (True/False)
  • Submitted as PR: Whether the code changes were pushed through a Pull Request (PR) (True/False)
  • Multi-Factor Auth: Result of the configuration defined in the SCM tool
  • Two Min Reviewers: Result of the configuration defined in the SCM tool
  • Commits: Details of the last commit, such as the user who committed the code changes, the commit message, and the date and time of the last commit. You can also click Open commit to navigate to the commit page in the SCM tool to learn more about the commit.
  • Export SBOM: Click this to export the full SBOM as a JSON file to your machine, which helps in analyzing the code.



Build

This section shows details of the build in the CI/CD build system. When configured in your build system, Aqua scans the build and performs several security checks.


This section shows the following details about the build:

  • System: CI/CD build system in which your application code is built
  • Operating System
  • Run number
  • Link: Navigates to the specific pipeline in your CI/CD build system to see the full details of the build
  • Security Checks: This section shows the different types of security checks performed on your build. The check types are Sensitive Data, Misconfigurations, Vulnerabilities, and SAST (Static Application Security Testing). These checks are performed according to the configuration in your build system, which uses specific tools such as Aqua Trivy. For each type of security check, Aqua displays the tool used to perform it.



Artifact

This section shows details of the specific release artifact created after building your application code in the CI/CD build system. It also displays all the dependencies used to create the release artifact and the vulnerabilities detected in each dependency. This helps you go back to the code and fix the vulnerabilities in the dependencies.


This section shows the following details about a specific release artifact:

  • Type: Release artifact type
  • Name
  • Version
  • Created Date
  • Dependencies: The list of all dependencies used in building the application code that produced this release artifact. You can also search for any dependency you used to see the vulnerabilities detected in it. Each dependency shows the following details:
    • Name
    • License details of the dependency
    • Type: Artifact repository type from which the dependency is used (for example Docker, Maven, or Npm)
    • Vulnerabilities: Count of vulnerabilities categorized by severity
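The Export SBOM action in the Code section and the per-dependency vulnerability counts in this Artifact section both come from the same data, the SBOM that Billy produces. The following Python script is an added example, not Aqua's code and not taken from this page: it rebuilds the same per-dependency, per-severity summary offline from an exported SBOM so the same view can be reproduced in a script or a pipeline gate. It assumes the export is CycloneDX 1.4 JSON, which the page does not state; the sample document, the component names and the PLACEHOLDER-VULN ids are constructed for the example. It also handles two cases the UI hides: a vulnerability with several ratings (the worst one counts) and a finding whose reference does not match any listed component (collected rather than silently dropped).

```python
"""Per-dependency vulnerability summary from an exported SBOM.

Added example, not Aqua's code. Assumption: the exported SBOM is CycloneDX 1.4
JSON (the page does not state the export format). The sample below is
constructed; its vulnerability ids are placeholders, not real advisories.
"""
import json
from collections import Counter

# Rank used to pick the worst rating and to apply a threshold (CycloneDX rating values).
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2,
                 "info": 1, "none": 0, "unknown": 0}
UNMATCHED = "<unmatched>"  # bucket for findings whose ref is not a listed component

# Constructed sample SBOM (assumed CycloneDX 1.4 shape).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad",
         "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "bom-ref": "pkg:maven/org.example/parser@2.1.0", "name": "parser",
         "version": "2.1.0", "purl": "pkg:maven/org.example/parser@2.1.0",
         "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
        {"type": "library", "bom-ref": "pkg:npm/example-util@0.9.1", "name": "example-util",
         "version": "0.9.1", "purl": "pkg:npm/example-util@0.9.1"},  # no license data
    ],
    "vulnerabilities": [
        {"id": "PLACEHOLDER-VULN-1", "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:maven/org.example/parser@2.1.0"}]},
        {"id": "PLACEHOLDER-VULN-2", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:maven/org.example/parser@2.1.0"}]},
        {"id": "PLACEHOLDER-VULN-3", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:npm/example-util@0.9.1"}]},
        {"id": "PLACEHOLDER-VULN-4", "ratings": [],  # unrated, and ref not in the BOM
         "affects": [{"ref": "pkg:npm/not-in-bom@0.0.1"}]},
    ],
})


def vuln_severity(vuln):
    """Worst severity across a vulnerability's ratings; 'unknown' if it has none."""
    sevs = [str(r.get("severity", "unknown")).lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0)) if sevs else "unknown"


def purl_type(purl):
    """Package ecosystem from a purl, e.g. 'npm' for 'pkg:npm/left-pad@1.3.0'."""
    if not purl or not purl.startswith("pkg:"):
        return "unknown"
    return purl[len("pkg:"):].split("/", 1)[0]


def component_licenses(component):
    """License ids, names or SPDX expressions declared for a component."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license") or {}
        found.append(lic.get("id") or lic.get("name") or entry.get("expression") or "unknown")
    return found or ["unknown"]


def summarize(sbom_json):
    """Map each component's bom-ref to its name, version, type, licenses and a
    Counter of findings by severity. Findings that reference no listed component
    are collected under UNMATCHED instead of being silently dropped."""
    sbom = json.loads(sbom_json)
    deps = {}
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("purl") or f"{c.get('name')}@{c.get('version')}"
        deps[ref] = {"name": c.get("name"), "version": c.get("version"),
                     "type": purl_type(c.get("purl")),
                     "licenses": component_licenses(c), "vulns": Counter()}
    deps[UNMATCHED] = {"name": None, "version": None, "type": None,
                       "licenses": [], "vulns": Counter()}
    for v in sbom.get("vulnerabilities", []):
        sev = vuln_severity(v)
        for target in v.get("affects", []):
            ref = target.get("ref")
            deps[ref if ref in deps else UNMATCHED]["vulns"][sev] += 1
    return deps


def worst_severity(counter):
    """Highest severity present in a per-dependency Counter ('none' if clean)."""
    return max(counter, key=lambda s: SEVERITY_RANK.get(s, 0)) if counter else "none"


def needs_attention(deps, threshold="high"):
    """Sorted 'name@version' of dependencies whose worst finding meets the threshold."""
    floor = SEVERITY_RANK[threshold]
    return sorted(f"{d['name']}@{d['version']}" for ref, d in deps.items()
                  if ref != UNMATCHED
                  and SEVERITY_RANK.get(worst_severity(d["vulns"]), 0) >= floor)


if __name__ == "__main__":
    report = summarize(SAMPLE_SBOM_JSON)
    for ref, d in report.items():
        print(f"{ref:45} type={d['type']} licenses={d['licenses']} "
              f"worst={worst_severity(d['vulns'])} counts={dict(d['vulns'])}")
    print("at or above high:", needs_attention(report))
```

Run it against a real export by replacing SAMPLE_SBOM_JSON with the file contents; `needs_attention(report, "critical")` is the natural input for a pipeline gate, and a non-empty UNMATCHED bucket is worth investigating because it means findings exist that the per-dependency view cannot attribute.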



Other controls

The following controls appear on the right side of the page:

  • Search: Search release artifacts by their full or partial name
  • Filter: Filter release artifacts by dependency name, license type, dependency type (such as Docker, Maven, Npm), and the security checks performed on the build (vulnerabilities, sensitive data, misconfigurations, SAST).