
Overview

The software supply chain covers the entire Software Development Life Cycle (SDLC), from developing and storing code in Source Code Management tools, through build pipelines, to deploying code in customer production environments. Aqua can secure your application development at every stage of the SDLC when you integrate the respective service provider systems, such as Source Code Management tools and build pipelines, from the Integrations page.


The set of tools used across the different stages of the software supply chain is called the Tool Chain. These tools should be integrated with Aqua to provide full security coverage for your application.


Tool chain is one of the assessments available on the Risk Assessment page. More assessment options will be added in the future.


Tool chain offers the following capabilities:

  • Audits the tools in each stage of the software supply chain for security compliance
  • Detects and analyzes security issues
  • Lets users remediate the detected security issues


Tool chain can detect security issues in the following stages of the software supply chain:

  • Source Code Management tools
  • Dependencies
  • Build pipelines
  • Artifacts
  • Deployment of your code


Aqua currently detects and displays security issues in the Source Code stage only. Support for the remaining stages will be added in the future.


The following image shows the security coverage of the tool chain for the assessment of security issues:



This feature detects security issues in the tool chain by running Aqua's predefined checks against all the assets in the integrated tools. The detected issues are categorized into the software supply chain stages listed above. For each tool, security issues are shown as failed checks, together with their severity and the assets in which they were detected.


This article explains the Risk Assessment page and guides you on how to analyze the security issues and remediate them. You can access the Risk Assessment page from the left menu.


Tool Chain

Auditing checks on the tool chain detects security issues in the different tools and displays the number of failed checks (security issues) in each stage of the software supply chain:

  • Source Code
  • Build
  • Dependency
  • Artifact
  • All: Aggregation of all security issues detected in the tools


This page shows the security issues detected in all the assets across the different platforms, grouped by failed check.



Filtering and sorting of security issues

By default, the Tool Chain page shows all the security issues detected in the different platforms, grouped by failed check.


You can search or filter security issues by the following options:

  • Search by check name or ID
  • Platform: select a platform next to the filter button to show only the security issues detected in it
  • More filters:
    • Severity: the severity of the detected security issues
    • Asset type: the asset type in the platform, such as Repository, Group, or Subgroup
    • Asset name


You can group all security issues by using the Group By option at the top right side of the page, as explained below:

  • Check: This is the default option. If you select it, all security issues are grouped by failed check.
  • None: If you select it, all security issues are displayed in a single ungrouped list.


You can navigate to the Integrations page by clicking the Gear button at the top right side of the page.



Assessment and remediation of security issues

The Tool Chain page shows all the security issues detected in the different platforms, grouped by failed check.


Assessment

When you expand any failed check, you can see the following details for assessment:

  • Severity of the detected security issues
  • Details of the failed check, such as the check name, its ID, and what it assesses in the assets
  • List of assets in the different platforms in which the check failed because of the detected security issues. Each entry has an external link to the platform, where you can review the asset and its configuration to assess the detected issue.



Remediation

Along with the assessment of security issues in the assets, Aqua provides instructions for remediating these security issues in the platform.


To remediate security issues:

  1. Expand a failed check.
  2. Click the Remediate button on the right side of the page. A dialog appears showing the remediation instructions and the platforms in which the configuration must be fixed.
  3. Navigate to the respective platform and fix the configuration by following the remediation instructions.