Overview

The software supply chain covers the entire Software Development Life Cycle (SDLC), from developing and storing code in Source Code Management (SCM) tools, through build pipelines, to deploying code in customer production environments. Aqua can secure your application development at every stage of the SDLC once you integrate the respective service provider systems, such as source code management tools and build pipelines, from the Integrations page.


The set of tools used for the different stages of the software supply chain is called the Tool Chain. These tools should be integrated with Aqua to provide full security coverage for your application.


Tool chain offers the following capabilities:

  • Audits tools in each stage of the software supply chain for security compliance 
  • Detects and analyzes security issues
  • Lets users remediate the detected security issues


Tool chain can detect security issues in the following stages of the software supply chain:

  • Source Code Management tools
  • Dependencies
  • Build
  • Artifacts
  • Deployment of your code


Aqua currently detects and displays security issues in source code and builds only. Support for detecting security issues in dependencies and artifacts will be added in the future.


The following image shows the security coverage of the tool chain for the assessment of security issues:



This feature detects security issues in the tool chain by running Aqua's checks against all the assets in the different tools. The security issues are categorized into the stages of the software supply chain listed above. For each tool, security issues are shown as failed checks, together with their severity and the assets in which they were detected.


This article explains the Tool Chain page and guides you through analyzing and remediating the security issues it reports. You can access the page from the left menu.


Auditing checks on the tool chain detects security issues in the different tools and displays the number of checks (security issues) performed in each stage of the software supply chain. The failed checks (security issues) in each stage are displayed under the following categories on the UI:

  • Source Code
  • Build
  • Dependency (will be supported soon)
  • Artifact (will be supported soon)
  • All: Aggregation of all security issues detected in the tools. Security issues specific to source code and build are labelled with "Source Code" and "Build" respectively to identify the source of the issues easily.


This page shows the security issues detected in all assets across the different platforms, categorized by failed check.



Prerequisites

  • To display the security issues in the Source Code stage of the supply chain, your code repositories should be integrated with Aqua through either the Source Code Management or CI Integrations option. For more information on these integrations, refer to Code Repository Integrations.
  • To display the security issues in the Build stage of the supply chain, your build platforms should be integrated with Aqua. For more information, refer to Integration with Build Platforms.

Filtering and sorting of security issues

By default, the Tool Chain page shows all the security issues detected in different platforms sorted by failed checks.


You can search or filter security issues by the following options:

  • Search by check name or ID
  • Platform: select a platform next to the filter button to show only the security issues detected in it
  • More filters:
    • Severity of the detected security issues
    • Asset type within the platform, such as Repository, Group, or Subgroup
    • Asset name


You can sort all security issues by using the Group By option at the top right of the page, as explained below:

  • Check: This is the default option. If you select it, all security issues are sorted by failed check.
  • None: If you select this, all security issues are displayed in a flat, ungrouped list.


You can navigate to the Integrations page by clicking the Gear button at the top right side of the page.



Assessment and remediation of security issues

The Tool Chain page shows all the security issues detected in different platforms sorted by failed checks. 


Assessment

When you expand any failed check, you can see the following details for assessment:

  • Severity of the possible security issues detected
  • Details of the failed check, such as the check name, ID, and what is assessed in the assets
  • List of assets across the different platforms in which the check failed because of detected security issues. Each entry has an external link to the platform, where you can review the asset and its configuration to assess the detected issues.


Remediation

In addition to showing the assessment of security issues in the assets, Aqua provides instructions for remediating those issues in the platform.


To remediate security issues:

  1. Expand a failed check.
  2. Click the Remediate button on the right side of the page. A dialog appears showing the remediation instructions and the platforms in which the configuration must be changed.
  3. Navigate to the respective platform and fix the configuration by following the remediation instructions.