TABLE OF CONTENTS

• Overview
• Prerequisites
• Other controls
  • Search and Filter
  • Sort
  • Export
• Assessment and remediation of security issues
  • Assessment
  • Remediation

Overview

Software supply chain covers the entire Software Development Life Cycle (SDLC) process right from developing and storing code in the Source Code Management tools through building pipelines, to deployment of code in the customer production environments. Aqua can secure your application development at all stages in the SDLC process when you integrate the respective service provider systems such as Source Code Management tools, build pipelines from the Integrations page. 

The set of tools used for different stages in the software supply chain is called Tool Chain. These tools should be integrated with Aqua to provide full security coverage for your application. 

Aqua offers the following capabilities:

• Audits tools in each stage of the software supply chain for security compliance 
• Detects and analyzes security issues
• Offers the ability to users to remediate security issues

Aqua can detect security issues in the following stages of the software supply chain:

• Source Code Management tools
• Dependencies
• Build
• Artifact
• Deployment of your code

The following image shows the security coverage of tool chain for the assessment of security issues:

This feature detects security issues in the tool chain by auditing Aqua's checks on all the assets in different tools. These security issues are categorized into the stages in the software supply chain as mentioned above. In each tool, it shows security issues as failed checks with their severity and the assets in which these security issues are detected. 

This article explains the Tool Chain page and guides you on how to analyze security issues and remediate them. You can access this page from the left menu in the UI.

Auditing checks on tool chain detects security issues in different tools and displays the number of checks (security issues) performed in each stage of the software supply chain. The failed checks (security issues) performed in each stage are displayed as the following categories in the UI:

• Source Code
• Dependency
• Build
• Artifact
• All: Aggregation of all security issues detected in the tools. Security issues specific to the stage are labelled accordingly to identify the source of the issues easily.

This page shows security issues detected in all the assets in different platforms categorized by failed checks. 

Prerequisites

• To display the security issues in the Source Code and Dependency stage of the supply chain, your code repositories should be integrated with Aqua through either the Source Code Management or CI Integrations option. For more information on these integrations, refer to Code Repository Integrations.
• To display the security issues in the Build stage of the supply chain, your build platforms should be integrated with Aqua. For more information, refer to Integration with Build Platforms.
• To display the security issues in the Artifact stage of the supply chain, your artifact registries should be integrated with Aqua. For more information, refer to Integration with Cloud Artifact Registries.

Other controls

By default, the Tool Chain page shows all the security issues detected in different platforms sorted by failed checks.

Click the Gear button at the top right side of the page to navigate to the Integrations page.

Search and Filter

You can search or filter security issues by the following options:

• Search by check name or ID
• Platform: select a platform, next to the filter button to filter security issues detected in it  
• More filters:
  • Severity: of the security issues detected: Critical, High, Medium, Low, Unknown
  • Asset type: in the platform: Artifact, Controller, Group, Organization, Repository, Server, Subgroup
  • Asset name

Sort

You can sort all security issues by using the Group By option at the top right side of the page as explained below:

• Check: This is a default option. If you select this, all security issues are sorted by failed checks. 
• None: If you select this, all security issues are displayed in a random list.

Export

Click the Export button at the top right side of the page to download all the security issues in a CSV file.

Assessment and remediation of security issues

Assessment

When you expand any failed check, you can see the following details for assessment:

• Severity of the possible security issues detected
• Details of the failed check such as check name, ID, what is assessed in the assets
• List of assets in different platforms in which a check is failed. It has an external link to navigate to the platform to see the assets and configurations for assessing the detected security issues.

Remediation

Along with showing assessment on security issues in the assets, Aqua offers a great capability in sharing instructions to remediate security issues in the platform.

To remediate security issues:

1. Expand a failed check.
2. At the right side of the page, click the Remediate button. A dialog appears which shows remediate instructions and platforms in which remediation to the configurations is required.
3. Navigate to the respective platform and fix the configurations by following remediation instructions.