

Overview

The Build Pipelines page displays all the pipelines connected to the code repositories from the different source code management tools that have been integrated with Aqua. It also displays all the misconfigurations detected in these pipelines. Aqua detects these misconfigurations by running predefined checks on the pipeline configurations.


In the Supply Chain Security module, select Build Pipelines from the left menu to open the Build Pipelines page.



The Code Repository detailed view > Pipelines tab shows security issues in a build pipeline connected to the specific code repository.


Current Limitation

Build pipelines are discovered and misconfigurations are detected only when your Aqua instance is connected to one of the following source code management tool and CI/CD build system combinations.


| Source code management tool | CI/CD build system |
| Azure or Azure Server       | Azure Pipelines    |
| GitHub or GitHub Server     | GitHub Actions     |
| GitLab or GitLab Server     | GitLab CI/CD       |


If any other combination is integrated with Aqua, the Build Pipelines page is blank.


Build Pipelines page

All build pipelines are organized into four categories:

  • All Pipelines: shows all pipelines discovered in all the code repositories from different source code management tools
  • Misconfigured: shows all pipelines which have at least one misconfiguration
  • Trivy Not Implemented: shows pipelines in which Aqua's Trivy is not used as a scanning engine. Aqua's Trivy Premium scanner (or simply "Trivy Premium") is Aqua's next generation scanning engine. It provides the best scanning results and detects security issues (latest vulnerabilities, misconfigurations, etc.). We recommend that you start using Trivy to get the best security for your applications.
  • SBOM Not Implemented: shows pipelines in which Aqua has detected that the standard practice of Software Bill of Materials (SBOM) is not implemented


Other controls

The following controls appear at the top middle of the page:

  • Severity filter: filters the pipelines by the severity of their misconfigurations (critical, high, medium, low) or by no issues detected
  • Sort by: orders the pipelines by one of the following options
    • Severity: the severity of the misconfigurations detected in the pipelines
    • Name: the pipeline names, in alphabetical order
    • Date: the date the pipeline was last modified in its build system, from newest to oldest
  • Search: finds a pipeline by the partial or full name of the pipeline or of the repository to which it is connected


Pipeline detailed view

The pipeline detailed view shows the security issues found in a pipeline during its scanning and all the information about the pipeline.


The pipeline detailed view shows the following information:

  • Full details of the pipeline with the severity assigned to it
  • Overview and details of the misconfigurations detected in the pipelines


The pipeline detailed view has two tabs:

  • Overview
  • Findings


Overview

This tab shows the following information:

  • Total number of misconfigurations detected in the pipeline
  • Top Severity Findings: a maximum of the five latest misconfigurations with the highest severity



Findings

This tab shows the following information:

  • List of all misconfigurations
  • Basic information about each misconfiguration, such as the check that detected it, the date of detection, a description of the misconfiguration, and its severity
  • Misconfiguration detail view: click any misconfiguration in the list to open a window that provides full details about the misconfiguration and the check that detected it. For a few misconfigurations, the detailed view includes a link to the pipeline file in the build system where the misconfiguration was detected.

At the top of the page, you can filter the list by one of the misconfiguration severity levels: critical, high, medium, low, or unknown.



Suppress misconfiguration

From the misconfiguration detailed view, you can suppress all the misconfigurations detected by the specific check to acknowledge that you will fix them later.


To suppress the misconfiguration:

  1. In the misconfiguration detailed view, click Suppress Misconfiguration. The Suppress Check dialog appears, showing the check that detected the misconfiguration in the pipeline.
  2. Select the Suppression Type as "Pipeline" and enter the remaining details in the dialog. For more information, refer to Create Suppression Rules.
  3. Click Suppress. The specific check is suppressed for now.