TABLE OF CONTENTS


Overview

The Build Pipelines page displays all the pipelines connected to the code repositories from different source code management tools that have been integrated with Aqua. After code repositories are integrated, Aqua will discover the build pipelines associated with the code repositories and display in the Build Pipelines page. Aqua will scan these pipelines and show the following information:


  • Misconfigurations: Aqua will detect all the misconfigurations in the pipelines. These misconfigurations are detected as per predefined checks performed by Aqua on the pipeline configurations. For more information, refer to Misconfigurations tab below.
  • Suspicious behavior: Upon integrating activity monitoring feature with the pipelines, Aqua will detect all the suspicious behavior findings in the pipelines. These findings are detected as per predefined checks performed by Aqua on the activities monitored in the pipelines. For more information, refer to Suspicious Behavior tab below.
  • Activity monitoring: Upon integrating activity monitoring feature with the pipelines, Aqua will monitor different activities in the pipelines and display in the UI. For more information, refer to Activity tab below.


You can create Assurance Policies with the specific controls to determine the compliance of the pipelines.

In the Supply Chain Security module, from the left menu, when you select Build Pipelines, you will see the Build Pipelines page as shown below.



The Code Repository detailed view > Pipelines tab shows all the misconfigurations detected in a build pipeline connected to the specific code repository.


Current Limitation

Build Pipelines are discovered, and misconfigurations are detected only when your Aqua instance is connected to the following source code management tool and CI/CD Build system combinations.


Source code management toolCI/CD build system
Azure or Azure ServerAzure Pipelines
GitHub or GitHub ServerGitHub Actions
GitLab or GitLab ServerGitLab CI/CD


If any other combination is integrated with Aqua, the Build Pipelines page is shown as blank.


Build Pipelines page

All build pipelines are organized into four categories:

  • All Pipelines: shows all pipelines discovered in all the code repositories from different source code management tools
  • Non-Compliant: Shows all the pipelines which are not compliant with at least one Assurance Policy.
  • Misconfigured: shows all pipelines which have at least one misconfiguration
  • Suspicious Behavior: Shows all pipelines in which suspicious behavior findings detected
  • Aqua Scanner Not Applied: pipelines in which Aqua scanner is not used as a scanning engine.  Aqua's Trivy Premium scanner (or simply "Trivy Premium") is Aqua's next generation scanning engine. It provides the best scanning results, and detects security issues (latest vulnerabilities, misconfigurations, etc.). We recommend you start using Trivy to offer best security to your applications.
  • SBOM Not Implemented: pipelines in which Aqua has detected that the standard practice of Software Bill of Materials (SBOM) not implemented
  • Activity Monitoring Not Applied: All pipelines in which Aqua's activity monitoring feature is not integrated


Other controls

The following controls appear at the top middle of the page to filter, sort, and search the pipelines:

  • Severity filter: to filter the pipelines by severity (critical, high, medium, low) of the misconfigurations or no issues detected
  • Sort by the following options
    • Severity: of the misconfigurations detected in the pipelines
    • Name: organize all the pipelines in an alphabetical order
    • Date: of the pipeline last modified in its build system in the order of latest to old dates
  • Search: your pipeline with partial or full name of your pipeline or repository to which it is connected
  • Other filters: filter your pipelines by:
    • Repository: Enter the repository name to which the pipelines are associated with
    • Provider: Select one or multiple source code management tools which offer the repositories for pipelines, such as GitHub, Bitbucket, and GitHub Server
    • Last modified: Pipelines which were modified in the last 24 hours, 7 days, or 30 days
    • Network: Enter the hostname or IP address to which a pipeline has made network calls to



Pipeline detailed view


The pipeline detailed view shows the following information:

  • A caution message if suspicious behavior is detected in the pipeline. Click Learn more in the banner to navigate to the Suspicious Behavior tab to see all suspicious behavior findings.
  • Status of the compliance with Assurance Policies: either Compliant or Non-compliant
  • Basic details of the pipeline and the highest severity of the security issues detected in it


The pipeline detailed view includes the following tabs:

  • Overview
  • Misconfigurations
  • Suspicious Behavior
  • Activity


Overview tab

This tab shows the following information:

  • Misconfigurations and Suspicious Behavior widgets: Total number of misconfigurations and suspicious behavior findings detected in the pipeline in different widgets
  • Top Severity Findings: The top four misconfigurations and suspicious behavior findings of the highest severity



Misconfigurations tab

This tab shows the following information:

  • List of all misconfigurations
  • Basic information of each misconfiguration: check which detected the misconfiguration, title, repository and file path in which it is detected, and its severity
  • Misconfiguration detail view: click any misconfiguration in the list, to see a window that provides full details of the misconfiguration and the check which detected it. The detailed view of a few misconfigurations offers a link which navigates you to the resource in the pipeline directly from the Aqua UI to find the misconfiguration and fix it.



Other controls - misconfigurations

  • Search: with any Aqua's check ID or name to see the details of its presence in the pipeline
  • Filter: Pipeline misconfigurations by repository name: Enter the code repository name to filter the misconfigurations detected in the pipelines associated with the repository
  • Export: click this button to export all the misconfigurations in a CSV file
  • Group by: Aqua's check ID to combine the misconfigurations detected by a specific check in the pipeline. On clicking any record in this view, the detailed view shows the number of instances the misconfiguration was detected in the associated code repository. If you click any instance in this detailed view, you can navigate to the specific code repository scan detailed view.



Suppress misconfigurations

In the detailed view of the misconfiguration, you can manually suppress all misconfigurations detected by the specific check, which will temporarily dismiss the corresponding findings, starting from the moment the suppression is applied. However, it is important to note that existing findings of the same misconfiguration cannot be suppressed.


To suppress the misconfiguration:

  1. In the misconfiguration detailed view, at the bottom right of the pane, click Suppress. Suppress Check dialog appears which shows the check which detected misconfiguration in the pipeline.
  2. In the Suppress Check dialog, enable Apply only for this finding instance to apply the rule to the misconfiguration detected in the specific code repository, file, and line number. If you do not enable this, suppression will be applied to all instances of the security issue detected in the code repository in the specific branch.
  3. Enter a name for the rule. Upper and lowercase letters, digits, dashes, and underscores are allowed.
  4. Enter a reason for the rule.
  5. (Optional) Select the "Disable rule" checkbox and define the number of days after which the suppression rule should be disabled automatically. If you do not select this checkbox, the suppression rule will be disabled in one day automatically.
  6. Click Suppress. The specific check is suppressed starting from now until the rule is disabled according to the above configuration. This suppression guarantees the successful building of the code despite the presence of misconfiguration.



Suspicious Behavior tab

This tab shows suspicious behavior findings observed in the pipeline such as different activity patterns or changes from previous scans. To see the suspicious behavior findings, you must integrate the activity monitoring feature with the pipeline. These findings are observed as per predefined checks performed by Aqua on the pipeline configurations. Each suspicious behavior finding is recorded as a security issue with a specific severity assigned by Aqua. This tab shows the following information:


  • List of all suspicious behavior findings
  • Basic information of each finding: check which detected the finding, title, pipeline job name, step name in the pipeline configuration, and its severity
  • Suspicious behavior detailed view: Click any finding in the list, to see a window that provides full details of the finding and the check which detected it. Each Aqua's check is joined with a similar check in MITRE ATTACK. A link to the MITRE ATTACK check is shown in this tab; on clicking the link, MITRE ATTACK website opens in a new tab which shows the details of the similar check.
  • Suppress the finding: In the Suspicious behavior detailed view, click Suppress to suppress the finding. For more information, refer to the Suppress misconfiguration section above.



Activity tab


This tab shows different activities monitored in the pipeline upon integrating the activity monitoring feature with the pipeline. This feature monitors different activities such as secrets exfiltration, code tampering, detection of network calls to different URLS and IP addresses, and crypto mining.


This tab shows different activities monitored in the pipelines and categorized by the following activity types:

  • Network: All the network calls made, such as calls to the external URLs and IP addresses
  • Files: Adding, changing, and deleting files in the code repositories associated with the pipelines
  • Containers: Running containers discovered if the images with run commands exist in the pipelines
  • Processes: Any processes executed through the pipelines



Integrate activity monitoring


  1. Navigate to any pipeline detailed view > Activity tab.
  2. In the middle of the page, click Integrate. A dialog appears which shows the instructions to add pipeline activity monitoring feature to the pipeline.



       3. Select SCM type and build system type. Aqua currently supports GitHub and GitHub Workflows for the SCM and build system types respectively.

       4. Add the variables: AQUA_KEY and AQUA_SECRET to your GitHub Organization encrypted secrets. For more information, refer to GitHub documentation, Creating encrypted secrets for an organization. You can get AQUA_KEY and AQUA_SECRET from the Account Management > Settings > API Keys. These secrets are required to identify the Aqua environment to which the pipeline will be integrated and the monitored activities will be recorded.

       5. Copy the following script and add it as a step after the checkout step in the pipeline configuration. If there is no checkout step in the pipeline configuration, add the script at the beginning in the pipeline configuration.