Supply Chain Security Onboarding Guide
TABLE OF CONTENTS
- Overview
- Sign into Aqua
- Navigation to the Supply Chain Security module
- Integrations
- Risk Assessment
- Configure Assurance Policy
- Suppress security issues
Overview
This onboarding guide gives you a general overview of your organization's software supply chain security posture so that you can set the security gates needed to stop defects early, during application code development and in the CI/CD process. It walks you through:
- Signing into Aqua
- Integrating with source code management tools, CI build systems, and CI/CD pipelines
- Setting up security policies
- Assessing and remediating security risks in your organization's software supply chain
Sign into Aqua
Visit https://cloud.aquasec.com in your web browser and log into Aqua.
Refer to Supply Chain Security Overview to understand Aqua's software supply chain security offering.
Navigation to the Supply Chain Security module
In the top left of the Aqua Home page, click the mega-menu and select Supply Chain Security.
Integrations
Aqua supports the following integrations in the CI/CD process.
Integrate a source code management tool
Integrate a source code management tool to scan its code repositories and display all the security issues detected. When you integrate the tool, you can select the specific code repositories to scan; you can add more code repositories from that tool at any time later from the Code Repositories page.
Integrate the CI build process
Establish the CI integration by adding the Aqua Trivy Premium Scanner to the build pipeline. This integration enables Aqua to scan on either of the following triggers:
- Pull request: scans the specific code changes in a pull request and detects security issues introduced by those changes
- Push: scans the code repository when code is pushed to a branch, detecting security issues in each release build and in the connected code repository
Integrate the build platforms to detect security issues
Integrate with your CI/CD build platforms so that Aqua can detect security posture issues in the build platforms themselves; these are reported as Tool Chain checks.
Integrate the CI/CD build pipeline to discover release artifacts
Integrate with the CI/CD build pipeline to discover the release artifacts created when your application code is built from a specific code repository.
Risk Assessment
Overview of scan results on all the code repositories
A code repository is scanned daily once its source code management tool is integrated, and additionally whenever a pull request or push scan is triggered for it.
From the left menu, navigate to the Code Repositories page to see the scan results. This page gives an overview of the following security issues detected in each code repository:
- Vulnerabilities, misconfigurations, and sensitive data detected in the code repositories
- Misconfigurations in the pipelines connected to the code repositories
For detailed information, refer to Code Repositories and Checks.
Scan results of the specific code repository
On the Code Repositories page, click a code repository to open the detailed view of its scan results. In brief, the view includes the following:
- Overview: compliance status and an overview of all the security issues detected in the code repository
- Vulnerabilities, Sensitive data, and Misconfigurations: detailed information on the security issues detected in the code repository. Each sensitive data instance or misconfiguration shows the specific line in the resource where it was detected, so you can navigate to that location and fix it.
- Pipelines: all the misconfigurations detected in the pipelines connected to the code repository
- SAST results: results of the Static Application Security Testing (SAST) checks Aqua performs on the application code in the code repository. These help developers find and resolve security issues in the initial stages of development, before they are passed on to the next phase of the SDLC (Software Development Lifecycle).
- Builds: all builds that use the code repository, with the security issues detected in each build triggered by pull request or push scanning
- Artifacts: all the release artifacts created from the specific code repository
- Dependencies: details of the dependencies used in building the application code in the code repository and the vulnerabilities detected in each dependency
- Tool Chain: failed checks at the different stages of the supply chain, with guidance for securing your CI/CD infrastructure
For detailed information, refer to Code Repository Scan Detailed View.
Security issues in the code repositories
You can see all the security issues (vulnerabilities, sensitive data, and IaC misconfigurations) detected across all the code repositories added to Aqua on one page: Risks.
Discovery of the dependencies in the code repositories
When code repositories are added to Aqua, all the packages used to build the application code in them are discovered and listed on the Dependencies page. Aqua analyzes each package in detail and displays its details and the analysis results. With this information you can decide whether to keep using a package, move to another version of it, or replace it with a different package.
Scan results of the build pipelines
From the left menu, navigate to the Build Pipelines page to see all the pipelines connected to the code repositories from different source code management tools and all the misconfigurations detected in these pipelines.
Scan results of the release artifacts
From the left menu, navigate to the Release Artifacts page to see all the release artifacts created by building your application code from the code repository connected to the CI/CD build system. For each artifact you can trace each stage of its creation: Code, Build, Artifact, and the Dependencies used to build it, including vulnerabilities detected in those dependencies.
Scan results of the tool chain
After you integrate a source code management tool, navigate to the Tool Chain page to see all the security issues detected in the source code stage of the software supply chain.
After you integrate a build platform, the same page shows all the security issues detected in the build stage of the supply chain.
Each failed check includes remediation steps for resolving the security posture issue.
Scan results of the builds in the CI/CD process
After establishing the CI integration through either pull request or push scanning, navigate to the code repository detailed view > Builds tab to see the discovered builds and the security issues detected in them. The same scan results are also shown in your CI/CD build system.
Once the code repositories and build platforms are integrated and scanned, you have a general overview of the security posture of your organization's software supply chain. You can now set the security gates that block security issues from entering at the initial stages of the CI/CD process.
Configure Assurance Policy
You can configure an Assurance Policy to act as your organization's security policy for the software supply chain. The policy can mark a code repository non-compliant, and fail a build or pull request, when the code repository, build platform, or pipelines do not meet the criteria set in the policy.
You can set different controls in the policy, such as the presence of sensitive data, specific vulnerabilities, or misconfigurations. For more information, refer to Assurance Policies.
Suppress security issues
You can ignore specific detected security issues (misconfigurations, sensitive data instances, and vulnerabilities) that are not relevant to your organization by creating suppression rules, so that only the issues that need your attention are reported. For more information, refer to Create Suppression Rules.
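The two sections above, Configure Assurance Policy and Suppress security issues, describe a gate that fails a build or pull request on sensitive data, vulnerabilities, or misconfigurations, minus the findings a suppression rule covers. The following script is an added example of that gate shape, written for this guide; it is not Aqua's Assurance Policy or suppression-rule code and does not talk to the Aqua platform. It assumes a scanner report in the JSON layout that Trivy writes (Results[].Vulnerabilities, Secrets and Misconfigurations), the report embedded below is constructed, and the CVE-0000-* and EXAMPLE-* identifiers are placeholders, not real advisories or check IDs.

```python
"""Build gate over a Trivy-style JSON report: vulnerability, secret and
misconfiguration controls plus suppression rules that expire.  Added example,
not Aqua's Assurance Policy code; the report below is constructed and the
CVE-0000-* / EXAMPLE-* identifiers are placeholders."""
import json
import sys
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
DEMO_DATE = date(2024, 6, 1)  # fixed "today" so the expired suppression below is reproducible


@dataclass
class Policy:
    max_vuln_severity: str = "MEDIUM"       # vulnerabilities above this fail the build
    max_misconfig_severity: str = "MEDIUM"  # failed config checks above this fail the build
    fail_on_secrets: bool = True            # any detected secret fails the build
    require_fix_available: bool = False     # if True, only vulnerabilities with a FixedVersion count


@dataclass
class Suppression:
    issue_id: str        # CVE ID, secret RuleID or misconfiguration check ID
    target: str = None   # limit to one scanned target (file / lockfile); None = any target
    expires: date = None # rule is ignored after this date, so exceptions get revisited
    reason: str = ""     # why the exception was accepted

    def matches(self, issue_id, target, today):
        return (self.issue_id == issue_id and self.target in (None, target)
                and (self.expires is None or today <= self.expires))


@dataclass
class Finding:
    kind: str        # "vulnerability", "secret" or "misconfiguration"
    issue_id: str
    target: str
    severity: str
    fix_available: bool
    detail: str


def collect_findings(report):
    """Flatten the three finding types of a Trivy-style report into one list."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion") or ""
            findings.append(Finding("vulnerability", v["VulnerabilityID"], target, v.get("Severity", "UNKNOWN"),
                                    bool(fixed), f"{v['PkgName']} {v['InstalledVersion']} (fixed in: {fixed or 'none'})"))
        for s in result.get("Secrets") or []:
            findings.append(Finding("secret", s["RuleID"], target, s.get("Severity", "UNKNOWN"), True,
                                    f"{s.get('Title', '')} at line {s.get('StartLine')}"))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":  # Trivy also lists checks that passed
                continue
            findings.append(Finding("misconfiguration", m["ID"], target, m.get("Severity", "UNKNOWN"), True, m.get("Title", "")))
    return findings


def violates(f, policy):
    rank = SEVERITY_RANK.get(f.severity.upper(), 0)
    if f.kind == "vulnerability":
        if policy.require_fix_available and not f.fix_available:
            return False
        return rank > SEVERITY_RANK[policy.max_vuln_severity]
    if f.kind == "secret":
        return policy.fail_on_secrets
    return rank > SEVERITY_RANK[policy.max_misconfig_severity]


def evaluate(report, policy, suppressions=(), today=None):
    """Return (violations, suppressed): findings that fail the policy, split by whether a
    live suppression rule covers them.  Findings that pass the policy appear in neither."""
    today = today or date.today()
    violations, suppressed = [], []
    for f in collect_findings(report):
        if not violates(f, policy):
            continue
        if any(s.matches(f.issue_id, f.target, today) for s in suppressions):
            suppressed.append(f)
        else:
            violations.append(f)
    return violations, suppressed


# Constructed sample report in Trivy's JSON layout; placeholder IDs.
SAMPLE_REPORT = {"SchemaVersion": 2, "Results": [
    {"Target": "go.mod", "Class": "lang-pkgs", "Type": "gomod", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example.org/lib", "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example.org/other", "InstalledVersion": "0.9.0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example.org/tiny", "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1", "Severity": "LOW"}]},
    {"Target": "config/dev.env", "Class": "secret", "Secrets": [
        {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL", "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile", "Misconfigurations": [
        {"ID": "EXAMPLE-MC-001", "Title": "Container runs as root", "Severity": "HIGH", "Status": "FAIL"},
        {"ID": "EXAMPLE-MC-002", "Title": "HEALTHCHECK instruction present", "Severity": "LOW", "Status": "PASS"}]}]}

SUPPRESSIONS = [
    Suppression("CVE-0000-0002", target="go.mod", expires=date(2024, 12, 31), reason="no fix published; code path not reachable"),
    Suppression("aws-access-key-id", target="config/dev.env", expires=date(2024, 1, 31), reason="test credential"),  # expired on DEMO_DATE
]


def main(argv):
    # With a path argument, gate a real report (e.g. from: trivy fs --format json -o report.json .)
    report, today = (json.load(open(argv[1])), None) if len(argv) > 1 else (SAMPLE_REPORT, DEMO_DATE)
    violations, suppressed = evaluate(report, Policy(), SUPPRESSIONS, today)
    for f in suppressed:
        print(f"SUPPRESSED {f.kind} {f.issue_id} in {f.target}")
    for f in violations:
        print(f"FAIL {f.kind} {f.issue_id} ({f.severity}) in {f.target}: {f.detail}")
    return 1 if violations else 0  # non-zero exit fails the pipeline step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to gate the constructed report: the CRITICAL vulnerability, the failed HIGH misconfiguration, and the secret fail the gate, while the HIGH vulnerability without a fix is suppressed by a live rule. The secret's suppression has expired, so it counts again; that is the point of giving every suppression a target, a reason, and an expiry date rather than silencing an issue ID forever. Wire the script into the pull request and push scan steps so its exit code blocks the merge or the build.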