Overview

After you integrate a source code management (SCM) tool or a CI build system with Aqua, you can add the code repositories hosted on it. Aqua then scans every added code repository and detects the security issues in it: vulnerabilities, IaC misconfigurations, sensitive data, and security issues found by SAST (Static Application Security Testing) checks. When a CI build system is integrated with Aqua, all the pipelines in the build system are discovered and misconfigurations in those pipelines are detected.

Navigate to the Risks page to see, on a single UI page, the security issues detected in all the code repositories and pipelines integrated with Aqua. The detailed view of an individual code repository scan shows the same kinds of security issues, restricted to that code repository and to the pipelines associated with it.


This topic explains the security issues detected in all the code repositories added to Aqua, and in the pipelines associated with them, as displayed in the Risks page.


Risks list view

The Risks page has the following tabs:

  • Vulnerabilities
  • IaC Misconfigurations
  • Sensitive Data
  • Pipeline Misconfigurations
  • SAST


Vulnerabilities

Each entry (row) in this tab is an instance of a vulnerability detected in a package in a code repository. Therefore, if a given vulnerability was found in N packages, it will appear in the list N times.


The row corresponding to each vulnerability contains the following information:

  • Vulnerability: Vulnerability or CVE ID
  • Title: of the vulnerability
  • Repository: repository in which vulnerability was detected
  • File Path: file in the code repository that lists the package in which the vulnerability was detected
  • Package: package in the code repository in which vulnerability was detected
  • Vendor Fix: A checkmark indicates the availability of a software vendor fix for the vulnerability
  • Severity: of the vulnerability: Critical, High, Medium, Low, or Unknown



Other controls - Vulnerabilities

  • Search: with any vulnerability ID (CVE) to see the details of its presence in the code repositories
  • Filter: the vulnerabilities by:
    • Vendor Fix: whether a fix for the vulnerability is available from the software vendor
    • Repository Name: Enter the code repository name to filter the vulnerabilities detected in it
    • Package Name (in the code repository): Enter the package name to filter the vulnerabilities detected in it
    • File Path (in the code repository): Enter the file path to filter the vulnerabilities detected in it; a single file path may list one or more packages
  • Export: click this button to export all the vulnerabilities in a CSV file



  • Group by: group the list by Vulnerability to combine multiple instances of the same vulnerability detected in different packages across the code repositories. In this view, each vulnerability shows the number of instances detected across packages and code repositories. Clicking a record opens the vulnerability detailed view, which lists the code repositories and packages in which it was detected; clicking an instance there navigates to the scan detailed view of that code repository.
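The row semantics above (one row per vulnerability-in-package instance) and the Group by view are what you work against when you use Export. The following Python script, added here as an example and not Aqua's own code, reads a Vulnerabilities CSV export, applies the page's filters (repository, package, file path, vendor fix) and collapses instance rows into one record per vulnerability with an instance count, the distinct repositories and packages, and the highest severity seen, as the Group by view does. The column names are assumed to match the row fields listed above, and the value Aqua writes to the Vendor Fix column is an assumption (the UI shows a checkmark); check both against the header row of a real export. The sample export embedded in the script is constructed, and EXAMPLE-0001 is a placeholder identifier, not a real advisory. The same functions serve the IaC Misconfigurations, Sensitive Data, Pipeline Misconfigurations and SAST exports by passing key="Check ID" and the relevant location column.

```python
import csv
import io

# Severity order used to rank grouped records (the five values the Risks page lists).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}

# Constructed sample export, not real Aqua output. One row per (vulnerability,
# package) instance, mirroring the "found in N packages, listed N times" rule.
# The header mirrors the column names on the Risks page; the value written to
# the Vendor Fix column is an assumption (the UI shows a checkmark).
# EXAMPLE-0001 is a placeholder identifier, not a real advisory.
SAMPLE_EXPORT = """\
Vulnerability,Title,Repository,File Path,Package,Vendor Fix,Severity
CVE-2021-44228,Remote code execution in Log4j,payments-api,pom.xml,org.apache.logging.log4j:log4j-core,Yes,Critical
CVE-2021-44228,Remote code execution in Log4j,billing-svc,build.gradle,org.apache.logging.log4j:log4j-core,Yes,Critical
CVE-2022-25883,Regular expression denial of service in semver,web-frontend,package-lock.json,semver,Yes,High
CVE-2022-25883,Regular expression denial of service in semver,web-frontend,yarn.lock,semver,Yes,High
EXAMPLE-0001,Placeholder finding with no vendor fix,payments-api,requirements.txt,examplelib,No,Medium
"""


def load_rows(csv_text):
    """Parse export text into one dict per row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fix_available(row):
    """Interpret the Vendor Fix column; a missing column (non-vulnerability exports) counts as no fix."""
    return row.get("Vendor Fix", "").strip().lower() in {"yes", "true", "y", "x"}


def filter_rows(rows, repository=None, package=None, file_path=None, vendor_fix=None):
    """Apply the Risks page filters, ANDed together: case-insensitive substring match
    on the text columns, exact match on fix availability when vendor_fix is True/False."""
    def matches(value, needle):
        return needle is None or needle.lower() in value.lower()

    return [
        r for r in rows
        if matches(r.get("Repository", ""), repository)
        and matches(r.get("Package", ""), package)
        and matches(r.get("File Path", ""), file_path)
        and (vendor_fix is None or fix_available(r) == vendor_fix)
    ]


def group_by_key(rows, key="Vulnerability", location="Package"):
    """Collapse instance rows into one record per key, as the Group by view does.
    For the IaC and Sensitive Data exports use key="Check ID", location="Resource";
    for the Pipeline Misconfigurations export use key="Check ID", location="File Path"."""
    groups = {}
    for r in rows:
        g = groups.setdefault(r[key], {
            "key": r[key], "title": r.get("Title", ""), "instances": 0,
            "repositories": set(), "locations": set(),
            "severity": "Unknown", "vendor_fix": False,
        })
        g["instances"] += 1
        g["repositories"].add(r["Repository"])
        g["locations"].add(r.get(location, ""))
        # The highest severity seen across the instances wins.
        if SEVERITY_RANK.get(r.get("Severity", "Unknown"), 0) > SEVERITY_RANK.get(g["severity"], 0):
            g["severity"] = r["Severity"]
        g["vendor_fix"] = g["vendor_fix"] or fix_available(r)
    # Worst severity first, then most widespread, then stable by ID.
    return sorted(groups.values(),
                  key=lambda g: (-SEVERITY_RANK.get(g["severity"], 0), -g["instances"], g["key"]))


def format_report(groups):
    """One line per grouped record, for a quick triage printout."""
    return [
        "%-9s %-15s %2d instance(s) in %d repo(s)  fix=%s  %s" % (
            g["severity"], g["key"], g["instances"], len(g["repositories"]),
            "yes" if g["vendor_fix"] else "no", g["title"])
        for g in groups
    ]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    # Triage order: fixable issues first, since a dependency bump closes them.
    print("\n".join(format_report(group_by_key(filter_rows(rows, vendor_fix=True)))))
    print("--- no vendor fix yet ---")
    print("\n".join(format_report(group_by_key(filter_rows(rows, vendor_fix=False)))))
```

Splitting the export on Vendor Fix before grouping is the practical triage order: grouped records with a fix available can be closed with a dependency update, while those without one need a compensating control or an accepted-risk decision per repository.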



IaC Misconfigurations

Each entry (row) in this tab is an instance of an IaC misconfiguration detected in a resource in a code repository. Therefore, if a given IaC misconfiguration was found in N resources, it will appear in the list N times.


The row corresponding to each IaC misconfiguration contains the following information:

  • Check ID (Aqua's unique predefined check)
  • Title: of the IaC misconfiguration
  • Repository: Repository in which IaC misconfiguration was detected
  • File Path: file in the code repository that defines the resource in which the IaC misconfiguration was detected
  • Resource: Resource in the code repository in which IaC misconfiguration was detected
  • Severity: of IaC misconfiguration: Critical, High, Medium, Low, or Unknown



Other controls - IaC misconfigurations

  • Search: with an Aqua check ID or check name to see where it was detected across the code repositories
  • Filter: IaC misconfigurations by:
    • Resource (in the code repository): Enter the resource name to filter the IaC misconfigurations detected in it
    • Repository Name: Enter the code repository name to filter the IaC misconfigurations detected in it
    • File Path (in the code repository): Enter the file path to filter the IaC misconfigurations detected in it; a single file path may define one or more resources
  • Export: click this button to export all the IaC misconfigurations in a CSV file



  • Group by: group the list by IaC misconfiguration to combine multiple instances of the same misconfiguration detected in different resources across the code repositories. In this view, each IaC misconfiguration shows the number of instances detected across resources and code repositories. Clicking a record opens the IaC misconfiguration detailed view, which lists the code repositories and resources in which it was detected; clicking an instance there navigates to the scan detailed view of that code repository.



Sensitive Data

Each entry (row) in this tab is an instance of sensitive data detected in a resource in a code repository. Therefore, if a given sensitive data check matched N resources, it will appear in the list N times.


The row corresponding to each instance of sensitive data contains the following information:

  • Check ID
  • Title: of sensitive data
  • Repository: Repository in which the instance of sensitive data was detected
  • File Path: file in the code repository that contains the resource in which the sensitive data was detected
  • Resource: Resource in the code repository in which sensitive data was detected
  • Severity: of the sensitive data: Critical, High, Medium, Low, or Unknown



Other controls - Sensitive Data

Refer to the Other controls - IaC misconfigurations section above for the controls used to search, filter, group, and export the instances of sensitive data detected across the code repositories; they work the same way here.


Pipeline Misconfigurations

Each entry (row) in this tab is an instance of a misconfiguration detected in a pipeline. Therefore, if a given misconfiguration was found in N pipelines, it will appear in the list N times.


The row corresponding to each pipeline misconfiguration contains the following information:

  • Check ID (Aqua's unique predefined check)
  • Title: of the pipeline misconfiguration
  • Description: of the misconfiguration
  • Repository: Code repository to which the pipeline is associated
  • File Path: pipeline definition file in which the misconfiguration was detected
  • Severity: of the pipeline misconfiguration: Critical, High, Medium, Low, or Unknown



Other controls - Pipeline misconfigurations

  • Search: with an Aqua check ID or check name to see where it was detected across the pipelines
  • Filter: Pipeline misconfigurations by:
    • Repository Name: Enter the code repository name to filter the misconfigurations detected in the associated pipelines
    • File Path: Enter the pipeline file path to filter the misconfigurations detected in it
  • Export: click this button to export all the pipeline misconfigurations in a CSV file



  • Group by: group the list by pipeline misconfiguration to combine multiple instances of the same misconfiguration detected in different pipelines. In this view, each misconfiguration shows the number of instances detected across the pipelines. Clicking a record opens the misconfiguration detailed view, which lists the code repositories and pipelines in which it was detected; clicking an instance there navigates to the scan detailed view of that code repository.



SAST

Each entry (row) in this tab is an instance of a security issue detected by a SAST check in a code repository. Therefore, if the same SAST check fires at N locations across the code repositories, it will appear in the list N times.


The row corresponding to each security issue contains the following information:

  • Check ID (Aqua's predefined check)
  • CWE: CWE ID and its description
  • Repository: Code repository in which the security issue was detected
  • File Path: file in the code repository in which the security issue was detected
  • Category: of the security issue: Best Practice, Correctness, Maintainability, Performance, Portability, or Security
  • Severity: of the security issue: Critical, High, Medium, Low, or Unknown



Other controls - SAST

  • Search: with an Aqua check ID or a CWE ID to see where it was detected across the code repositories
  • Filter: SAST security issues by:
    • Repository Name: Enter the code repository name to filter the security issues detected in it
    • File Path (in the code repository): Enter the file path to filter the security issues detected in it
    • CWE ID: Enter the CWE ID to filter the security issues mapped to it
    • Category: of the SAST check
  • Export: click this button to export all the SAST security issues in a CSV file



  • Group by: group the list by check to combine multiple instances of the same security issue detected in different files across the code repositories. In this view, each security issue shows the number of instances detected across files and code repositories. Clicking a record opens the SAST check detailed view, which lists the code repositories and files in which it was detected; clicking an instance there navigates to the scan detailed view of that code repository.



Risks detailed view

If you click any security issue in the list view, a window opens with details of that security issue. The detailed view includes a link to the resource or code snippet where the security issue was found; clicking it navigates directly to the code snippet so you can fix the issue.


In the IaC misconfiguration detailed view, you can suppress the specific misconfiguration. For more information, refer to Code Repository Scan Detailed View document > Suppress misconfiguration section.


The IaC misconfiguration detailed view is shown below; the detailed views for the other types of security issue are similar.