Code Root

Overview

For each Code Root, you are able to drill down into different views. Specifically:

  • Dependency Findings

  • Code Findings

  • Dependency Remediations

  • Dependencies

  • API Endpoints

  • Contributors

  • Guardrail Executions

Together, these views give you, for a given Code Root, an analysis of its security weaknesses, its dependencies along with their relevant findings and remediations, its API endpoints, its contributors, and finally which Guardrail executions, if any, are in place and have been triggered.

Dependency Findings

Dependency Findings are findings in open source dependencies (as opposed to Code Findings, which concern your first-party code). They are listed by title with details on severity, vulnerable versions, fixed versions, and more.

For each Finding, there is a linked view of Finding Details, Vulnerability Details, and a description.

Code Findings

Code Findings, which are findings in your first-party code, include the results of Static Application Security Testing and Software Composition Analysis of your code, with details on the Finding source, severity, confidence of analysis, and number of instances of the Finding.

For each Finding, there is a drill down available to the actual files and file line numbers where the Finding is located with a link to go to the location in your code repository.

Dependency Remediations

If there are known Dependency Remediations, they are listed here in table format. The Remediations can be sorted by Severity, Fixability, and number of Findings. They can also be assigned to an individual.

For each Remediation, there are details such as a listing of related vulnerabilities, impact of implementing the Remediation, and other details. As in the Remediations listing, there is also a Push to Jira capability that creates a Jira ticket populated with remediation details, ownership, and SLO information.

Finally, there is a View Upgrade Guidance feature, so you can see the proposed solution, which is also the upgrade guidance pushed to Jira.

Dependencies

Dependencies lists the individual dependencies with aggregated information including version, license, number of Dependency Findings by severity, and [ @James explanation of Code/Build/Testing/Maintenance]....

Dependency details are accessible via link for each Dependency showing a list of its Findings, if any, and where it is located by Code/Repository and Code Root.

API Endpoints

API Endpoints lists the method and path of individual endpoints with additional information like file location of the endpoint definition, link to its location in the repository, and when it was first seen.

Contributors

Contributors lists the individuals who hold a role (e.g., developer, reviewer, or commenter) in committing code to the specific Code Root of the repository.

Guardrail Executions

Guardrail Executions provides an audit trail of when individual Guardrails were executed against changesets and their results (Passed, Failed, or Pending). Each entry also includes a link to view the Guardrail execution in the repository.

In addition, for each Guardrail execution, there are details on the Guardrail definition, i.e., rule parameters, scope parameters, and violations found, if any.
