Select a repository row in the table to open its side panel. This provides a consolidated workspace for investigating repository assets and remediating associated security issues without navigating away from the asset inventory.
Ask the AppSec agentic assistant
From the Repositories table, → → from the agents menu, and query repository-specific insights (for example, scan coverage, risk posture, or gaps).
Additionally, you can click Ask AI in the side panel to access the AppSec agentic assistant.
Explore the repository context and lineage
Navigate through the following tabs in the side panel to review the repository context and lineage. This helps prioritize remediation efforts based on application criticality and assess the potential production impact of vulnerabilities:
Overview tab: Displays the severity breakdown of issues, repository properties (such as visibility, technologies, and owners), and current scan information including the scan type, branch name, last scan time, and health status. The tab also shows the following risk indicators when they apply:
Internet Exposed: The code in the repository ultimately powers a publicly reachable cloud endpoint, calculated via the Code-to-Cloud graph
Deployed to Runtime: The repository code is deployed to production runtime environments through CI/CD pipelines
Public: The repository has public visibility in the VCS provider
Deprecated: The repository or its components are marked as deprecated
Cases: Shows X Critical and High Cases when the repository has associated cases with Critical or High severity
Issues: Shows X Critical and High Issues when the repository has associated issues with Critical or High severity
For more information about scan management, refer to Application Security scans management.
Applications tab: Displays the business applications associated with the repository including business criticality ratings and risk scores
For more information about applications, refer to Defining Business Applications.
Code to Cloud tab: Displays the relationship graph visualizing the full lineage from the repository asset to deployed cloud workloads
Use the graph to perform the following supply chain investigations:
Trace build paths: Identify the specific CI/CD pipelines that build artifacts from the repository and verify pipeline status indicators to see if they are actively deploying to production
Map cloud infrastructure: Determine exactly which runtime cloud resources are provisioned from the IaC definitions stored in the repository
Assess blast radius: Trace paths down to the terminal deployment nodes, such as container images and cloud instances, to understand which production workloads are affected by a vulnerability originating in the codebase
For more information on Code to Cloud, refer to Code to Cloud.
Investigate and remediate issues by category
The repository side panel organizes issues detected within the repository's underlying assets into dedicated tabs by issue category. Selecting a finding opens the issue side card directly within the repository context, allowing you to investigate and remediate the risk without navigating away.
| Tab name | Scanner type | Description |
|---|---|---|
| Vulnerabilities | SCA | Known CVE vulnerabilities in open-source packages declared in dependency manifest files within the repository. Refer to Software Composition Analysis (SCA) vulnerability issues for more information |
| Code Weaknesses | SAST | Security weaknesses in first-party source code detected through static analysis. Refer to Manage code weakness issues for more information |
| Secrets | Secrets | Hardcoded credentials, API keys, tokens, and other sensitive values detected in source code and configuration files. Refer to Navigate to secrets issues for more information |
| Package Integrity | SCA | Open-source packages with operational risk indicators (such as deprecated or unpopular packages) or license types that violate organizational compliance policies. Refer to Package integrity issues for more information |
| IaC Configuration | IaC | Security misconfigurations in Infrastructure-as-Code templates. Refer to Navigate to IaC misconfiguration issues for more information |
| CI/CD Configuration | CI/CD | Security risks and misconfigurations in CI/CD pipeline definitions associated with the repository. Refer to CI/CD Risks for more information |
Execute asset actions
After reviewing the repository's health, you can perform the following operations from the Actions menu in the side panel.
Rescan a repository: Click to trigger an on-demand scan using the currently configured scanners.
Export an SBOM: Click to generate and download a Software Bill of Materials.
Level: Select Repository to download the SBOM for the selected repository, or Organization to download all SBOM reports for the parent organization as a ZIP archive.
Supported formats:
CycloneDX v1.4: XML or JSON
CycloneDX v1.5: XML or JSON
CycloneDX v1.6: XML or JSON
SPDX v2.3: JSON or TXT
Open in GitHub: Click to pivot directly to the native repository environment to investigate source code, review commit history, or initiate remediation through a pull request.
View asset data: Click to view raw repository data in JSON (default) or tree view.
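Because an organization-level export can mix CycloneDX and SPDX documents, it helps to normalize them into one shape before correlating components with vulnerability data. The following is an added example (not part of the product or this page) that parses the JSON encodings of the formats listed above using standard CycloneDX and SPDX field names; the sample documents are constructed, and the SPDX tag/value TXT variant is not handled.

```python
import json

# Export formats offered in the Actions menu (from the page); only the JSON encodings are parsed here.
SUPPORTED = {"CycloneDX": {"1.4", "1.5", "1.6"}, "SPDX": {"SPDX-2.3"}}

def _cyclonedx_license(component):
    """Flatten CycloneDX 'licenses' entries (id, name or expression) into one string."""
    parts = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        parts.append(lic.get("id") or lic.get("name") or entry.get("expression") or "UNKNOWN")
    return ";".join(parts) or None

def normalize_sbom(text):
    """Parse a CycloneDX or SPDX JSON export into (format, version, components), each component
    a dict with name, version, purl and license, so both formats can be processed alike."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        fmt, ver = "CycloneDX", str(doc.get("specVersion", ""))
        comps = [{"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl"),
                  "license": _cyclonedx_license(c)} for c in doc.get("components", [])]
    elif "spdxVersion" in doc:
        fmt, ver = "SPDX", doc["spdxVersion"]
        comps = []
        for p in doc.get("packages", []):
            # SPDX carries the package URL as an externalRef of referenceType 'purl'
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            comps.append({"name": p.get("name"), "version": p.get("versionInfo"),
                          "purl": purl, "license": p.get("licenseConcluded")})
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    if ver not in SUPPORTED[fmt]:
        raise ValueError(f"unexpected {fmt} version {ver!r}")
    return fmt, ver, comps

def unmatchable(components):
    """Names of components without a purl; these cannot be correlated to vulnerability data."""
    return [c["name"] for c in components if not c["purl"]]

# Constructed sample exports for demonstration (not real repository data).
CDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "vendored-util", "version": "0.1"}]})
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "repo-sbom",
    "packages": [{"name": "lodash", "SPDXID": "SPDXRef-Package-lodash", "versionInfo": "4.17.21",
                  "licenseConcluded": "MIT", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                  "referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.21"}]}]})
```

Components reported by `unmatchable` (typically vendored or first-party code without a package URL) are the ones SCA correlation will silently miss, so they deserve a manual look.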
Reference
For detailed information on investigating and remediating issues, refer to Code Security scanners.