VCS and CI/CD pipeline scans produce findings, which are potential security risks in your VCS repositories and CI/CD pipeline configurations. These insights help you assess and analyze the security posture of your VCSs and CI/CD pipelines.
The CI/CD risks Findings table is a filtered instance of the broader Findings table found under Cases & Issues, meaning it exclusively displays findings categorized as CI/CD pipeline risk findings. However, CI/CD pipeline risk Findings only displays findings detected during periodic scans. In contrast, the comprehensive Findings table includes all CI/CD pipeline risk findings regardless of their detection source, such as periodic, pull request (PR), and continuous integration (CI) scans.
The following table describes selected properties of the Findings table.
| Property | Description |
|---|---|
| Name | The name of the finding |
| Created | When the finding was initially detected |
| Last Updated | The last detection date of the finding |
| Provider | The VCS, including the CI/CD pipeline |
| Sub Category | The CI/CD category that the finding belongs to. Values include: |
| Detection Method | The engine used to detect VCS and CI/CD findings. Default value: CI/CD Risk Scanner |
| Finding ID | The unique identifier assigned to the finding |
Expanded Findings details
Click on a finding in the inventory table to open the Findings side card, which provides additional details about the finding.
Finding summary: Found at the top of the card. Includes the finding name, ID and type (Configuration for CI/CD risk findings)
Description: A description of the finding including its location
Timestamp: When the finding was last updated
Asset details: Includes the Asset (the impacted asset; clicking it opens the asset side card without navigating away to the asset section) and the Asset Type (the specific asset type in which the CI/CD risk was identified)
Evidence: Provides evidence and contextual details from within your SDLC about the CI/CD risk finding, grouped as follows:
  Finding source
    Data Source: The system or integration from which the finding data was originally pulled (such as GitHub or a CI/CD pipeline). Click the icon next to the data source to navigate to the data source itself
    Run ID: The unique identifier of the specific scan execution during which this finding was detected
    Collaborator: The individual or team responsible for contributing to the code or configuration where the finding was identified
  Code context
    Repository: The name of the version control repository where the finding was located
    Branch: The specific branch within the repository containing the finding
    File Path: The exact location of the finding within the repository file structure
    First Hash: The commit hash of the first commit where this specific finding was introduced or detected
  Scan metadata
    Run ID: The unique identifier of the specific scan execution during which this finding was detected
    Code: The file and the code containing the CI/CD risk in which the finding was detected