In this section, we answer frequently asked questions about our platform.
What is a group?
Each group corresponds to individual projects our clients create to manage their vulnerabilities separately. Inside a group on the platform, there are several sections that can be accessed according to the role and plan you are subscribed to. For more information on groups and sections, please see our Documentation.
Why do we advise you to create several groups?
We recommend creating several separate groups, each dedicated to one project. This gives you better visibility of the vulnerabilities you manage, lets you generate focused reports and certificates for each project independently, keeps the analytics organized, and makes it easier to track the details of each project you work on.
What are vulnerabilities?
What is the difference between Age and Last report in the Vulnerabilities table?
Age is the number of days the vulnerability has been open, whereas Last report is the number of days that have passed since the vulnerability was last reported.
How do I suggest that a vulnerability is a false positive?
How can I see only the findings of the dynamic application security testing (DAST)?
How can I see vulnerabilities specific to a particular Git root?
In the search bar that you can find in the Vulnerabilities table, enter the nickname of the repository you are interested in, and the table will show you only the vulnerabilities reported in that repository.
How many pieces of evidence (images and videos) do I have access to?
There is a limit of six files (images or videos). However, these are constantly updated according to the reattacks or new vulnerabilities that may be reported.
What is a nickname?
Where can I find my repository's nickname?
How many hours do I have to wait for a response to a reattack request?
Up to 16 hours, according to our service-level agreement.
How to request a reattack?
A reattack can be requested from the Locations and To-do list sections. Select the vulnerability to be reattacked and click the Reattack button. The selected vulnerability will then show the status Requested in the Reattack column for up to 16 hours. Remember to check the Consulting section for any new comments regarding the reattack.
How do I know that a requested reattack is in progress?
How do I generate a service certificate?
In the Vulnerabilities section, click the Generate report button and select the Certificate option. This option will not be available if you have not filled out the Business Registration Number and Business Name fields in the Information section. Remember that the roles that can download certificates are user manager and vulnerability manager.
How do I generate the vulnerability report?
In the Vulnerabilities section, click the Generate report button and select which type of report you want to download, either technical or executive. Remember that you must register your mobile number beforehand to enable two-factor authentication, which is required to download the report. Remember that the roles that can download reports are user manager and vulnerability manager.
What is the difference between executive and technical reports?
The executive report is a summary report in PDF format, generally intended for personnel in management roles. This report contains concise and clear information on the vulnerabilities reported in the group. On the other hand, the technical report is an XLSX file where you have all the vulnerabilities reported in the group with their technical details.
What is the difference between members and authors?
Members are all the users who can access your group to view information or manage vulnerabilities, scope and tags, among other things. Authors are all the developers or professionals who contribute to the repositories under evaluation.
What is the difference between our three consulting alternatives?
Consulting is one of the communication channels with users. You can find it in Locations, Groups and Events. Use the one in Locations when you have questions regarding a specific vulnerability. Use the one in Events to ask about the status or details of situations that are preventing security testing from resuming. And use the one in the main screen of a group to ask general questions about that group.
Why is a vulnerability still Vulnerable when it has been accepted permanently?
When a vulnerability is permanently accepted, the organization assumes the risk instead of remediating it, so it will continue to be regarded as vulnerable.
What happens when a temporary acceptance treatment expires?
The treatment for that specific security issue reverts to Untreated, and the remediation of the issue is assigned to the user who had requested the temporary acceptance.
If I apply policies to a group, will they apply to all roots of that group?
Yes, it will apply to all repositories added in that group.
What is the difference between policy at the ORG and the group level?
Organization policies are those that you set globally and that will be inherited by all groups pertaining to that organization. For your management purposes, you may prefer to set specific group policies.
Must I only install Docker to run the DevSecOps agent from my local machine?
Yes, Docker is only necessary if you run the DevSecOps agent from your local machine. To see the Docker and agent installation steps, visit our Documentation.
Does Fluid Attacks’ DevSecOps agent run locally or on the development infrastructure?
You can run it both ways.
How many arguments can I pass to run Fluid Attacks’ DevSecOps agent?
You can pass multiple arguments. To see the different options, check out our Documentation.
How often is it advisable to do docker pull to update the image?
It is up to the user to do it weekly or monthly.
In what mode can Fluid Attacks’ agent be run so it doesn't break the build?
In lax mode, as opposed to strict mode.
Must all team members use the same token to run the DevSecOps agent in a group?
How can I start using the platform API?
To begin using the API, we recommend you read our step-by-step guide in our Documentation. Bear in mind that to make requests to the API you will need prior knowledge of the GraphQL language.
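As an added illustration of what a GraphQL request to the platform API looks like (this is example code, not Fluid Attacks' own client or API schema): the request is a JSON document with a query string and an optional variables object, sent by POST with the access token in an Authorization header, and the response must be checked for a GraphQL errors array, because GraphQL servers commonly return HTTP 200 even when the query failed. The endpoint URL, the PLATFORM_API_TOKEN environment variable name and the Bearer header scheme are placeholders, not values from the Documentation; the only query shown is the standard introspection query that any GraphQL server answers, so nothing about the platform's schema is assumed.

```python
"""Minimal GraphQL client skeleton (added example, not the platform's own code).

Assumptions (not from the page): the API endpoint URL, the bearer-token header
scheme and the environment variable holding the token are placeholders.
"""
import json
import os
import urllib.request
from typing import Optional

# Placeholder endpoint; the real URL comes from the Documentation.
API_URL = os.environ.get("PLATFORM_GRAPHQL_URL", "https://example.invalid/api")

# Standard GraphQL introspection query: valid against any GraphQL server,
# so it does not assume anything about the platform's schema.
INTROSPECTION_QUERY = "{ __schema { queryType { name } } }"


def build_request(query: str, variables: Optional[dict], token: str) -> tuple:
    """Build the headers and the JSON body of a GraphQL POST request.

    GraphQL requests carry a `query` string plus an optional `variables`
    object; the access token travels in an Authorization header.
    """
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"Bearer {token}",  # assumed header scheme
    }
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return headers, body


def parse_response(raw: bytes) -> dict:
    """Return the `data` object, raising if the server reported GraphQL errors.

    GraphQL servers usually answer HTTP 200 even when the query failed, so
    the `errors` array must be checked explicitly instead of the status code.
    """
    payload = json.loads(raw)
    if payload.get("errors"):
        messages = "; ".join(e.get("message", "?") for e in payload["errors"])
        raise RuntimeError(f"GraphQL errors: {messages}")
    return payload.get("data") or {}


def run_query(query: str, variables: Optional[dict] = None) -> dict:
    """Send a query using the token from the environment (never hardcode it)."""
    token = os.environ.get("PLATFORM_API_TOKEN")  # placeholder variable name
    if not token:
        raise RuntimeError("set PLATFORM_API_TOKEN before calling the API")
    headers, body = build_request(query, variables, token)
    req = urllib.request.Request(API_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    # Requires PLATFORM_API_TOKEN (and the real endpoint URL) to be set.
    print(run_query(INTROSPECTION_QUERY))
```

The token is read from the environment rather than written into the script so it does not end up in version control or in a shared CI log; the same pattern applies whatever name the Documentation gives the variable.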
If you have any problems logging in to the platform, we recommend the following:
Log out of the platform, delete your browser cache and cookies, log back in, and enter the group(s) where the problem occurs.
Try to access the platform from incognito mode or from another browser and check whether the problem also occurs there.
Once the screenshot is displayed, you can also run one of the following JavaScript commands from the browser's developer console (usually opened by pressing F12 on Windows and Linux): sessionStorage.clear() or localStorage.clear(), and then refresh the web page.