The DevSecOps agent is the component that enforces DevSecOps in your projects. It runs inside CI/CD (Continuous Integration/Continuous Deployment) pipelines as a security gate that prevents vulnerable code from reaching production. Every change to the Target of Evaluation is verified continuously: the agent checks the status of the vulnerabilities reported for it and breaks the build to force the remediation of those that are open and not accepted. Closed and accepted vulnerabilities never block the build.
In the Policies section of the ARM, you select and configure the policies (conditions) that the agent validates when deciding whether to break the build.
The DevSecOps section has a table with a cumulative record of the executions of our DevSecOps agent in your pipeline. Among other data, the table includes the execution date, the number of vulnerabilities, the testing technique, and the repository assessed. Clicking on a row opens the details of that execution, which include a second table listing each vulnerability with its location, exploitability and status, among other attributes.
In the DevSecOps section, there are seven filters available for the table. You can find them on the right side next to the search bar.
- Date: Lets you set the range of dates within which our DevSecOps agent was executed in your pipeline.
- Status: Filters by one of two statuses, Vulnerable or Secure. An execution is Vulnerable when the agent detected at least one open vulnerability, and Secure when no open vulnerability affected the transition to production.
- Vulnerabilities: Filters by the total number of open vulnerabilities the agent identified during the execution.
- Strictness: Lets you select one of the two agent modes. Strict means that in that execution the agent was set to deny deployment to production (break the build) when it detected at least one open vulnerability in the pipeline. Tolerant means that the agent was set only to issue warnings about the open vulnerabilities it detected, allowing deployment to production.
- Type: Offers three options, SAST, DAST and ALL, corresponding to the technique with which the agent recognized that the vulnerabilities in that execution were detected; ALL means both SAST and DAST.
- Git repository: Type all or part of the name of a repository evaluated by the agent; the table is restricted to the repositories matching that name.
- Identifier: Filters by the agent's run identifier number.
In the DevSecOps section, the Export button is at the top left. Clicking it downloads a CSV (comma-separated values) file containing all the information in the section's table.
Clicking on any of our DevSecOps agent's executions opens a pop-up window with more detailed information about that execution.
This pop-up window has two tabs: Summary and Execution log.
The Summary tab shows a table with concise information about all the vulnerabilities our agent reported in that execution: each vulnerability's location, exploitability, status and type (the technique that detected it).
Clicking on the Columns button opens a window in which you can show or hide columns of the table, depending on the data you want to observe. Clicking on the Filters button shows filter options for three of the columns, which you can use to restrict the rows visible in the table. To the right of these two buttons there is a search field for locations.
The Execution log tab shows the same log you see in the pipeline after the agent runs. Here the vulnerabilities are grouped by type (following our standardized set of vulnerability types), and for each type you can see, among other data, its severity score and how many vulnerabilities of that type are open, closed or accepted.
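To make the gate semantics described on this page concrete (open vulnerabilities break the build only in Strict mode, closed and accepted ones never block, the execution type is SAST, DAST or ALL, and the execution log groups findings by type with open/closed/accepted counts), here is an added example that models that decision in Python. This is illustrative code written for this page, not the Fluid Attacks agent or its API; the finding fields, mode names, severity values and exit codes are assumptions, and the sample findings are constructed.

```python
"""Added example: a minimal model of the DevSecOps gate decision and of the
per-type execution-log summary. Not Fluid Attacks' code; field names, mode
names, severity scores and exit codes are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum

VALID_STATUSES = ("open", "closed", "accepted")
VALID_TECHNIQUES = ("SAST", "DAST")


class Mode(Enum):
    STRICT = "strict"      # deny deployment when any open vulnerability exists
    TOLERANT = "tolerant"  # only warn about open vulnerabilities, allow deployment


@dataclass(frozen=True)
class Finding:
    location: str     # file path or URL where the vulnerability was found
    vuln_type: str    # standardized vulnerability type
    technique: str    # "SAST" or "DAST"
    status: str       # "open", "closed" or "accepted"
    severity: float   # assumed CVSS-style score, 0.0 to 10.0

    def __post_init__(self):
        # Reject malformed input early instead of miscounting it later
        if self.status not in VALID_STATUSES:
            raise ValueError(f"unknown status {self.status!r}")
        if self.technique not in VALID_TECHNIQUES:
            raise ValueError(f"unknown technique {self.technique!r}")


@dataclass(frozen=True)
class GateResult:
    status: str           # "Vulnerable" or "Secure"
    open_count: int
    execution_type: str   # "SAST", "DAST", "ALL", or "" when nothing was found
    break_build: bool
    exit_code: int        # assumed: 1 breaks the pipeline step, 0 lets it pass
    warnings: tuple


def blocks_deployment(f: Finding) -> bool:
    """Only open vulnerabilities block; closed and accepted ones never do."""
    return f.status == "open"


def execution_type(findings) -> str:
    """Technique(s) that produced the findings: SAST, DAST, or ALL for both."""
    techniques = {f.technique for f in findings}
    if techniques == set(VALID_TECHNIQUES):
        return "ALL"
    return next(iter(techniques), "")


def evaluate(findings, mode: Mode) -> GateResult:
    """Gate decision for one execution under the given strictness mode."""
    open_findings = [f for f in findings if blocks_deployment(f)]
    warnings = tuple(
        f"{f.technique} {f.vuln_type} (severity {f.severity}) at {f.location}"
        for f in open_findings
    )
    # Strict mode breaks the build on any open vulnerability; Tolerant only warns
    break_build = bool(open_findings) and mode is Mode.STRICT
    return GateResult(
        status="Vulnerable" if open_findings else "Secure",
        open_count=len(open_findings),
        execution_type=execution_type(findings),
        break_build=break_build,
        exit_code=1 if break_build else 0,
        warnings=warnings,
    )


def summarize_by_type(findings) -> dict:
    """Execution-log style view: per vulnerability type, the highest severity
    seen and how many findings are open, closed or accepted."""
    summary = defaultdict(
        lambda: {"severity": 0.0, "open": 0, "closed": 0, "accepted": 0}
    )
    for f in findings:
        row = summary[f.vuln_type]
        row["severity"] = max(row["severity"], f.severity)
        row[f.status] += 1
    return dict(summary)


# Constructed sample findings for one execution (not real data).
SAMPLE = [
    Finding("src/db/users.py:42", "SQL injection", "SAST", "open", 8.8),
    Finding("src/db/orders.py:17", "SQL injection", "SAST", "closed", 8.8),
    Finding("https://app.example/login", "Reflected XSS", "DAST", "accepted", 6.1),
    Finding("src/api/download.py:9", "Path traversal", "SAST", "open", 7.5),
]

if __name__ == "__main__":
    import sys
    result = evaluate(SAMPLE, Mode.STRICT)
    for line in result.warnings:
        print("WARNING:", line)
    print(f"{result.status}: {result.open_count} open, type {result.execution_type}")
    for vuln_type, row in summarize_by_type(SAMPLE).items():
        print(f"{vuln_type}: severity {row['severity']}, {row['open']} open, "
              f"{row['closed']} closed, {row['accepted']} accepted")
    sys.exit(result.exit_code)
```

Run as a script, the sample execution is reported as Vulnerable with two open findings of type ALL and exits with code 1 under Strict mode; switching to Mode.TOLERANT prints the same warnings but exits 0, which is exactly the difference the Strictness filter records.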