
IaC Security Results

The IaC Security Results page contains two main sections that work together:

  • Vulnerabilities Table

  • Code Viewer

Vulnerabilities Table


The Vulnerabilities Table lists the vulnerabilities that were found during the last IaC Security scan of the Project.

The data shown reflects a single IaC Security scan, not an aggregation across scans.

Grouping Vulnerabilities

Vulnerabilities are shown in a nested tree structure with two grouping levels - Primary and Secondary.


By default, the Primary grouping is by Platform and the Secondary grouping is by Severity.

You can set the Primary and Secondary grouping to any of the following columns. You can also select None to remove a grouping level.

  • None

  • Platform - Default Primary

  • Query Name

  • Severity - Default Secondary

  • Status

  • State

  • Issue Type

  • Category

  • File


Filtering Vulnerabilities


You can filter the vulnerabilities display by any of the columns listed below.

Several filters can be applied at once; they are combined with an AND condition, so a vulnerability is shown only if it matches every active filter.

The following filtering options are available:

  • Status

  • Severity

  • State

  • Actual Value

  • Expected Value
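To make the grouping and filtering behaviour concrete, here is an added example (not code from the Checkmarx One product or its API) that models the Vulnerabilities Table as a list of records. The column names follow the page; the record layout, the sample findings, and the function names are assumptions constructed for illustration. It builds the two-level tree (Primary then Secondary, with None collapsing a level) and applies AND-combined filters exactly as the page describes.

```python
"""Two-level grouping and AND-filtering over IaC scan findings.

Added example; the record layout is an assumption, not the Checkmarx One
data model. The sample findings below are constructed, not real scan output.
"""
from collections import defaultdict

# Constructed sample findings (four rows across two platforms).
FINDINGS = [
    {"platform": "Terraform", "query_name": "S3 Bucket Without Versioning",
     "severity": "Medium", "status": "New", "state": "To Verify",
     "issue_type": "IncorrectValue", "category": "Backup", "file": "s3.tf",
     "actual_value": "versioning is not enabled",
     "expected_value": "versioning is enabled"},
    {"platform": "Terraform", "query_name": "Security Group Open To 0.0.0.0/0",
     "severity": "High", "status": "Recurrent", "state": "Confirmed",
     "issue_type": "IncorrectValue", "category": "Networking and Firewall",
     "file": "sg.tf",
     "actual_value": 'cidr_blocks = ["0.0.0.0/0"]',
     "expected_value": "cidr_blocks restricted to known ranges"},
    {"platform": "Kubernetes", "query_name": "Container Running As Root",
     "severity": "High", "status": "New", "state": "To Verify",
     "issue_type": "MissingAttribute", "category": "Best Practices",
     "file": "deploy.yaml",
     "actual_value": "runAsNonRoot is undefined",
     "expected_value": "runAsNonRoot is true"},
    {"platform": "Kubernetes", "query_name": "Missing Resource Limits",
     "severity": "Low", "status": "New", "state": "Not Exploitable",
     "issue_type": "MissingAttribute", "category": "Resource Management",
     "file": "deploy.yaml",
     "actual_value": "resources.limits is undefined",
     "expected_value": "resources.limits is set"},
]

# Columns the table can group by, and columns it can filter on (per the page).
GROUPABLE = ("platform", "query_name", "severity", "status", "state",
             "issue_type", "category", "file")
FILTERABLE = ("status", "severity", "state", "actual_value", "expected_value")


def group_findings(findings, primary="platform", secondary="severity"):
    """Return {primary_key: {secondary_key: [findings]}}.

    Passing None for a level collapses it into a single "(all)" bucket,
    mirroring the table's None option. Defaults match the page: Platform
    as Primary, Severity as Secondary.
    """
    for level in (primary, secondary):
        if level is not None and level not in GROUPABLE:
            raise ValueError(f"cannot group by {level!r}")
    tree = defaultdict(lambda: defaultdict(list))
    for finding in findings:
        p_key = finding[primary] if primary else "(all)"
        s_key = finding[secondary] if secondary else "(all)"
        tree[p_key][s_key].append(finding)
    return {p: dict(s) for p, s in tree.items()}


def filter_findings(findings, **criteria):
    """AND-combine filters: a finding survives only if every criterion matches.

    Each criterion value may be a single value or a collection of accepted
    values (a multi-select within one column). Different columns are ANDed.
    """
    for column in criteria:
        if column not in FILTERABLE:
            raise ValueError(f"cannot filter by {column!r}")

    def matches(finding):
        for column, wanted in criteria.items():
            accepted = wanted if isinstance(wanted, (set, list, tuple)) else (wanted,)
            if finding[column] not in accepted:
                return False
        return True

    return [f for f in findings if matches(f)]


if __name__ == "__main__":
    tree = group_findings(FINDINGS)
    for platform, by_severity in tree.items():
        for severity, rows in by_severity.items():
            print(f"{platform} / {severity}: {len(rows)} finding(s)")
    print(len(filter_findings(FINDINGS, severity="High", state="To Verify")),
          "High findings still To Verify")
```

Because the column filters are ANDed, narrowing by Severity and then by State only ever shrinks the list; to widen a single column you pass several accepted values for that column instead.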

Code Viewer


The Code Viewer section shows the source code in which a selected vulnerability was found, together with the details of that vulnerability.

The Code Viewer section includes the following functionality:

  • The panel is opened on demand by clicking on a vulnerability in the table.

  • The panel can be resized by dragging the bottom bar, which resizes the code viewer section vs. the vulnerabilities section.

  • An additional panel is integrated within the Code Viewer panel, containing the following options:

    • Changes - Lists the Severity and/or State changes that were made to the selected vulnerability, as well as the Comments that were added.

    • Notes - Lists all the comments that were added to the selected vulnerability.

    • Description - Shows a brief description of the vulnerability. The bottom section shows the file in which the vulnerability was identified, the problematic "actual value" of the element, and the "expected value" for that element.

Opening Code Viewer

To open the Code Viewer section, perform the following:

  1. Click on a vulnerability grouping to expand the display. Continue drilling down until the individual vulnerability instances are shown.

  2. Click on a vulnerability instance to show the relevant code in the Code Viewer window.

Managing (Triaging) Results

Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a 'Predicate' associated with it, which consists of the following attributes: 'State', 'Severity' and 'Notes'. After reviewing the results of a scan, you can triage the results and modify these predicates accordingly. For more information about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.

You can adjust the predicate for a specific vulnerability while viewing that vulnerability on the Scan Results page.

Warning

Only users with the Checkmarx One role update-result (e.g., a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g., an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.

Triaging a Single Vulnerability

To edit the result predicate:

  1. Navigate to the vulnerability that you would like to edit.

  2. To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.

  3. To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.

  4. To add a note, click on the Note icon in the toolbar. In the Notes pane that opens, click + Add and then enter the desired text and click the Add button at the bottom.


Triaging Multiple Vulnerabilities (Bulk Action)

To edit the result predicate for multiple vulnerabilities:

  1. In the Vulnerabilities table, select the checkbox next to each vulnerability for which you would like to make the changes.

    Note

    Alternatively, you can select all instances in a group of vulnerabilities by selecting the checkbox at the top of that section.

    A menu bar is shown at the top of the table.

  2. To adjust the severity, click on the Change Severity button, and select from the dropdown list the severity that you would like to assign.

    Options are: High, Medium, Low or Info.

  3. To adjust the state, click on the Change State button, and select from the dropdown list the state that you would like to assign.

    Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.

  4. To add a note, click on the Add Note button. In the Notes pane that opens, enter the desired text and click Save.

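The single and bulk triage procedures above change the same three predicate attributes, subject to the two role checks in the Warning. The following added example (illustration only, not Checkmarx One's code or API) models a predicate as State, Severity and Notes, applies one change to one or many vulnerability ids, records each change for the Changes panel, and enforces that update-result is needed for any predicate change while update-result-not-exploitable is additionally needed to set 'Not Exploitable'. The class and function names, the in-memory store, and the user name are assumptions; the role names and allowed values are the ones the page lists.

```python
"""Triage predicate (State, Severity, Notes) with the page's role checks.

Added example; Predicate, triage() and the dict store are assumptions made
for illustration, not the Checkmarx One API.
"""
from dataclasses import dataclass, field

# Allowed values, as listed on the page.
SEVERITIES = ("High", "Medium", "Low", "Info")
STATES = ("To Verify", "Not Exploitable", "Proposed Not Exploitable",
          "Confirmed", "Urgent")

# Role names from the page's Warning.
ROLE_UPDATE = "update-result"
ROLE_UPDATE_NE = "update-result-not-exploitable"


@dataclass
class Predicate:
    severity: str
    state: str = "To Verify"
    notes: list = field(default_factory=list)    # (user, text) -> Notes panel
    changes: list = field(default_factory=list)  # (user, field, old, new) -> Changes panel


def _authorize(roles, state):
    """Raise PermissionError unless the caller may make the requested change."""
    if ROLE_UPDATE not in roles:
        raise PermissionError(f"role {ROLE_UPDATE!r} is required to change a predicate")
    if state == "Not Exploitable" and ROLE_UPDATE_NE not in roles:
        raise PermissionError(f"role {ROLE_UPDATE_NE!r} is required to mark Not Exploitable")


def triage(predicates, ids, roles, *, severity=None, state=None, note=None,
           user="reviewer"):
    """Apply the same change to one id (single triage) or many (bulk action).

    All validation and authorization happens before any predicate is touched,
    so a bulk request either applies to every selected id or to none of them.
    Returns the updated predicates in the order the ids were given.
    """
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"invalid severity {severity!r}")
    if state is not None and state not in STATES:
        raise ValueError(f"invalid state {state!r}")
    missing = [i for i in ids if i not in predicates]
    if missing:
        raise KeyError(f"unknown vulnerability ids: {missing}")
    _authorize(roles, state)

    for vuln_id in ids:
        pred = predicates[vuln_id]
        if severity is not None and severity != pred.severity:
            pred.changes.append((user, "severity", pred.severity, severity))
            pred.severity = severity
        if state is not None and state != pred.state:
            pred.changes.append((user, "state", pred.state, state))
            pred.state = state
        if note:
            pred.notes.append((user, note))
    return [predicates[i] for i in ids]


if __name__ == "__main__":
    # Constructed store of three vulnerability instances.
    store = {"v1": Predicate("High"), "v2": Predicate("Medium"), "v3": Predicate("Low")}
    # Bulk action by a user holding only update-result.
    triage(store, ["v1", "v2"], {ROLE_UPDATE}, state="Confirmed", note="validated in staging")
    try:
        triage(store, ["v3"], {ROLE_UPDATE}, state="Not Exploitable")
    except PermissionError as exc:
        print("blocked:", exc)
    for vuln_id, pred in store.items():
        print(vuln_id, pred.severity, pred.state, pred.changes)
```

Validating and authorizing before the loop matters for the bulk path: a user who lacks the update-result-not-exploitable role and selects ten instances should see none of them change, rather than some of them. The same separation lets 'Proposed Not Exploitable' remain available to a risk-manager while 'Not Exploitable' itself stays reserved for the higher role, exactly as the page's Warning states.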