Skip to main content

Software Supply Chain Security Results Viewer

The Software Supply Chain Security results viewer shows detailed SCS results for the latest scan of a specific project.

This screen can be accessed in either of the following ways:

  • Go to the Workspace Workspace.png > Software Supply Chain Security tab and click on the row of the relevant project, or

  • Go to the Workspace Workspace.png > Projects tab, hover over the Results link for the relevant project and select the SCS results viewer.

The results are shown separately for each scanner. If the project was scanned by more than one scanner, then you can select which scanner results to show using the drop-down list in the header bar.

Image_026.png

The main screen shows risks identified by the selected scanner, grouped by category. Click on a category to expand the display and show the affected file/artifact and the suggest remediation action.

You can apply filters and/or enter free text search strings.

Image_027.png

OSSF Scorecard

When the Scorecard scanner is selected, results are grouped by the OSSF check that identified the risk.

Hover over the info icon next to the name of a check type to see a description of that check.

Click on a check type to expand the section and show a list of risks of that type.

Image_1168.png

The following table describes the information shown for each risk.

Item

Description

Severity

The severity of the risk.

File/Artifact

The path to the file or artifact in which the risk was detected.

Remediation

Provides a link to the OSSF documentation which includes remediation recommendations for the relevant OSSF check.

Secret Detection

When the Secret Detection scanner is selected, results are grouped by the type of secret detected. When you click on a type, a list of risks of that type is shown.

The following table describes the information shown for each risk.

Item

Description

Severity

The severity of the risk.

Note: The severity for all detected secrets is High.

File/Artifact

The path to the file or artifact in which the secret was detected.

Location

The line in which the secret was detected.

Validity

Indicates whether or not the secret is currently valid.

Remediation

Shows a few characters of the detected secret, with the remaining characters masked for security purposes. The recomended remediation for detected secrets is to first remove the secret from your file and then change the secret.