View details of the security of your builds | Fluid Attacks Help

View details of the security of your builds

Fluid Attacks' CI Agent supports the DevSecOps methodology applied in your projects. The agent acts as a security gate within your continuous integration and continuous deployment (CI/CD) environments, preventing vulnerable code from reaching production. That is, the Agent monitors your software versions and, if it detects vulnerabilities that have been neither remediated nor accepted, automatically breaks the build to enforce their remediation, upholding your security standards. The rules for breaking the build can be configured at the organization level in the platform's Policies section, or at the group level in the Scope section.

You can see details of each of the CI Agent's executions in the DevSecOps section. This page guides you through it.

DevSecOps table

Your group's DevSecOps section features a comprehensive table that shows the execution history of the CI Agent within your pipeline. Gain deeper insights into each execution by simply clicking on the corresponding date.

Know the DevSecOps table on the Fluid Attacks platform

The following are brief descriptions of the table columns:

  • Date: The date and time the CI Agent was executed in your pipeline
  • Status: Whether vulnerabilities were found in the execution:
    • Vulnerable: Indicates that the agent identified at least one vulnerability that has not been fixed
    • Secure: Indicates that no unfixed vulnerabilities were found
  • Accepted vulnerabilities: The total number of vulnerabilities detected that are tolerated by your policies
  • Unmanaged vulnerabilities: The total number of vulnerabilities detected that break the build
  • Strictness: Whether breaking the build was enabled:
    • Strict: The CI Agent is configured to break the build if unmanaged vulnerabilities are detected, preventing deployment into production
    • Tolerant: The CI Agent only issues warnings for unfixed vulnerabilities, allowing deployment into production
  • Type: The security testing technique(s) with which the vulnerabilities were detected, which can take the following values:
    • STATIC: Static application security testing (SAST)
    • DYNAMIC: Dynamic application security testing (DAST)
    • ALL: At least one vulnerability was found through SAST and at least one through DAST
  • Git root: The nickname of the Git repository whose changes were scanned by the CI Agent
  • Identifier: The first eight characters of the unique alphanumeric identifier of the CI Agent's run

Filter the DevSecOps table

Info on required role
Role required: User, Vulnerability Manager or User Manager

By clicking on Filters, you access several options to limit the information shown in the table. 

Filter the DevSecOps table on the Fluid Attacks platform

Search the DevSecOps table

Info on required role
Role required: User, Vulnerability Manager or User Manager

Type in the search bar to make the table show only the rows that contain your exact search term.

Search the DevSecOps table on the Fluid Attacks platform

Download a report of the Agent executions

Info on required role
Role required: User, Vulnerability Manager or User Manager

The platform allows you to download the information contained in the DevSecOps table as a comma-separated values (CSV) file. You just need to click on the Generate a report button and then confirm the delivery to your email.

Download DevSecOps table on the Fluid Attacks platform (Generate report button)
Confirm DevSecOps report delivery on the Fluid Attacks platform (Confirmation window)

View Agent execution details

Info on required role
Role required: User, Vulnerability Manager or User Manager

In the DevSecOps section, to gain more details about a specific CI Agent execution, click on its date.

Select an Agent execution on the Fluid Attacks platform

A pop-up window appears with a wealth of details about that specific run. Below Execution details you find the data already present in the table, plus the values of three policies applied in that execution.

View Agent execution policy details on the Fluid Attacks platform

Here are brief definitions of these policies:

  1. Severity threshold: The minimum CVSS score required for an unfixed vulnerability to break the build
  2. Grace period: The number of days during which newly discovered vulnerabilities do not break the build
  3. Days until it breaks: The number of days until vulnerabilities are considered technical debt and do not break the build

Below these details, you are presented with two tabs: Summary and Execution log.

    Summary

    This tab presents a table with information about all vulnerabilities identified by the CI Agent in its execution.

    See Agent execution summary on the Fluid Attacks platform

    The table has the following columns:

    1. Exploitability: The degree to which the vulnerability might lead to a successful attack, as measured by the CVSS (Common Vulnerability Scoring System)
    2. Status: Indicates that the lines of code, inputs or ports are Vulnerable (the vulnerability is present)
    3. Type: The security testing technique(s) with which the vulnerabilities were detected, as defined above
    4. Specific: The exact lines of code, inputs (e.g., password fields) or ports where the vulnerability was found
    5. Where: The file path where this vulnerability was found

    You can customize the visible columns in the table to focus on the data that matters most to you. Access this option by clicking on the Columns button.

    Hide execution summary columns on the Fluid Attacks platform

    You can also apply filters to narrow down the information displayed in the table, facilitating targeted analysis.

    Filter execution summary table on the Fluid Attacks platform

    Moreover, you can simply type what you are looking for in the search box, so that only the rows whose content matches your search are shown.

    Search the execution summary table on the Fluid Attacks platform

    Execution log

    Tip on getting the execution log
    You can get the execution log in JSON format either by using the --output CLI option to write the report to a file, or by querying the jsonLog attribute of forcesExecution in the platform's API.

    Understanding the CI Agent's execution log can sometimes be challenging. This section offers tips and key information to help you interpret it and get the most out of the data. The main elements to take into account are the following:

    1. Arguments: The log's content depends on the parameters or arguments used during agent execution. For illustration purposes, the screenshots below show an example of an execution with the following arguments: --static and --strict.

      View arguments in execution log on the Fluid Attacks platform

    2. Report body: The core of the report is the detailed information about the detected vulnerabilities. Here is a brief explanation of the content shown for each of them:
      1. title: The category that best describes the vulnerability, following Fluid Attacks' own classification
      2. url: The vulnerability's URL on the platform
      3. state: Indicates the condition of the group regarding the type of vulnerability; it is Vulnerable if the type is present
      4. exploit: From the CVSS, the probability of exploitation given the current state of exploitation techniques, exploit code availability, and actual exploitation "in the wild"
      5. severity: The vulnerability type's severity score (from 0.1 to 10.0) using the CVSS
      6. vulnerable: The total number of unfixed vulnerabilities
      7. locations: The vulnerabilities that were identified, for which the following is reported:
        1. type: Whether the vulnerability was found by looking at the source code (static) or by attacking the running application (dynamic)
        2. technique: The security testing technique with which the vulnerability was detected
        3. where: The file path where this vulnerability was found
        4. specific: The exact lines of code, inputs (e.g., password fields) or ports where the vulnerability was found
        5. state: Indicates that the lines of code, inputs or ports are Vulnerable (the vulnerability is present)
        6. severity: This specific vulnerability's severity score using the CVSS
        7. compliance: Whether the vulnerability breaks the build

      View Agent execution log on the Fluid Attacks platform

    3. Summary: The report concludes with a summary highlighting the total number of unfixed vulnerabilities, the CI Agent's execution time, the policies verified, the vulnerability type's name and age, and whether the build was broken or passed.

      View execution log summary on the Fluid Attacks platform
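As an added example (not the CI Agent's own code or output), the script below reduces an execution log carrying the fields listed above to the columns of the DevSecOps table and applies the Strictness rule. The nesting under a `findings` array, the sample values, the placeholder URLs and the reading of `compliance` as true when the location breaks the build are assumptions; the real --output file may differ, so check the polarity against one of your own logs.

```python
import json

# Constructed sample of an execution log (not real CI Agent output); the nesting
# under "findings" is an assumption built from the field names the page lists.
SAMPLE_LOG = json.dumps({"findings": [
    {"title": "Use of an insecure channel", "url": "https://PLACEHOLDER/vuln/1",
     "state": "vulnerable", "exploit": "Proof of concept", "severity": 6.5,
     "vulnerable": 2, "locations": [
        {"type": "static", "technique": "SAST", "where": "src/net/client.py",
         "specific": "42", "state": "vulnerable", "severity": 6.5, "compliance": True},
        {"type": "dynamic", "technique": "DAST", "where": "https://PLACEHOLDER/login",
         "specific": "password field", "state": "vulnerable", "severity": 6.5,
         "compliance": False}]},
    {"title": "Insecure temporary files", "url": "https://PLACEHOLDER/vuln/2",
     "state": "vulnerable", "exploit": "Unproven", "severity": 3.1,
     "vulnerable": 1, "locations": [
        {"type": "static", "technique": "SAST", "where": "scripts/build.sh",
         "specific": "17", "state": "vulnerable", "severity": 3.1, "compliance": False}]},
]})


def summarize(log_text: str) -> dict:
    """Reduce a log to the DevSecOps table columns: Status, Type and the
    Accepted/Unmanaged counts. Assumption: compliance == True means the
    location breaks the build (the page's wording); verify against your logs."""
    unmanaged = accepted = 0
    kinds = set()
    for finding in json.loads(log_text)["findings"]:
        open_locs = [loc for loc in finding["locations"] if loc["state"] == "vulnerable"]
        if len(open_locs) != finding["vulnerable"]:
            raise ValueError(f'{finding["title"]}: location count disagrees with "vulnerable"')
        for loc in open_locs:
            kinds.add(loc["type"])
            if loc["compliance"]:
                unmanaged += 1   # breaks the build: counted as Unmanaged
            else:
                accepted += 1    # tolerated by policy: counted as Accepted
    if not kinds:
        kind = None              # nothing unfixed, so no Type to report
    elif kinds == {"static", "dynamic"}:
        kind = "ALL"
    else:
        kind = kinds.pop().upper()   # "STATIC" or "DYNAMIC"
    return {"status": "Vulnerable" if unmanaged + accepted else "Secure",
            "type": kind, "unmanaged": unmanaged, "accepted": accepted}


def exit_code(summary: dict, strict: bool) -> int:
    """Mirror the Strictness column: only a strict run fails on unmanaged findings."""
    return 1 if strict and summary["unmanaged"] > 0 else 0


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result)
    raise SystemExit(exit_code(result, strict=True))
```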