Review Container Security results in the Veracode Platform
You can review the results from Veracode Container Security scans in the Veracode Platform, using the Veracode CLI, or in the repos you scanned using Veracode Repository Scanning. The results show the vulnerabilities and risks for your containers and Infrastructure as Code (IaC) files, and details about the scans.
Access the scan results
The Veracode Platform provides a visual representation of the severity count of scan findings, categorized as critical, high, medium, and low.
You can also search and filter findings, assess the findings against your security policy, view the scan history of each scanned asset, and get mitigation guidance for each finding.
Before you begin:
- Ensure you set analysis_on_platform to true in your veracode.yml file before scanning.
- Ensure you have completed a scan using the Veracode CLI or using Veracode Repository Scanning in your repos.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans & Analysis > Container and IaC Analysis. The Container and IaC Analysis page opens and displays the following information for each asset. The scanned assets appear in reverse chronological order, with the most recently scanned assets listed first.
  - Asset type and scan type
  - Source or location of the asset
  - Completion status of the scan
  - Count of the findings by severity, for completed scans
- To review the results for a scanned asset, select the asset's name. If several assets are listed, search for a specific asset or source.
- To filter the list by parameters such as asset type and scan status, select Filter.
View scan summary
The scan summary shows whether a scan passed policy requirements and provides details for a scanned asset. A scan passes a policy only if each of the findings in the scan passes the policy.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
- To see details of earlier scans, select a scan from the Scan Name dropdown.
The summary page of an asset of the container scan type (images and archives) has an extra field called Tag. For such an asset, first select the tag, then select a scan from the Scan Name dropdown.
The Findings by severity graph provides a visual representation of the count of the findings based on the severity.
View scan findings
The Findings page in the Veracode Platform shows details about each finding in a scanned asset. This information helps you understand the finding and mitigate it.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed. To see the scan summary of an earlier scan, select it from the Scan Name dropdown.
- To view the finding details of the latest scan, select the Findings tab. The following details are displayed for each finding in the scan:
  - The policy status of the finding, that is, whether it passed or failed the policy. If the asset was scanned without a policy, the status of the finding is not assessed.
  - The finding ID, which depends on the finding type.
  - The finding type, which can be vulnerability, misconfiguration, or secret.
  - The file or location where the finding was identified.
  - The severity of the finding and its CVSS score.
  - The detailed summary of the finding. Click View Details. The right drawer shows the following information:
    - If the finding type is secret, the summary of the secret.
    - If the finding type is vulnerability, the summary of the vulnerability, the image details, the exploitability score, and the steps to mitigate it.
    - If the finding type is misconfiguration, the summary of the misconfiguration, reference URLs, and resource context.
- Optionally, search for findings by finding ID or description using the search box.
- To filter the findings by given criteria, select Filter.
View scan history
The Scan history page shows the list of scans performed along with the following information for each scan:
- The date the scan was performed.
- The user who performed the scan.
- The count of findings by severity.
Use the Scan history to track changes in reported findings.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
- Select the Scan history tab. The list of scans performed for the asset is displayed. To search for a scan, use the search box.
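The rules stated in the scan summary, Findings, and Scan history sections above (a scan passes only if every finding passes; findings scanned without a policy are "not assessed"; findings are counted by severity, searched by ID or description, and filtered by type or policy status; scan history is used to track changes in reported findings) can be reproduced locally as a CI gate over exported findings. The following Python script is an added example written for this page; it is not Veracode's code, and the finding records, finding IDs, the field names, the policy, and the earlier-scan data are all constructed assumptions rather than Veracode's export schema.

```python
"""Local policy gate and scan-history comparison over container/IaC findings.

Added example, not Veracode code. The finding records below are constructed
to mirror the columns of the Findings tab (policy status, finding ID, type,
location, severity, CVSS, description); their field names and IDs are
assumptions, not Veracode's JSON export schema.
"""
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings for the latest scan of an asset (hypothetical IDs).
FINDINGS = [
    {"id": "EXAMPLE-VULN-1", "type": "vulnerability", "severity": "high",
     "cvss": 7.5, "location": "usr/lib/libexample.so",
     "description": "Example out-of-bounds read in libexample (constructed)"},
    {"id": "EXAMPLE-MISCONFIG-1", "type": "misconfiguration", "severity": "medium",
     "cvss": None, "location": "Dockerfile:3",
     "description": "Container runs as root (constructed)"},
    {"id": "EXAMPLE-SECRET-1", "type": "secret", "severity": "critical",
     "cvss": None, "location": "config/.env",
     "description": "Hard-coded cloud access key (constructed)"},
    {"id": "EXAMPLE-VULN-2", "type": "vulnerability", "severity": "low",
     "cvss": 3.1, "location": "usr/lib/libother.so",
     "description": "Example denial of service in libother (constructed)"},
]

# Constructed earlier scan of the same asset, used for the history comparison.
PREVIOUS_FINDINGS = [
    FINDINGS[0],
    FINDINGS[1],
    {"id": "EXAMPLE-VULN-3", "type": "vulnerability", "severity": "medium",
     "cvss": 5.3, "location": "usr/lib/libold.so",
     "description": "Example vulnerability removed by a rebuild (constructed)"},
]

# Hypothetical policy: fail any finding at or above the severity threshold,
# and always fail secrets regardless of severity.
DEFAULT_POLICY = {"fail_at_or_above": "medium", "always_fail_types": {"secret"}}


def severity_counts(findings):
    """Count findings per severity, always reporting all four buckets."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def assess_finding(finding, policy):
    """Return 'passed', 'failed', or 'not assessed' (no policy applied)."""
    if policy is None:
        return "not assessed"
    if finding["type"] in policy["always_fail_types"]:
        return "failed"
    threshold = SEVERITY_RANK[policy["fail_at_or_above"]]
    return "failed" if SEVERITY_RANK[finding["severity"]] >= threshold else "passed"


def assess_scan(findings, policy):
    """A scan passes only if every finding passes; without a policy it is
    'not assessed'. Returns the scan status plus per-finding statuses."""
    statuses = {f["id"]: assess_finding(f, policy) for f in findings}
    if policy is None:
        status = "not assessed"
    elif all(s == "passed" for s in statuses.values()):
        status = "passed"
    else:
        status = "failed"
    return {"status": status, "by_severity": severity_counts(findings),
            "findings": statuses}


def search(findings, term):
    """Mimic the Findings search box: match on finding ID or description."""
    term = term.lower()
    return [f for f in findings
            if term in f["id"].lower() or term in f["description"].lower()]


def filter_findings(findings, policy=None, finding_type=None, policy_status=None):
    """Mimic the Filter control: narrow by finding type and/or policy status."""
    out = []
    for f in findings:
        if finding_type and f["type"] != finding_type:
            continue
        if policy_status and assess_finding(f, policy) != policy_status:
            continue
        out.append(f)
    return out


def compare_scans(previous, current):
    """Track changes between two scans of one asset, as the Scan history is
    used for: findings that are new, no longer reported, or still open."""
    prev_ids = {f["id"] for f in previous}
    cur_ids = {f["id"] for f in current}
    return {"new": sorted(cur_ids - prev_ids),
            "fixed": sorted(prev_ids - cur_ids),
            "still_open": sorted(cur_ids & prev_ids)}


if __name__ == "__main__":
    result = assess_scan(FINDINGS, DEFAULT_POLICY)
    print("scan status:", result["status"])
    print("findings by severity:", result["by_severity"])
    for fid, status in result["findings"].items():
        print(f"  {fid}: {status}")
    print("failed vulnerabilities:",
          [f["id"] for f in filter_findings(FINDINGS, DEFAULT_POLICY,
                                            "vulnerability", "failed")])
    print("changes since previous scan:", compare_scans(PREVIOUS_FINDINGS, FINDINGS))
```

Running the script with the constructed data reports the scan as failed, because one failing finding is enough to fail the scan; passing `None` as the policy yields "not assessed" for every finding and for the scan, matching the status shown when an asset is scanned without a policy. The `compare_scans` output is the kind of delta worth recording from the Scan history tab after each rebuild.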