Review findings in containers and IaC assets
You can review the results from Veracode Container Security scans in the Veracode Platform (explained in this section), using the Veracode CLI, or in the repos you scanned using Veracode Repository Scanning. The results show the vulnerabilities and risks for your containers and Infrastructure as Code (IaC) files, and details about the scans.
Access the results
The Veracode Platform provides a visual representation of the severity count of scan findings, categorized as critical, high, medium, and low.
You can also search and filter findings, assess the findings against your security policy, view the scan history of each scanned asset, and get mitigation guidance for each finding.
Before you begin:
- Ensure you set analysis_on_platform to true in your veracode.yml file before scanning.
- Ensure you have completed a scan using the Veracode CLI or using Veracode Repository Scanning in your repos.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans & Analysis > Container and IaC Analysis. The Container and IaC Analysis page opens and displays the following information for each asset. The scanned assets appear in chronological order, with the most recently scanned assets listed first.
  - Asset type and scan type
  - Source or location of the asset
  - Completion status of the scan
  - Count of the findings based on the severity for completed scans
- To review the results for a scanned asset, select the asset's name. If several assets are listed, search for a specific asset or source.
- To filter the list based on given parameters, such as asset type and scan status, select Filter.
View scan summary
The scan summary shows whether a scan passed policy requirements and provides details for a scanned asset. A scan passes a policy only if each of the findings in the scan passes the policy.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
- To see details of earlier scans, select a scan from the Scan Name dropdown.
The summary page of an asset belonging to the container scan type (images and archives) has an extra field called Tag. For this asset, first select the tag, then select a scan from the Scan Name dropdown.
The Findings by severity graph provides a visual representation of the count of the findings based on the severity.
View scan findings
The Findings page in the Veracode Platform shows the following details about each finding in a scanned asset. This information helps you to understand the finding and mitigate it.
- The policy status of each finding, that is, whether the finding passed or failed the policy. If the asset was scanned without a policy, the status of the finding is not assessed.
- The finding ID based on the finding type.
- A brief description of the finding.
- The finding type, which can be vulnerability, misconfiguration, or secret.
- The file or location where the finding was identified.
- The severity of the finding.
- The line number in the code where this finding is present.
- A reference URL that provides insight into the finding.
- A suggested fix that can mitigate or resolve the finding.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
- Select the Findings tab. The list of findings, along with the corresponding details, is displayed.
- Optionally, search for findings based on the finding ID or description using the search box.
- To filter the findings based on finding type or severity, select Filter.
View scan history
The Scan history page shows the list of scans performed along with the following information for each scan:
- The date the scan was performed.
- The user who performed the scan.
- The count of findings based on the severity.
Use the Scan history to track changes in reported findings.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
- Select the Scan history tab. The list of scans performed for the asset is displayed. To search for a scan, use the search box.