Container and IaC Analysis

You can access the results of container and IaC scans, performed from the CLI, on the Veracode Platform. The Veracode Platform provides a visual representation of the severity count of scan findings, categorized as critical, high, medium, and low. In addition, you can search and filter findings, view scan history, and receive mitigation guidance.

Each container scan is performed on an asset. The types of assets you can scan are repository, directory, container base image, and archive.

The scan type depends on the type of asset. The scan type for repository and directory is IaC; the scan type for image and archive is Container.

Access Container and IaC Analysis

To access Container and IaC Analysis, in the Veracode Platform, select Scans & Analysis, then select Container and IaC Analysis. The Container and IaC Analysis page lists the scanned assets along with the following information for each asset:

  • Asset type
  • Scan type
  • Source or location of the asset
  • Completion status of the scan
  • Count of findings by severity, for completed scans

The scanned assets appear in chronological order, with the most recently scanned assets listed first.

You can search the list based on an asset or source. To view the details of a scanned asset, select the asset. To filter the list based on given parameters, such as asset type and scan status, select Filter.

View scan summary

Scan summary displays details of scans for a scanned asset.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis, then select Container and IaC Analysis. The scanned assets are listed.
  2. Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
  3. To see details of earlier scans, select a scan from the Scan Name dropdown.

The summary page of an asset with the Container scan type (images and archives) has an additional field, Tag. For these assets, first select the tag, then select a scan from the Scan Name dropdown.

The Findings by severity graph shows the count of findings at each severity level.

View scan findings

The Findings page shows details of each finding in a scanned asset. This information helps you to understand the finding and mitigate it.

The following information is displayed for each finding:

  • The finding ID, which depends on the finding type.
  • A brief description of the finding.
  • The finding type, which can be vulnerability, misconfiguration, or secret.
  • The file or location where the finding was identified.
  • The severity of the finding.
  • The line number in the code where the finding is present.
  • A reference URL that provides more insight into the finding.
  • A suggested fix that can mitigate or resolve the finding.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis, then select Container and IaC Analysis. The scanned assets are listed.
  2. Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
  3. Select the Findings tab. The list of findings, along with the corresponding details, is displayed.

You can search by finding ID or description using the search box. To filter the findings by finding type or severity, select Filter.

View policy violations

The policy details page shows how the asset has violated policy requirements.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis, then select Container and IaC Analysis. The scanned assets are listed.
  2. Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
  3. Select the Policy details tab. The files that did not meet policy requirements along with corresponding descriptions are displayed.

You can search for a file using the search box.
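The Findings and Policy details pages above present the same underlying data in two ways: a count of findings per severity (with search and filter), and a per-file list of findings that break policy. The script below is an added example, not Veracode's code or its export format, that applies those two views to a small constructed set of finding records. The record shape (`id`, `description`, `type`, `file`, `severity`, `line`) mirrors the fields the Findings page lists; the IDs are placeholders, and the policy rule (nothing above medium severity, no secrets) is an assumption chosen for the illustration.

```python
from collections import Counter

# Severity ranking used to compare a finding against a threshold.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample findings with placeholder IDs. The key names are an
# assumed layout for this example, not the platform's export format.
SAMPLE_FINDINGS = [
    {"id": "VULN-EXAMPLE-0001", "description": "Outdated package in base image",
     "type": "vulnerability", "file": "Dockerfile", "severity": "high", "line": 1},
    {"id": "MISCONF-EXAMPLE-01", "description": "Container runs as root",
     "type": "misconfiguration", "file": "Dockerfile", "severity": "medium", "line": 12},
    {"id": "SECRET-EXAMPLE-01", "description": "Hard-coded access key",
     "type": "secret", "file": "terraform/main.tf", "severity": "critical", "line": 44},
    {"id": "MISCONF-EXAMPLE-02", "description": "Storage bucket without encryption",
     "type": "misconfiguration", "file": "terraform/s3.tf", "severity": "low", "line": 7},
]


def severity_counts(findings):
    """Count findings per severity: the numbers behind a 'Findings by severity' view."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def filter_findings(findings, finding_type=None, min_severity="low"):
    """Filter by finding type and/or a minimum severity, like the Filter control."""
    threshold = SEVERITY_ORDER[min_severity]
    return [f for f in findings
            if (finding_type is None or f["type"] == finding_type)
            and SEVERITY_ORDER[f["severity"]] >= threshold]


def policy_violations(findings, max_severity="medium", forbidden_types=("secret",)):
    """Group policy-breaking findings by file with a reason for each.

    Hypothetical policy: any finding above max_severity, or of a forbidden
    type, violates policy. Returns {file: [description, ...]}.
    """
    limit = SEVERITY_ORDER[max_severity]
    violations = {}
    for f in findings:
        reasons = []
        if SEVERITY_ORDER[f["severity"]] > limit:
            reasons.append(f"severity {f['severity']} exceeds allowed {max_severity}")
        if f["type"] in forbidden_types:
            reasons.append(f"finding type '{f['type']}' is not permitted")
        if reasons:
            violations.setdefault(f["file"], []).append(
                f"{f['id']} (line {f['line']}): " + "; ".join(reasons))
    return violations


if __name__ == "__main__":
    print("Findings by severity:", severity_counts(SAMPLE_FINDINGS))
    for path, reasons in policy_violations(SAMPLE_FINDINGS).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Grouping violations by file rather than by finding matches how the Policy details page reports them, and keeps the remediation owner (whoever maintains that Dockerfile or Terraform module) visible in the output.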

View scan history

The Scan history page shows the list of scans performed along with the following information for each scan:

  • The date the scan was performed.
  • The user who performed the scan.
  • The count of findings by severity.

Use the scan history to track how reported findings change from one scan to the next.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis, then select Container and IaC Analysis. The scanned assets are listed.
  2. Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
  3. Select the Scan history tab. The list of scans performed for the asset is displayed.

You can search for a scan using the search box.
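Tracking changes across the scan history comes down to comparing the finding sets of two scans of the same asset: which findings are new, which were resolved, and which persist. The function below is an added example, not part of Veracode's product or the original page, working on two constructed scans in the same record shape used on the Findings page (`id`, `file`, `line`, `severity`). It deliberately identifies a finding by ID and file only, because line numbers shift whenever the file above the finding is edited; keying on the line would report every such shift as one resolved and one new finding.

```python
def finding_key(finding):
    """Identity of a finding across scans: the same finding ID in the same file.

    The line number is excluded on purpose so that unrelated edits that move
    the offending line do not look like a fix plus a new finding.
    """
    return (finding["id"], finding["file"])


def scan_delta(previous, current):
    """Compare two scans of one asset and return new, resolved and persisting findings."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    return {
        "new": [curr[k] for k in sorted(curr.keys() - prev.keys())],
        "resolved": [prev[k] for k in sorted(prev.keys() - curr.keys())],
        "persisting": [curr[k] for k in sorted(curr.keys() & prev.keys())],
    }


# Constructed scan history for one asset: an earlier and a later scan.
# IDs are placeholders; the record layout is assumed for this example.
SCAN_EARLIER = [
    {"id": "VULN-EXAMPLE-0001", "file": "Dockerfile", "line": 1, "severity": "high"},
    {"id": "MISCONF-EXAMPLE-01", "file": "Dockerfile", "line": 12, "severity": "medium"},
    {"id": "SECRET-EXAMPLE-01", "file": "terraform/main.tf", "line": 44, "severity": "critical"},
]
SCAN_LATER = [
    # Base image updated: VULN-EXAMPLE-0001 is gone.
    # Root-user misconfiguration still present, but three lines lower after an edit.
    {"id": "MISCONF-EXAMPLE-01", "file": "Dockerfile", "line": 15, "severity": "medium"},
    # Secret removed from main.tf, but a new misconfiguration appeared in s3.tf.
    {"id": "MISCONF-EXAMPLE-02", "file": "terraform/s3.tf", "line": 7, "severity": "low"},
]


if __name__ == "__main__":
    delta = scan_delta(SCAN_EARLIER, SCAN_LATER)
    for bucket, items in delta.items():
        print(f"{bucket}: {[f['id'] for f in items]}")
```

A delta like this is what a scan-history view lets you read off by eye; computing it explicitly is useful when the number of findings is large or when you want to alert only on the "new" bucket rather than on every scan.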