When Bridgecrew is connected to Version Control Systems and CI/CD platforms, every scan generates a fully contextualized Code Review scan result.
The section of code that triggered the error is highlighted, and metadata (such as run time and run ID) is displayed. Depending on the type of scan (VCS scan or CI/CD run) and the status of the PR (latest commit or an older one, PR open or closed), you can perform functions such as Suppress, Fix, Search for a specific Run, or view Resource Explorer data.
Code Review Grid
In addition to the methods available on the Projects page for browsing and locating Code Reviews, you can also see a structured table of Code Reviews here. The Code Review grid includes errors found (1) during scans of Pull Requests and (2) during CI/CD system runs.
Errors from these sources are also shown on the Projects screen, which additionally includes errors found during scans of a repository's default branch. Default branch scans are not included in the Code Review grid.
You can locate a specific Code Review by browsing, searching or filtering.
The dropdown list at the top of the Projects page includes all Code Review sources: VCS/Code Repositories and CI/CD runs.
- The icon next to each entry in the dropdown list at the top of the Projects page indicates the type of scan.
- Code Reviews from repositories are grouped by the path of a folder.
- Each entry within a path is for an error found in a specific resource within a specific file, as indicated in the entry's header.
- In the example below, the file name is providers.tf and the string after :: is the resource name.
- The image below shows a project whose source is a Code Repository.
In the example below, the source is a CI/CD run, in this case showing the results of a Bridgecrew Checkov scan. (See Get API Token.)
When visiting the Projects page, you will always view the results of the latest default scan, which occurs twice a day. However, you can also initiate a new scan manually at a time of your choice.
To initiate a new scan, go to the ellipsis menu at the top right corner of the Projects page and select Scan Now. The message "Starting a new scan" will pop up at the bottom left corner of the page.
If the scan was initiated successfully, the message "Scan is now in progress" will be displayed.
If you try to initiate a new scan when a previous scan is still in progress, the message "Executing new scan has failed - a scan is already in progress" will be displayed. You need to wait until the current scan is finished before initiating another scan.
To search for a specific source, or a specific source type, enter its name or part of its name. For example, if you enter "github" in the search, only GitHub repositories will be shown.
You can filter for specific errors within a Code Review source based on: category, severity, tags, status or code status.
Filter by status:
Errors - errors that have not been Fixed or Suppressed.
Suppressed - errors that have been Suppressed.
Passed - errors that have been fixed and not detected again in later runs.
The example below shows an issue that has been suppressed by the user.
The example below shows an issue that previously failed, was fixed, and passed in the most recent scan.
Filter for errors based on a specific category, such as IAM, Monitoring or Networking.
Filter for errors based on severity: critical, high, medium, low.
Filter based on tagged individual key-value pairs, if defined.
Filter based on code status, i.e., whether a fix is available for the code.
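The three status values above are derived by comparing the latest scan with the one before it: a finding that is still failing is an Error, a finding skipped by a suppression is Suppressed, and a finding that failed previously but no longer fails is Passed. The following Python is an added example (not Bridgecrew or Checkov code) that reproduces this logic from two scan reports and arranges the results the way the grid does (folder path, then file::resource). The report layout is loosely modelled on a Checkov JSON report; the field names, check IDs and severities in the sample data are constructed for this example, not real scan output.

```python
"""Reconstruct Errors / Suppressed / Passed statuses from two scan results
(previous run vs. latest run) and group them like the Code Review grid."""
import json
from collections import defaultdict
from posixpath import basename, dirname


def _finding(check_id, file_path, resource, severity, result):
    """Build one check record in the (assumed) Checkov-like report shape."""
    return {"check_id": check_id, "file_path": file_path, "resource": resource,
            "severity": severity, "check_result": {"result": result}}


# Constructed sample data, not real scan output.
PREVIOUS_RUN = json.dumps({"check_type": "terraform", "results": {
    "failed_checks": [
        _finding("CKV_AWS_18", "/terraform/storage.tf", "aws_s3_bucket.logs", "MEDIUM", "FAILED"),
        _finding("CKV_AWS_19", "/terraform/storage.tf", "aws_s3_bucket.logs", "HIGH", "FAILED"),
        _finding("CKV_AWS_21", "/terraform/storage.tf", "aws_s3_bucket.logs", "LOW", "FAILED"),
        _finding("CKV_AWS_23", "/terraform/network.tf", "aws_security_group.web", "LOW", "FAILED"),
    ],
    "passed_checks": [], "skipped_checks": []}})

LATEST_RUN = json.dumps({"check_type": "terraform", "results": {
    "failed_checks": [  # still failing -> Errors
        _finding("CKV_AWS_18", "/terraform/storage.tf", "aws_s3_bucket.logs", "MEDIUM", "FAILED"),
    ],
    "passed_checks": [  # CKV_AWS_19 was fixed -> Passed; CKV_AWS_144 never failed -> not listed
        _finding("CKV_AWS_19", "/terraform/storage.tf", "aws_s3_bucket.logs", "HIGH", "PASSED"),
        _finding("CKV_AWS_144", "/terraform/storage.tf", "aws_s3_bucket.logs", "LOW", "PASSED"),
    ],
    "skipped_checks": [  # suppressed -> Suppressed
        _finding("CKV_AWS_23", "/terraform/network.tf", "aws_security_group.web", "LOW", "SKIPPED"),
    ]}})
# CKV_AWS_21 is absent from the latest run entirely (e.g. the offending block
# was removed); it failed before, so it also counts as Passed.


def load_findings(report_json):
    """Index a report by (file_path, resource, check_id) -> {result, severity}."""
    report = json.loads(report_json)
    index = {}
    for bucket in ("failed_checks", "passed_checks", "skipped_checks"):
        for c in report["results"].get(bucket, []):
            key = (c["file_path"], c["resource"], c["check_id"])
            index[key] = {"result": c["check_result"]["result"],
                          "severity": c.get("severity", "UNKNOWN")}
    return index


def code_review_statuses(previous_json, latest_json):
    """Assign the grid's three statuses.
    Errors: failing in the latest run and not suppressed.
    Suppressed: skipped in the latest run.
    Passed: failed in the previous run but no longer failing (or gone)."""
    previous = load_findings(previous_json)
    latest = load_findings(latest_json)
    statuses = {}
    for key, rec in latest.items():
        if rec["result"] == "FAILED":
            statuses[key] = {"status": "Errors", "severity": rec["severity"]}
        elif rec["result"] == "SKIPPED":
            statuses[key] = {"status": "Suppressed", "severity": rec["severity"]}
        elif key in previous and previous[key]["result"] == "FAILED":
            statuses[key] = {"status": "Passed", "severity": rec["severity"]}
    for key, rec in previous.items():
        if rec["result"] == "FAILED" and key not in latest:
            statuses[key] = {"status": "Passed", "severity": rec["severity"]}
    return statuses


def filter_findings(statuses, status=None, severity=None):
    """Apply the grid's status and severity filters; None means no filter."""
    return {k: v for k, v in statuses.items()
            if (status is None or v["status"] == status)
            and (severity is None or v["severity"] == severity)}


def count_open(statuses):
    """Open issues in the snapshot: the Errors count shown next to a PR or run."""
    return sum(1 for v in statuses.values() if v["status"] == "Errors")


def group_by_path(statuses):
    """Arrange entries like the grid: folder -> 'file::resource' -> [(check, status)]."""
    grid = defaultdict(lambda: defaultdict(list))
    for (file_path, resource, check_id), rec in sorted(statuses.items()):
        header = f"{basename(file_path)}::{resource}"
        grid[dirname(file_path)][header].append((check_id, rec["status"]))
    return {folder: dict(entries) for folder, entries in grid.items()}


if __name__ == "__main__":
    statuses = code_review_statuses(PREVIOUS_RUN, LATEST_RUN)
    print(f"open issues: {count_open(statuses)}")
    for folder, entries in group_by_path(statuses).items():
        print(folder)
        for header, checks in entries.items():
            print(f"  {header}: {checks}")
```

Note that a check that passes in the latest run but never failed before is not listed at all, matching the page's definition of Passed as a previously detected error; and a finding that disappears from the report (because the resource was deleted) is treated as fixed, which is the conservative choice for a status view but should be reviewed if the deletion was unintended.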
As shown in the image below, you can filter within the default branch of a VCS-based source based on User.
In the case of scans from Code Repositories, you can view scans from the default branch or from Pull Requests (if enabled in Code Repository settings).
In the example below, the source is a Bitbucket repo integrated with Bridgecrew.
Select View PR Scans to see Code Reviews from Pull Requests.
To see Code Reviews for every PR (and not only the default branch), you must enable Code Reviews in the Code Repository settings.
When enabled, View PR Scans will appear.
- As shown below, when viewing PR scans, you can drop down a list of PRs or search for a specific PR.
- The name of the PR currently displayed is highlighted in bold.
- The number of errors in a PR appears next to its name.
Within a PR, you can view the latest commit, or select a commit from a list of those available.
By default, the newest commit is shown. You can navigate to older commits.
In some cases, no automated Fix is available. In these cases, the details of a manual Fix appear when you select Submit.
- Manual fixes appear only for the most recent commit of a PR.
- You can find the most recent commit by selecting View Latest.
- When you press Fix Manually, GitHub opens at the code where the Policy violation is located. After applying the fix there, press Mark as Fixed.
When viewing PRs, you can return to the default branch by selecting View .
- CI/CD scans are listed from newest to oldest, showing the Bridgecrew scan ID and the time of the scan. Suppression can be performed only on the newest scan (i.e., to suppress this error type for this resource in future runs). For older scans, you can view the error and its guidelines but cannot Suppress.
- If the CI system in use supports scans of individual branches (as opposed to only the default branch) and is configured to do so, an arrow appears that lets you navigate between branches and select a specific scan.
- If the default branch scanned is not named, the display will show "No Name".
The image below shows the full details of a single error within an IaC file.
In the example below, note:
- The number of open issues in the snapshot (i.e., in the default branch or a specific commit for VCS/Code Repository scans, and in a specific run for scans of CI/CD runs).
- In the main panel:
  - The part of the code that is non-compliant with a Bridgecrew Policy.
  - A brief summary of the relevant Policy.
  - Options to Suppress or Fix the error. Availability of the Suppress and Fix options depends on the source and status of the Code Review; see the table below in Options Available per Source and Status.
- The colored row at the bottom shows a description of the Policy and its Severity.
- The body of the file information shows the details of the code and the proposed fix.
You can Suppress any error.
- Press Suppress.
- Enter a comment.
- Press Suppress on the comment box.
This error will not be reported for this file in future scans.
An option to automatically Fix appears for most errors.
- Select FIX. The word FIX will be highlighted in a rectangle.
- Select SUBMIT. A PR will be opened in the integrated VCS/Code Repository containing the Fix for the relevant IaC file.
You can Fix and Submit one error at a time, or Fix multiple errors within a source grouping and press Submit only once.
In some cases, an option will appear to Fix Drift. See Drift Detection.
For errors found in Pull Requests (i.e., not in the default branch), when an automatic fix is not available, details for a Manual Fix appear after you select Submit.
The table below details the functions available depending on the source and status of the Code Review (Y = available, X = not available, N/A = not applicable).
|Source, Type/Status|Suppress|Fix|Search|Filter by User|View Resource Explorer Data|
|---|---|---|---|---|---|
|Code Repository - Default Branch|Y|Y|Y|Y|Y|
|Code Repository - latest commit in an open PR|Y|Y|Y|N/A|Y|
|Code Repository - latest commit in a closed PR|Y|X|X|X|Y|