Overview

When Bridgecrew is connected to Version Control Systems and CI/CD platforms, every scan generates a fully contextualized Code Review scan result.
The section of the code which resulted in the error is highlighted, and metadata (such as run time and ID) is displayed. Depending on the type of scan (VCS scan or CI/CD run) and the status of a PR (latest commit/not latest commit, PR open/PR closed), you will be able to perform functions such as Suppress, Fix, Search for a specific Run, or view Resource Explorer data.

📘 Code Review Grid

In addition to the methods available on the Projects page for browsing and locating Code Reviews, you can also see a structured table of Code Reviews here. The Code Review grid includes errors found (1) during scans of Pull Requests and (2) during CI/CD system runs.
Errors from these sources are also shown on the Projects screen. In addition, the Projects screen also includes errors found during scans of a repository's default branch.
(Default branch scans are not included in the Code Review grid.)

Click 🚀 to open the Projects page.

Navigate the Projects Page

Overview

You can locate a specific Code Review by browsing, searching or filtering.

Browse Source List

The dropdown list at the top of the Projects page includes all Code Review sources: VCS/Code Repositories and CI/CD runs.

  • The icon in the dropdown list at the top of the Projects page indicates the type of scan.
  • Code Reviews from repositories are grouped by the path of a folder.
  • Each entry within a path is for an error found in a specific resource within a specific file, as indicated in the entry's header.
  • In the example below, the file name is providers.tf and the string after :: is the resource name.

Code Review Source List

  • The image below shows a project whose source is a Code Repository project.

VCS-based Code Reviews

In the example below, the source is a CI/CD run, in this case showing the results of a Bridgecrew Checkov scan. (See Get API Token.)

Initiate Manual Scan

When visiting the Projects page, you will always view the results of the latest default scan, which occurs twice a day. However, you can also initiate a new scan manually at a time of your choice.
To initiate a new scan, go to the ellipsis menu at the top right corner of the Projects page and select Scan Now. The message "Starting a new scan" will pop up at the bottom left corner of the page.

If the scan was initiated successfully, the message "Scan is now in progress" will be displayed.

If you try to initiate a new scan when a previous scan is still in progress, the message "Executing new scan has failed - a scan is already in progress" will be displayed. You need to wait until the current scan is finished before initiating another scan.

Search for a Code Review Source

To search for a specific source, or a specific source type, enter its name or part of its name. For example, if you enter "github" in the search, only Github repositories will be shown.

Filter Errors within a Code Review Source

You can filter for specific errors within a Code Review source based on: category, severity, tags, status or code status.

Status

Filter by status:

  • Errors - errors that have not been Fixed or Suppressed.
  • Suppressed - errors that have been Suppressed.
  • Passed - errors that have been fixed and not detected again in later runs.

The example below shows an issue that has been suppressed by the user.

An error that has been Suppressed

The example below shows an issue that previously failed, was fixed, and passed in the most recent scan.

An error that was detected previously for this resource, fixed and not found in the current run

Category

Filter for errors based on a specific category, such as IAM, Monitoring or Networking.

Severity

Filter for errors based on severity: critical, high, medium, low.

Tags

Filter based on tagged individual key-value pairs, if defined.

Code Status

Filter based on whether the code has fixes.

Filter by User

As shown in the image below, you can filter within the default branch of a VCS-based source based on User.

View Scan from Pull Requests

Introduction

In the case of scans from Code Repositories, you can view scans from the default branch or from Pull Requests (if enabled in Code Repository settings).
In the example below, the source is a Bitbucket repo integrated with Bridgecrew.
Select View PR Scans to see Code Reviews from Pull Requests.

📘 Note

To see Code Reviews for every PR (and not only the default branch), you must enable Code Reviews in the Code Repository settings.
When enabled, View PR Scans will appear.

Enable "Code Reviews" for scans of Pull Requests and CI/CD runs

Navigate to a Specific PR

  • As shown below, when viewing PR scans, you can drop down a list of PRs or search for a specific PR.
  • The name of the PR currently displayed is highlighted in bold.
  • The number of errors in a PR appears next to its name.

Browse or Search PRs

Select a Commit or View Latest

Within a PR, you can view the latest commit, or select a commit from a list of those available.
By default, the newest commit is shown. You can navigate to older commits.

Choose a Specific Commit or View Latest

Manual Fix for Commit

In some cases, no automated Fix is available. In these cases, the details of a manual Fix will appear upon selecting Submit.

  • Manual fixes appear only for the most recent Commit of a PR.
  • You can find the most recent Commit by selecting View Latest.
  • When you press Fix Manually, Github opens to the code where the Policy violation is located. After applying the manual fix, press Mark as Fixed.

Return to Default Branch

When viewing PRs, you can return to the default branch by selecting View.

View Scan from CI/CD System Run

  • CI/CD scans are listed from newest to oldest, showing the Bridgecrew scan ID and the timing of the scan. Suppression can be performed only on the newest scan (i.e., to suppress this error type for this resource in future runs). For older scans, you can view the error and its guidelines but cannot Suppress.
  • If the CI system in use supports scans of branches other than the default branch, and is configured to do so, an arrow appears that lets you navigate between branches and select a specific scan.
  • If the scanned default branch is not named, the display will show "No Name".

Understanding the Code Review

Introduction

The image below shows the full details of a single error within an IaC file.

In the example below, note:

Right side:

  • The number of open issues in the snapshot (i.e., in a default branch or specific commit for VCS/Code Repository scans, and a specific run for scans of CI/CD runs).
  • Resource metadata
  • Resource history

In the main panel:

  • The part of the code that caused the code to be non-compliant with a Bridgecrew Policy.
  • Brief summary of the relevant Policy.
  • Options to Suppress or Fix the error.

📘 Note

Availability of the options to Suppress and Fix depends on the source and status of the Code Review. See the table below in Options Available per Source and Status.

File Details

Policy and Severity

The colored row at the bottom shows a description of the Policy and its Severity.

Code Details and Proposed Fix

The body of the file information shows the details of the code and the proposed fix.

Suppress Error

Suppress or Fix an Error

You can Suppress any error.

  1. Press Suppress.
  2. Enter a comment.
  3. Press Suppress on the comment box.

Suppress

This error will not be reported for this file in future scans.

Fix Error

An option to automatically Fix appears for most errors.

  1. Select FIX. The word FIX will be highlighted in a rectangle.
  2. Select SUBMIT. A PR will be opened in the integrated VCS/Code Repository containing the Fix for the relevant IaC file.

You can Fix and Submit one error at a time, or Fix multiple errors within a source grouping and press Submit only one time.

Fix Drift

In some cases, an option will appear to Fix Drift. See Drift Detection.

Manual Fix

For errors found in Pull Requests (i.e., not in the default branch), in cases when an automatic fix is not available, details will appear for a Manual Fix after you select Submit.

Options Available per Source and Status

The table below details the functions available depending on the source and status of the Code Review.

| Source, Type/Status                              | Suppress | Fix | Search | Filter by User | View Resource Explorer Data |
|--------------------------------------------------|----------|-----|--------|----------------|-----------------------------|
| Code Repository - Default Branch                 | Y        | Y   | Y      | Y              | Y                           |
| Code Repository - latest commit in an open PR    | Y        | Y   | Y      | N/A            | Y                           |
| Code Repository - latest commit in closed PR     | Y        | X   | X      | X              | Y                           |
| CI/CD Run                                        | Y        | X   | X      | X              | X                           |