Overview

When Bridgecrew is connected to Version Control Systems and CI/CD platforms, every scan generates a fully contextualized Code Review scan result.
The section of the code that caused the error is highlighted and metadata (such as Run time and ID) is displayed. Depending on the type of scan (VCS scan or CI/CD run) and the status of a PR (latest or older commit; PR open or closed), you will be able to perform functions such as Suppress, Fix, Search for a specific Run or view Resource Explorer data.


Code Review Grid

In addition to the methods available on the Projects page for browsing and locating Code Reviews, you can also see a structured table of Code Reviews here. The Code Review grid includes errors found (1) during scans of Pull Requests and (2) during CI/CD system runs.
Errors from these sources are also shown on the Projects screen, which in addition includes errors found during scans of a repository's default branch. (Default branch scans are not included in the Code Review grid.)

Click on 🚀 to navigate to the Projects page

Navigate the Projects Page

Overview

You can locate a specific Code Review by browsing, searching or filtering.

Browse Source List

The dropdown list at the top of the Projects page includes all Code Review sources: VCS/Code Repositories and CI/CD runs.

  • The icon in the dropdown list at the top of the Projects page indicates the type of scan.
  • Code Reviews from repositories are grouped by the path of a folder.
  • Each entry within a path is for an error found in a specific resource within a specific file, as indicated in the entry's header.
  • In the example below, the file name is providers.tf and the string after :: is the resource name.

Code Review Source List

  • The image below shows a project whose source is a Code Repository.

VCS-based Code Reviews

In the example below, the source is a CI/CD run, in this case showing the results of a Bridgecrew Checkov scan. (See Get API Token.)

Search for a Code Review Source

To search for a specific source, or a specific source type, enter its name or part of its name. For example, if you enter "github" in the search, only Github repositories will be shown.

Filter Errors within a Code Review Source

You can filter for specific errors within a Code Review source based on: category, severity, tags, status or code status.

Status

Filter by status:
  • Errors - errors that have not been Fixed or Suppressed.
  • Suppressed - errors that have been Suppressed.
  • Passed - errors that have been fixed and not detected again in later runs.

The example below shows an issue that has been suppressed by the user.

An error that has been Suppressed

The example below shows an issue that previously failed, was then fixed, and passed in the most recent scan.

An error that was detected previously for this resource, fixed and not found in the current run

Category

Filter for errors based on a specific category, such as IAM, Monitoring or Networking.

Severity

Filter for errors based on severity: critical, high, medium, low.

Tags

Filter based on tagged individual key-value pairs, if defined.

Code Status

Filter based on which code has fixes.

Filter by User

As shown in the image below, you can filter within the default branch of a VCS-based source based on User.

View Scan from Pull Requests

Introduction

In the case of scans from Code Repositories, you can view scans from the default branch or from Pull Requests (if enabled in Code Repository settings).
In the example below, the source is a Bitbucket repo integrated with Bridgecrew.
Select View PR Scans to see Code Reviews from Pull Requests.

Note

To see Code Reviews for every PR (and not only the default branch), you must enable Code Reviews in the Code Repository settings.
When enabled, View PR Scans will appear.

Enable "Code Reviews" for scans of Pull Requests and CI/CD runs

Navigate to a Specific PR

  • As shown below, when viewing PR scans, you can drop down a list of PRs or search for a specific PR.
  • The name of the PR currently displayed is highlighted in bold.
  • The number of errors in a PR appears next to its name.
Browse or Search PRs

Select a Commit or View Latest

Within a PR, you can view the latest commit, or select a commit from a list of those available.
By default, the newest commit is shown. You can navigate to older commits.

Choose a Specific Commit or View Latest

Manual Fix for Commit

In some cases, no automated Fix is available. In these cases, the details of a manual Fix will appear upon selecting Submit.

  • Manual fixes appear only for the most recent Commit of a PR.
  • You can find the most recent Commit by selecting View Latest.
  • When you press Fix Manually, Github opens to the code where the Policy violation is located.
  • After applying the manual fix, press Mark as Fixed.

Return to Default Branch

When viewing PRs, you can return to the default branch by selecting View.

View Scan from CI/CD System Run

  • CI/CD scans are listed from newest to oldest, showing the Bridgecrew scan ID and the time of the scan. Suppression can be performed only on the newest scan (i.e., to suppress this error type for this resource in future runs). For older scans, you can view the error and its guidelines but cannot Suppress.
  • If the specific CI system in use supports scans of individual branches (as opposed to only the default branch) and is configured to do so, you can navigate between branches by pressing the arrow that appears, then selecting a specific scan.
  • If the scanned default branch is not named, the display will show "No Name".

Understanding the Code Review

Introduction

The image below shows the full details of a single error within an IaC file.

In the example below, note:

Right side:

  • The number of open issues in the snapshot (i.e., in a default branch or specific commit for VCS/Code Repository scans, and in a specific run for scans of CI/CD runs).
  • Resource metadata
  • Resource history

In the main panel:

  • The part of the code that caused the code to be non-compliant with a Bridgecrew Policy.
  • Brief summary of the relevant Policy.
  • Options to Suppress or Fix the error.

Note

Availability of the options to Suppress and Fix depends on the source and status of the Code Review. See the table below in Options Available per Source and Status.

File Details

Policy and Severity

The colored row at the bottom shows a description of the Policy and its Severity.

Code Details and Proposed Fix

The body of the file information shows the details of the code and the proposed fix.

Suppress Error

Suppress or Fix an Error

You can Suppress any error.

  1. Press Suppress.
  2. Enter a comment.
  3. Press Suppress on the comment box.

Suppress

This error will not be reported for this file in future scans.

Fix Error

An option to automatically Fix appears for most errors.

  1. Select FIX. The word FIX will be highlighted in a rectangle.
  2. Select SUBMIT. A PR will be opened in the integrated VCS/Code Repository containing the Fix for the relevant IaC file.

You can Fix and Submit one error at a time, or Fix multiple errors within a source grouping and press Submit only one time.

Fix Drift

In some cases, an option will appear to Fix Drift. See Drift Detection.

Manual Fix

For errors found in Pull Requests (i.e., not in the default branch), in cases when an automatic fix is not available, details will appear for a Manual Fix after you select Submit.

Options Available per Source and Status

The table below details the functions available depending on the source and status of the Code Review.

| Source, Type/Status                               | Suppress | Fix | Search | Filter by User | View Resource Explorer Data |
|---------------------------------------------------|----------|-----|--------|----------------|-----------------------------|
| Code Repository - Default Branch                  | Y        | Y   | Y      | Y              | Y                           |
| Code Repository - latest commit in an open PR     | Y        | Y   | Y      | N/A            | Y                           |
| Code Repository - latest commit in closed PR      | Y        | X   | X      | X              | Y                           |
| CI/CD Run                                         | Y        | X   | X      | X              | X                           |
