Resource Explorer

Overview

Exploring misconfigurations and errors across your resources is more efficient when you have the context of the specific resource the error was found in. Bridgecrew’s Resource Explorer gives you a focused view of the resource you are currently evaluating, allowing you to:

  • Make an educated decision regarding a specific error - prioritize its fix or suppress it.
  • Understand the connections between resources in your Resource Inventory or Supply Chain graph, and decide which of their properties might put them at risk or should not exist at all.
  • Explore the history of a specific resource - when it was first scanned and modified, and which errors Bridgecrew detected, suppressed or resolved.

Access

The Resource Explorer pane is always displayed on the right side of the screen after selecting a specific resource. You can access it from the following pages:

Projects

Select an error box to display the details about the relevant resource.


Incidents

Select a resource from the resource list displayed below each detected policy.


Supply Chain

Click on a supported resource node (IaC / package / runtime / build integrity resource). The Resource Explorer tab will display general details about the resource in this node, its history, and a detailed list of all the code errors / policies / vulnerabilities found in this resource, including their total number.


Resource Inventory

Select a resource from the list.


Resource Information

The Resource Explorer pane contains the following information tabs. Note that the information available depends on the resource type:

  • Details - displayed for all resources; the listed details vary according to the resource type.
  • Errors - available for all resources
  • History - available only for runtime and IaC resources
  • Traceability - available only for runtime and IaC resources

Details

Details include the properties of the configured resource, such as package name and version (for package resources), repository, code lines, and a Provider Deep Link for opening the resource in the VCS or in the CSP console (for runtime resources).

Note: the following AWS resources and their equivalent Terraform AWS provider resources also support Network Access analysis:

  • EC2 Instance
  • ELB
  • ALB
  • RDS Cluster
  • ElastiCache Cluster
  • EMR Cluster
  • Redshift Cluster
  • Elasticsearch Domain
  • EFS Mount Target
  • ECS Service
  • EC2 Security Group
  • EC2 Security Group Rule

In addition, the following Terraform AWS provider and AWS resources support Encryption analysis:

  • Athena Database
  • Athena Workgroup
  • CloudTrail
  • CloudWatch Log Group
  • CodeBuild Project
  • CodeBuild Report Group
  • DAX Cluster
  • DocDB Cluster
  • DynamoDB Table
  • EBS Volume
  • ECR Repository
  • EFS File System
  • EKS Cluster
  • ElastiCache Replication Group
  • Elasticsearch Domain
  • Kinesis Stream
  • MSK Cluster
  • Neptune Cluster
  • RDS Cluster
  • RDS Global Cluster
  • Redshift Cluster
  • S3 Bucket
  • S3 Bucket Inventory
  • S3 Bucket Object
  • SageMaker Feature Group
  • SNS Topic
  • SQS Queue
AWS resource with Network Access analysis

AWS resource with Encryption analysis

Errors

This tab displays the policies, vulnerabilities or code errors found in a selected resource.
For open source resources, select a vulnerability from the drop-down menu to display data such as CVE ID, fix version, risk factors, and more.


You can also select a non-compliant license (if found) from the same drop-down and view its details, such as the license type and additional data.


For build integrity or IaC resources, the Errors tab displays the misconfigured code excerpt (only from the default branch).


Note

1. Automated fix suggestions are not available for errors in custom policies. For such errors, you can only select a manual fix.
2. Automated fix suggestions are only available for some out-of-the-box policies. Click See policy documentation to read the error description and the suggested fix, if available.


An out-of-the-box policy with an automated fix suggestion

History

A timeline of resource events: scans initiated, errors detected, resource modifications, etc. You can click on each historical event to expand it and view its full detail.


The following events are supported in the History display (for IaC and runtime resources only):

Event              | Event Title                                                                        | IaC Resource | Runtime Resource
Initial Scan       | When the first resource scan was conducted and which properties were detected      |              |
Resource Modified  | Which resource properties were updated and when it was detected                    |              |
Compliant          | When the policy was first detected as compliant for a single policy                |              |
Fix PR Created     | When a Pull Request for code fix was submitted (for a single policy)               |              |
Error Remediated   | When a runtime incident was remediated by Bridgecrew's playbook                    |              |
Jira Issue Created | When a Jira issue was created for a single error                                   |              |
Error Suppressed   | When a specific code error was suppressed                                          |              |
Error Detected     | When a specific code error was first detected                                      |              |
Drift Detected     | When a specific code drift was first detected                                      |              |
Error Fixed        | When a specific code error was fixed                                               |              |

Traceability

Traceability tags connect build time (IaC) and runtime resources. They allow the user to locate runtime resources that were deployed by a specific build time resource, detect drift from IaC templates, and trace the differences between cloud and code. Resource tagging can be done manually, automatically (using Yor), or by using the Bridgecrew tagging bot (via Yor). See Traceability for more information.
The Traceability tab in the Resource Explorer pane displays, for each build time resource, details of the runtime resource it deploys. Clicking the Resource link directs the user to the relevant runtime resource, and vice versa (you need to select the Traceability tab again to see the change).


Traceability information for runtime and build time resources

Resource Dependencies

For some resources, a list of dependencies is displayed under Details:

  • Depends on - names of resources that the current resource configuration refers to, and the specific property (or properties) that creates the dependency.
  • Dependants - names of resources whose configuration refers to the current resource, and the specific property (or properties) that creates the dependency.

Note

For packages, only direct dependencies are listed.


An AWS EC2 resource with a list of dependencies
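The Depends on / Dependants lists above are the two directions of one reference graph: a resource that names another resource's attribute in one of its properties depends on it, and the referenced resource gains a dependant. The following added example (not Bridgecrew's code) derives both lists, together with the property that creates each edge, from a constructed set of Terraform-style resources; only direct references are recorded, as in the note above.

```python
"""Derive 'Depends on' / 'Dependants' lists from IaC resource references."""
import re
from collections import defaultdict

# Matches Terraform-style attribute references such as aws_security_group.web.id
REF_RE = re.compile(r"\b(aws_[a-z0-9_]+)\.([a-z0-9_]+)\b")

# Constructed sample: resource address -> {property: value}
SAMPLE_RESOURCES = {
    "aws_vpc.main": {"cidr_block": "10.0.0.0/16"},
    "aws_security_group.web": {"vpc_id": "aws_vpc.main.id", "name": "web"},
    "aws_instance.web": {
        "vpc_security_group_ids": ["aws_security_group.web.id"],
        "subnet_id": "aws_subnet.public.id",
    },
    "aws_subnet.public": {"vpc_id": "aws_vpc.main.id"},
}


def _strings(value):
    """Yield every string nested inside a property value (dict/list/str)."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)
    elif isinstance(value, str):
        yield value


def build_dependency_graph(resources):
    """Return (depends_on, dependants): address -> {other address: [properties]}."""
    depends_on = {addr: defaultdict(list) for addr in resources}
    dependants = {addr: defaultdict(list) for addr in resources}
    for addr, props in resources.items():
        for prop, value in props.items():
            for text in _strings(value):
                for rtype, name in REF_RE.findall(text):
                    target = f"{rtype}.{name}"
                    if target == addr or target not in resources:
                        continue  # ignore self-references and unknown resources
                    depends_on[addr][target].append(prop)   # forward edge
                    dependants[target][addr].append(prop)   # inverse edge
    return ({a: dict(d) for a, d in depends_on.items()},
            {a: dict(d) for a, d in dependants.items()})


if __name__ == "__main__":
    forward, inverse = build_dependency_graph(SAMPLE_RESOURCES)
    print("aws_instance.web depends on:", forward["aws_instance.web"])
    print("aws_vpc.main dependants:", inverse["aws_vpc.main"])
```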