Resource Explorer
Overview
Exploring misconfigurations and errors across your resources is more efficient when you have the context of the specific resource the error was found in. Bridgecrew’s Resource Explorer gives you a focused view of the resource you are currently evaluating, allowing you to:
- Make an educated decision regarding a specific error - prioritize its fix or suppress it.
- Understand the connections between resources in your Resource Inventory or Supply Chain graph, and decide which of their properties might put them at risk or should not exist at all.
- Explore the history of a specific resource - when it was first scanned and modified, and which errors Bridgecrew detected, suppressed or resolved.
Access
The Resource Explorer pane is always displayed on the right side of the screen after selecting a specific resource. You can access it from the following pages:
- Projects
- Incidents
- Supply Chain
- Resource Inventory
See below how to access Resource Explorer from each page.
Projects
Select an error box to display the details about the relevant resource.
Incidents
Select a resource from the resource list displayed below each detected policy.
Supply Chain
Click on a supported resource node (IaC / package / runtime / build integrity resource). The Resource Explorer tab will display general details about the resource in this node, its history, and a detailed list of all the code errors / policies / vulnerabilities found in this resource, including their total number.
Resource Inventory
Select a resource from the list.
Resource Information
The Resource Explorer pane contains the following information tabs. Note that the information available depends on the resource type:
- Details - displayed for all resources, the listed details vary according to the resource type.
- Errors - available only for all resources
- History - available only for runtime and IaC resources
- Traceablility - available only for runtime and IaC resources
Details
Detailes include the properties of the configured resource, such as package name and version (for package resources), repository, code lines, Provider Deep Link for opening the resource via VCS or in CSP (for runtime resources), etc.
Note: the following AWS resources and their equivalent Terraform AWS provider resources also support Nework Access anslysis:
- EC2 Instance
- ELB
- ALB
- RDS Cluster
- ElasticCache Cluster
- EMR Cluster
- Redshift Cluster
- ElasticSearch Domain
- EFS Mount Target
- ECS Service
- EC2 Security Group
- EC2 Security Group Rule
In addition, the following Terraform AWS provider and AWS resources support Encryption analysis: - Athena Database
- Athena Workgroup
- CloudTrail
- CloudWatch Log Group
- CodeBuild Project
- CodeBuild Report Group
- DAX Cluster
- DocDB Cluster
- DynamoDB table
- EBS Volume
- ECR Repository
- EFS File System
- EKS Cluster
- Elasticache Replication Group
- ElasticSearch Domain
- AWS Kinesis Stream
- MSK Cluster
- Neptune Cluster
- RDS Cluster
- RDS Global Cluster
- Redshift Cluster
- S3 Bucket
- S3 Bucket Inventory
- S3 Bucket Object
- SageMaker Feature Group
- SNS Topic
- SQS Queue
AWS resource with Network Access analysis
AWS resource with Encryption analysis
Errors
This tab displays the policies, vulnerabilities or code errors found in a selected resource.
For open source resources, select a vulnerability from the drop-down menu to display data such as CVE ID, fix version, risk factors, and more.
You can also select a non-compliant license (if found) from the same drop-down and view its details, such as the license type and additional data.
For build integrity or IaC resources, the Errors tab displays the misconfigured code excerpt (only from the default branch).
Note
1, Automated fix suggestions are not available for errors in custom policies. For such errors, you can only select a manual fix.
- Automated fix suggestions are only available for some out-of-the-box policies. Click See policy documentation to read the error description and the suggested fix, if available.
An out-of-the-box policy with an automated fix suggestion
History
A timeline of resource events: scans initiated, errors detected, resource modifications, etc. You can click on each historical event to expand it and view its full detail.
The following events are supported in the History display (for IaC and runtime resources only):
| Event | Event Title | IaC Resource | Runtime Resource |
|---|---|---|---|
| Initial Scan | When the first resource scan was conducted and which properties were detected | ✔ | ✔ |
| Resource Modified | Which resource properties were updated and when it was detected | ✔ | ✔ |
| Compliant | When the policy was first detected as compliant for a single policy | ✔ | ✔ |
| Fix PR Created | When a Pull Request for code fix was submitted (for a single policy) | ✔ | ❌ |
| Error Remediated | When a runtime incident was remediated by Bridgecrew’s playbook | ❌ | ✔ |
| Jira Issue Created | When a Jira issue was created for a single error | ✔ | ✔ |
| Error Suppressed | When a specific code error was suppressed | ✔ | ✔ |
| Error Detected | When a specific code error was first detected | ✔ | ✔ |
| Drift Detected | When a specific code drift was first detected | ✔ | ✔ |
| Error Fixed | When a specific code error was fixed | ✔ | ❌ |
Traceability
Traceability tags connects build time (IaC) and runtime resources. They allow the user to locate run time resources that were deployed by a specific build time resource, detect drifts from IaC templates and trace the differences between cloud and code. Resource tagging can be done manually, automatically (using Yor), or by using the Bridgecrew tagging bot (Via Yor). See the Traceability for more information.
The Traceability tab in the Resource Explorer pane displays for each build time resource details of the runtime resource it deploys. Clicking the Resource link directs the user to the relevant runtime resource, and vice-versa (You need to select the Traceability tab again to see the change).
Traceability information for runtime and build time resources
Resource Dependencies
For some resources, a list of dependencies is displayed under Details:
- Depends on - names of resources that the current resource configuration refers to and the specific property (or properties) that creates the dependency.
- Dependants - names of resources that their configuration refers to the current resource and the specific property (or properties) that creates the dependency.
Note
For packages, only direct dependencies are listed.
An AWS EC2 resource with a list of dependencies
Updated 7 months ago