Repository Scan Reports

Repository scan reports give detailed insight into how well the configuration files in each scanned repository comply with the selected policies.

Onboarding Repositories

Onboarding a repository registers a repository containing configuration files for scanning, so that its scan reports can be viewed in the Nirmata Policy Manager. Repositories hosted on GitHub, GitLab, and Bitbucket can be scanned.

To onboard a repository with Nirmata:

  1. Go to Menu>Repositories. The Repositories page lists the scanned repositories, showing each repository's name, its last scan status, the branches available within it, its type, and the number of files it contains.


  2. Click on the Adding Repositories with nctl button in the top right corner of the screen. The repository onboarding page is displayed. This workflow requires nctl; refer to the documentation for installation.
  3. The repository onboarding page requires the repository details. Enter the URL of the repository to be scanned under Repository URL and any labels under Labels. Labels are optional but, if provided, must be entered as key-value pairs. Click the + button to add multiple labels.
  4. After entering the repository details, scroll down and click on the Scan Repos with Compliance Standards button to proceed to the next step.


  5. Select the Nirmata curated policies with which the repository needs to be scanned by clicking on the toggle switch beside each one. The policies are grouped under Kubernetes, Docker, and Terraform. Click on each group to see the individual policy profiles and select the ones you need.
  6. The repository can also be scanned with your own set of policies, if you have any. In that case, enter the URL of the policy file or directory beside Policy file or directory.


  7. After selecting the policies for scanning, click on the Repo Scan Commands button to proceed to the final step.
  8. The final step shows the nctl commands required to scan the repository, based on your selection. Copy and run the commands in a shell/terminal to perform the repository scan and publish the reports to NPM.


Note: When using the nctl login command, if the token is not auto-generated, visit the profile page and click on the Generate API Key button to generate the token.

  9. After the commands have run successfully, click on the Done button to complete the onboarding process. The onboarded repository now appears in the list of scanned repositories.

Publishing Repository Scan Results to NPM

Admin User

Login to the NPM tenant with the user’s API Key.

nctl login --url https://nirmata.io --userid admin@acme.corp --token <admin-api-key>

Clone the repository locally.

git clone https://github.com/nirmata/nctl-shift-left

Run the repository scan command.

nctl scan repository ./nctl-shift-left --policy-sets pss-baseline

DevOps User

Login to the NPM tenant with the user’s API Key.

nctl login --url https://nirmata.io --userid user@acme.corp --token <user-api-key>

Clone the repository locally.

git clone https://github.com/nirmata/nctl-shift-left

NOTE: A DevOps user can publish scan reports to NPM only if they belong to a team that has permission to publish scan results. Contact an Admin user to have this permission granted.

Run the repository scan command, supplying the team's publish token.

nctl scan repository ./nctl-shift-left --policy-sets pss-baseline --publish-token <team-repo-publish-key>

NOTE: All users belonging to the team will be able to view the repository scan results.
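As an added example (not Nirmata's own script), a small POSIX shell wrapper for the login, clone and scan steps above, suitable for a CI job. It uses only the nctl flags shown on this page; the environment variable names (NCTL_USERID, NCTL_API_KEY, NCTL_PUBLISH_KEY, NPM_URL, REPO_URL, POLICY_SETS, RUN_NCTL_SCAN) are assumptions, chosen so that the API key and team publish key never appear in the repository, in shell history, or in CI logs.

```shell
#!/bin/sh
# Hypothetical CI wrapper around the nctl workflow on this page (added example,
# not Nirmata's own script). It uses only the nctl flags shown above; the
# environment variable names are assumptions. Secrets (the API key and the
# team publish key) are read from the environment, never from the repository.
NPM_URL="${NPM_URL:-https://nirmata.io}"
REPO_URL="${REPO_URL:-https://github.com/nirmata/nctl-shift-left}"
POLICY_SETS="${POLICY_SETS:-pss-baseline}"

# Fail early, naming only the variable, when a required secret is missing.
require_var() {
    eval "val=\${$1:-}"
    [ -n "$val" ] || { echo "error: $1 is not set" >&2; return 1; }
}

# Render the scan command for logging. A DevOps user needs the team's
# --publish-token; its value is redacted so CI logs never contain the key.
build_scan_cmd() {
    cmd="nctl scan repository $1 --policy-sets $POLICY_SETS"
    if [ -n "${NCTL_PUBLISH_KEY:-}" ]; then
        cmd="$cmd --publish-token <redacted>"
    fi
    printf '%s\n' "$cmd"
}

# Login, clone and scan. The real key is passed as a quoted argument, so it
# is never word-split or echoed; a failing scan fails the pipeline stage.
run_scan() {
    require_var NCTL_USERID
    require_var NCTL_API_KEY
    nctl login --url "$NPM_URL" --userid "$NCTL_USERID" --token "$NCTL_API_KEY"
    dir="$(basename "$REPO_URL" .git)"
    [ -d "$dir" ] || git clone "$REPO_URL" "$dir"
    echo "running: $(build_scan_cmd "./$dir")"
    if [ -n "${NCTL_PUBLISH_KEY:-}" ]; then
        nctl scan repository "./$dir" --policy-sets "$POLICY_SETS" \
            --publish-token "$NCTL_PUBLISH_KEY"
    else
        nctl scan repository "./$dir" --policy-sets "$POLICY_SETS"
    fi
}

# Run the workflow only when explicitly requested, so the file can be sourced
# for its functions without touching the network.
if [ "${RUN_NCTL_SCAN:-0}" = "1" ]; then
    run_scan
fi
```

Set RUN_NCTL_SCAN=1 together with the user and key variables to run the workflow; without it the script only defines the functions.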

The scan reports are generated once the results from the GitHub scan action have been pushed to NPM.

Viewing Repository Scan Reports in NPM

To view the scan reports:

  1. Go to Policies>Policy Reports. The Policy Reports can be viewed by Categories, Clusters, Namespaces, and Repositories.
  2. Click on the Repositories tab to get a list of the available repositories. Each repository is listed with its type, the number of files it contains, the grade obtained, and its status as counts of Failed, Warning, Passed, Error, and Skipped.


  3. Click on any of the repositories to view the list of findings under the Findings tab. Each finding is displayed with its Impact (File Types and # Files) and Status (% Pass or Fail). The page also shows the repository status with the overall grade, % Pass, and Fail.
  4. To view the findings on the repository's other branches, change the branch by clicking on the All Branches tab at the top of the screen. Filter the violations by severity by clicking on the Severity tab beside the search bar. Click on the Filter File Type tab to filter by the type of file with which the violation is associated.


  5. Click on any of the findings to view its details. The details contain violation and policy information such as the policy name, rule name, severity of the violation, and other metadata. The page also lists the impacted files associated with the violation, their branch name, and status.


  6. Go back to the previous page and click on the Files tab to view the list of impacted files. Each file is listed with its Status (Failed, Warning, Passed, Error, or Skipped) and the number of violations that affect it. The files can be viewed per branch of the repository and can be filtered by file type and status.
