Scan Lab Overview
Scan Lab, accessible via App Central, allows you to view Scan Results. You also can resolve or justify Common Vulnerabilities and Exposures (CVEs), address Anchore compliance results, and access the Security team's responses to proposed resolutions.
This guide will walk you through navigation and operation of Scan Lab.
Navigating to Scan Lab
In App Central, you will see a table titled Components that lists all of your containers. To reach Scan Lab, you must select the number under the Vulnerabilities column.
Scan Lab displays a collection of all vulnerabilities detected by our scanning software. Each component of your application has a corresponding Scan Lab with scan results.
Scan Lab displays the following three buckets:

| Bucket | Description |
|---|---|
| Justifications | This list contains the vulnerabilities you addressed, and how you addressed them. A justification is your explanation of how you mitigated the vulnerability. |
| Remediations | This list contains vulnerabilities that you mitigated by removing or upgrading the package or library triggering each vulnerability. |
Remediations and Justifications are deemed Resolutions, as they provide insight into how you mitigate vulnerabilities.
Common Vulnerabilities and Exposures
CVE scan results produce Low, Medium, High, and Critical severity levels. Each vulnerability is assigned one of these severities during the scanning process.
FAQ: When can I expect scan results for my app?
Once you are granted access to your Harbor Repository, you can push your containerized images. Our pipelines will automatically run these images through our security scanning tools and populate Scan Lab with the results. The scanning time varies by the image. If scan results fail to populate after you have pushed your image, inform our team by submitting a Support Ticket.
Scan results are organized as line items, each providing the severity level, the due date, the CVE identifier, and the package the CVE was detected in. Each line item also indicates whether the vulnerability is unresolved (exclamation mark), resolved, or new.
CVE due dates and New status
CVE due dates will not come into play until after your app has been deployed to production. We continually scan apps deployed to Game Warden's production environments and sometimes new vulnerabilities are surfaced, hence the New tag that may appear on Scan Lab line items. For more information on the timelines involved with these due dates, see the Acceptance Baseline Criteria.
Selecting the checkbox for a line item opens a window to the right of the scan results. This window gives details on the vulnerability along with a link to see more information about that CVE. This window also provides a drop-down menu to select a resolution. Selecting the information bubble above the drop-down menu provides amplifying information on which resolution to select.
Once you have made your selection, you will be prompted to write a comment for elaboration. When finished, click the SUBMIT CHANGES button to save your progress. Once you save your update, the vulnerability line item you reviewed moves to the Remediations or Justifications list, depending on your decision.
You can select more than one CVE at a time to bulk submit resolutions.
To submit your resolutions to the Game Warden team, click the ASK FOR SECURITY REVIEW button. Our Security team can approve or deny your decision. You DO NOT need to wait to resolve all your security findings at once - they may be submitted individually, in groups, or all together as you work your way through the list.
View our Common Vulnerabilities and Exposures Frequently Asked Questions for additional helpful information.
Anchore Compliance Results
Anchore compliance results reveal Department of Defense (DoD) compliance issues within an application. Anchore compliance results are based on the National Institute of Standards and Technology (NIST) 800-53 compliance policies that are required for the DoD. You must remediate or justify these findings as you would remediate or justify standard CVEs. The compliance result severity types are as follows:
- Go – Okay to Proceed, similar to a Low vulnerability.
- Warn – Issue a warning, similar to a Medium vulnerability.
- Stop – Critical error that should stop the deployment by failing the policy evaluation, similar to a High vulnerability.