Vulnerabilities View

The Vulnerabilities View (or Application Summary View) provides you with a visual way to review the vulnerabilities identified by ShiftLeft on a per-application basis.

Viewing the Vulnerabilities Present in a Specific Application

The ShiftLeft UI allows you to view vulnerabilities on a per-application basis. From the list of applications associated with your account, select one to be taken to its Vulnerabilities view. By default, ShiftLeft will show you an overview of the most recent scan.

Vulnerabilities

For each application, ShiftLeft displays high-level information, including:

A visual Version History that shows the breakdown of vulnerability types present in the last ten versions of the application you submitted to ShiftLeft, along with numeric breakdowns of how many vulnerabilities were found and of which types.

You'll also see a comparison of the number of vulnerabilities found in the current version as compared to the number that was found in the previous version (if applicable).

Vulnerability Summary

You can click on the Critical, Moderate, or Info boxes to see a list of vulnerabilities of that severity in the most recent version of your application. You can also use the Vulnerabilities and Secrets icons to access lists of your vulnerabilities.

Scan Details

By clicking on Scan Details, you can see descriptive information about your scan that is especially helpful for issue resolution, including:

  • The version ID of the scan
  • The binary size of the application (or, for select languages like JavaScript, the number of files and number of lines of code)
  • The access token used to initiate the scan
  • The specific sl analyze invocation used to initiate the scan

[Screenshot: Vulnerability Summary]

Displaying Results by Version or Branch Tag

To the right of the Application Name are drop-down menus that say All Branches or the version ID. If you have submitted multiple versions of your application, including those you've tagged with branch names, you can use these toggles to view version/branch-specific information.

Viewing Detailed Vulnerability Information

Once you've identified a vulnerability of interest, you can get additional information by clicking on it. This gives you information about:

  • Where in the code the vulnerability may be found
  • Any relevant data flows
  • A description of the issue, as well as links to additional helpful information
  • Suggestions for countering the vulnerability
  • Status history

[Screenshot: Detailed Vulnerability Info]

You can get a URL that links to this issue by clicking on the Link icon located to the top-right of the Vulnerability Info panel.

Acting on Vulnerabilities

ShiftLeft allows you to act on identified vulnerabilities. You can:

  • Click on the User icon to assign the vulnerability to a specific user for follow-up
  • Mark the vulnerability as Fixed
  • Indicate that ShiftLeft should Ignore the vulnerability

Focused View

You can click the Pop-Out button located to the top-right of the Vulnerability Info panel to bring all of this information into a focused view.

[Screenshot: Vulnerability Pop-Out View]

Note that the URL displayed in the pop-out is unique to this vulnerability for this application, so you can use it to refer to this specific instance (e.g., for a referral to a colleague, to link to the issue in a project management suite, etc.).

Trends in Findings

The ShiftLeft Dashboard includes a section called Findings Trends that allows you to compare the findings from one scan of your application against another. With this information, you can identify trends such as an increase in new issues or regressions (the reintroduction of issues that had previously been fixed).

By default, ShiftLeft shows you the most recent scan, but you can change this to the version you want to see:

To view the trends in findings, choose the earlier scan version against which ShiftLeft should compare the displayed version. By default, ShiftLeft will compare the scan you're viewing against the scan that occurred immediately prior.

ShiftLeft displays five pieces of information in the Findings Trends section:

Category: Description
Total Findings: The total number of findings present in your more recent scan
New: The number of findings introduced in your more recent scan that were not present in the earlier scan
Common: The number of findings that are common to both scans
Regressions: The number of findings identified in an earlier scan that are not present in the previous scan but have been reintroduced in the current scan
Fixed: The number of findings that have been fixed between the previous and the current scans

In addition to seeing the number of findings in each category, you can click on the box of your choice to see a full list of relevant findings (e.g., click on the Common box to see a full list of common findings between the scans).
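To make the five categories concrete, the following added example (not ShiftLeft's code) recomputes Findings Trends counts from a scan history. It assumes each finding can be identified by a stable string key (constructed here as "<category>@<file>:<line>"; how the product actually matches findings across scans is an assumption) and interprets the table above so that a finding absent from the comparison scan is a Regression when it appeared in some still-older scan and New otherwise, which keeps the five counts from overlapping. The sample history is constructed for the example.

```python
"""Recompute Findings Trends counts from an ordered history of scans.

Added example, not ShiftLeft's own code. Finding identity (the string key)
and the New-versus-Regression split are assumptions explained in the text.
"""
from __future__ import annotations

from typing import Sequence


def finding_key(category: str, path: str, line: int) -> str:
    """Build the assumed identity key for a finding, e.g. 'sqli@app.py:42'."""
    return f"{category}@{path}:{line}"


def finding_trend_sets(
    history: Sequence[set[str]], baseline: int | None = None
) -> dict[str, set[str]]:
    """Return the finding sets behind each Findings Trends box.

    history  -- finding-key sets ordered oldest to newest; the last entry is
                the scan currently being viewed.
    baseline -- index of the earlier scan to compare against. Defaults to the
                scan immediately before the newest one, matching the UI default.
    """
    if len(history) < 2:
        raise ValueError("need at least two scans to compute trends")
    if baseline is None:
        baseline = len(history) - 2
    if not 0 <= baseline < len(history) - 1:
        raise ValueError("baseline must index a scan older than the newest")

    current = history[-1]
    earlier = history[baseline]

    # Everything seen in any scan older than the baseline. A finding that is
    # back in `current`, missing from `earlier`, but present here is a
    # regression; one never seen before is genuinely new.
    seen_before_baseline: set[str] = set().union(*history[:baseline])

    reappeared = current - earlier
    return {
        "total": set(current),
        "new": reappeared - seen_before_baseline,
        "common": current & earlier,
        "regressions": reappeared & seen_before_baseline,
        "fixed": earlier - current,
    }


def finding_trends(
    history: Sequence[set[str]], baseline: int | None = None
) -> dict[str, int]:
    """The five numbers shown in the Findings Trends boxes."""
    return {name: len(keys) for name, keys in finding_trend_sets(history, baseline).items()}


# Constructed sample history: three submitted versions of one application.
A = finding_key("sqli", "app/db.py", 42)
B = finding_key("xss", "app/views.py", 17)
C = finding_key("path-traversal", "app/files.py", 88)
D = finding_key("hardcoded-secret", "app/config.py", 3)

SAMPLE_HISTORY: list[set[str]] = [
    {A, B, C},      # v1
    {A, B},         # v2: C fixed
    {A, C, D},      # v3: B fixed, C reintroduced, D introduced
]


if __name__ == "__main__":
    # Default comparison: v3 against v2.
    for name, count in finding_trends(SAMPLE_HISTORY).items():
        print(f"{name:12} {count}")
    # Same view with v1 chosen as the baseline from the drop-down.
    print(finding_trends(SAMPLE_HISTORY, baseline=0))
```

With the default baseline the sample yields total 3, new 1 (D), common 1 (A), regressions 1 (C, fixed in v2 and back in v3) and fixed 1 (B); choosing v1 as the baseline instead makes C common and leaves no regressions, because nothing older than v1 exists to have "seen" C.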

Secrets and Insights

If ShiftLeft detects the presence of Secrets or Insights in your application, it will show the following alerts:

[Screenshot: Secrets and Insights]

Clicking the boxes will display in-depth information for the Secrets and Insights identified.

[Screenshot: Secrets]

You can click on the individual line items to get additional detail into the issue found.

[Screenshot: Insights]

Comments and Status History

When viewing individual vulnerabilities, Insights, or Secrets, you'll see Comments & Status History near the top-left of the detail page. Click to:

  • Read comments written by those in your organization regarding the issue
  • View Status History for the issue
  • Leave comments regarding the issue that others within your organization can view

[Screenshot: Comments and Status History]