Skip to main content

View scan results - Security Tests tab

After your pipeline completes a security scan, you can view the scan results in the Security Tests tab. You can access the Security Tests tab from two locations:

  • Execution History: Select a specific pipeline execution from your pipeline's Execution History.
  • Executions Section: Navigate to the Executions section from the left navigation in the STO module and select a pipeline execution.

Follow these steps to view the scan results:

  1. Navigate to either the Execution History of your pipeline or the Executions section from the left navigation in the STO module.
  2. Select the specific execution that performed the security scan.
  3. Click the Security Tests tab.

The Security Tests tab provides a comprehensive view of all issues detected during the scan.

Understanding issue categories

Issues identified in the scan are categorized as follows:

  • Only in <target>:<variant>: Issues detected only in the scanned variant.
  • Common to <target>:<baseline>: Issues present both in the scanned variant and the baseline.
  • Common to previous scan:
    • Issues found in the previous scan (if no baseline is set), OR
    • Issues found in the previous baseline scan (if the current variant is the baseline).
note
  • For optimal results, define a baseline for each target in STO. See Targets, Baselines, and Variants in STO.
  • Issue categorization (Only in <target>:<variant> and Remediated) relies on the baseline used during the scan execution, which may differ from the current baseline if dynamic baselines based on regular expressions are used. See Dynamic Baselines.

Filtering issues

You can filter issues using multiple criteria in the Security Tests tab:

  • Targets: Filter issues by target name.
  • Target Type: Filter by target type (e.g., repository, container, etc.).
  • Stage: Filter by pipeline stages.
  • Step: Filter by pipeline steps.
  • Scanner: Filter issues by specific scanners.
  • Issue Type: Filter by issue types (e.g., SAST, DAST, SCA, IaC, Secret etc.).

Severity-based filtering

Issues are summarized by severity levels (Critical, High, Medium, Low, Info) as clickable tiles, serving as additional filters. You can select multiple tiles.

The Exempted tile displays the number of exempted issues. Clicking it shows all exempted issues.

Issue list details

Below the filters and severity tiles, you'll find detailed information:

  • Severity: Issue criticality.
  • Issue: Description or name of the issue.
  • Occurrences: Number of times the issue was detected.
  • Status: Issue status (e.g., Remediated, Exempted).

View issue details

Click an issue to open the Issue Details pane. This pane contains two tabs: Overview and Occurrence.

If an exemption applies or was requested for an issue, the Exemption Status at Scan section appears at the top of the pane. Here, you can view exemption details or take actions (Approve, Reject, Re-open) based on your permissions. Learn more in Issue Exemption Workflow.

tip

From the Issue Details pane, you can create Jira tickets using the Create Ticket button (see Create Jira tickets) or request issue exemptions using the Request Exemption button (see Issue Exemption Workflow).

Overview tab

The Overview tab includes:

  • Details: Issue-related information varying by issue type (SAST, SCA, DAST, IaC, Secret).

  • Remediation: Remediation steps from Harness AI and Scanner. If scanning a repository, you can raise PRs or get code suggestions from Harness AI (see Fix security issues using Harness AI).

  • Code Snippet: Code snippet provided by the scanner. Enable Allow Vulnerable Content Extraction in Default Settings if the snippet isn't provided.

  • Issue Raw Details: Raw scanner details.

Occurrence tab

The Occurrence tab lists all issue occurrences with fields varying by issue type. For example, SAST issues include Severity, File Name, and Line Number.

Clicking an occurrence opens the Occurrence Details pane, including:

  • Details: Information based on issue type.
  • Remediation: Steps from Harness AI and Scanner (see Fix security issues using Harness AI).
  • Code Snippet: Provided by scanner or fetched by enabling Allow Vulnerable Content Extraction.
  • Occurrence Raw Details: Raw scanner details.

Use carousel navigation (Next ( > ) and Previous ( < )) to navigate occurrences.