View issues in target baselines over time in the Security Testing Overview
The Security Testing Orchestration (STO) Overview enables you to see all detected issues in your main branches, latest images, and other target baselines.
Why you should define a baseline for every target
Every target needs a baseline to enable the full suite of STO features. Here's why:
- For developers, it's critical to distinguish between security issues in the baseline and issues in the variant you're working on. If you're working in a downstream branch, you want to detect and resolve issues in your branch (the variant) before merging, so you don't introduce them into the main branch (the baseline).
- When you scan a variant of a target that has a baseline defined, the scan results make it easy to separate issues found in the variant only ("your" issues) from issues also found in the baseline. The Security Tests tab divides these issues into two lists:
  - Only in <target>:<variant> Issues found in the scanned variant only.
  - Common to <target>:<baseline> Issues also found in the target baseline.
- The STO Overview and Security Testing Dashboard show detected issues for targets with baselines defined. While individual scan results focus on variant issues, these views focus on baseline issues. They enable security personnel and other non-developers to monitor, investigate, and address issues in production-ready targets and to view vulnerability trends over time.
- In short, baselines make it easy for developers to drill down into "shift-left" issues in downstream variants and for security personnel to drill down into "shift-right" issues in production targets.
To see all target baselines in the project, go to Security Tests > Test Targets. To see detected issues in a non-baseline variant, such as a feature or developer branch, go to a pipeline execution where the variant was scanned and then go to Security Tests.
The STO Overview has the following components:
- Issue distribution over time — Shows the daily distribution of all detected baseline issues by severity.
  - In this context, "daily" means from midnight GMT to midnight GMT, not the local day of the user viewing the dashboard. A baseline scan that finishes late in the evening local time can therefore appear under the next day's bucket.
  - STO deduplicates issues with the same root cause, so the counts reflect distinct root causes rather than raw findings per target. Suppose codebase A (main branch) and codebase B (main branch) contain the same vulnerability inherited from the same open-source library. In this case, STO combines them into one issue.
- Today's Snapshot — Shows all issues detected in the most recent scans of each target baseline in the project.
  - Suppose the most recent baseline scans ran this morning (codebase A), last week (image B), and two weeks ago (host C). In this case, the snapshot values are based on all baseline issues detected in all three scans, regardless of how old each scan is.
- Target Baselines — Shows the most recent scan for each target baseline in the project.
- Failed Builds — Shows the most recent failed builds that included scans of target baselines.
- Active Builds — Shows active builds that include scans of target baselines.
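To make the baseline-versus-variant split and the dashboard arithmetic concrete, here is an added Python model. It is not Harness code and does not claim to be how STO is implemented; it computes the "Only in" / "Common to" lists from the Security Tests tab, the latest baseline scan per target, Today's Snapshot, and the UTC-day distribution over a constructed set of scans. The `Issue` and `Scan` types, the root-cause keys, the target names, and the rule that a day's bucket holds the deduplicated issues of every baseline scan that finished that day are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SEVERITIES = ("Critical", "High", "Medium", "Low")


@dataclass(frozen=True)
class Issue:
    # Hypothetical root-cause key. STO deduplicates on root cause, so two
    # targets that inherit the same flaw from the same library share one key.
    root_cause: str
    severity: str


@dataclass(frozen=True)
class Scan:
    target: str
    variant: str           # branch, tag or image tag that was scanned
    finished_at: datetime  # timezone-aware
    issues: frozenset      # set of Issue


def split_variant_issues(variant_scan, baseline_scan):
    """The two lists on the Security Tests tab for a variant scan:
    'Only in <target>:<variant>' and 'Common to <target>:<baseline>'."""
    only_in_variant = variant_scan.issues - baseline_scan.issues
    common = variant_scan.issues & baseline_scan.issues
    return only_in_variant, common


def latest_baseline_scans(scans, baselines):
    """Most recent scan of each target's baseline (the Target Baselines panel).
    Scans of non-baseline variants, e.g. feature branches, are ignored."""
    latest = {}
    for scan in scans:
        if baselines.get(scan.target) != scan.variant:
            continue
        if scan.target not in latest or scan.finished_at > latest[scan.target].finished_at:
            latest[scan.target] = scan
    return latest


def severity_counts(issues):
    counts = Counter(issue.severity for issue in issues)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def todays_snapshot(scans, baselines):
    """Today's Snapshot: issues from the latest baseline scan of every target,
    however old that scan is. The set union deduplicates root causes shared
    across targets, so one library flaw in two codebases counts once."""
    latest = latest_baseline_scans(scans, baselines)
    merged = frozenset().union(*(scan.issues for scan in latest.values()))
    return severity_counts(merged)


def daily_distribution(scans, baselines):
    """Issue distribution over time, bucketed by UTC day (midnight GMT to
    midnight GMT): a scan's UTC date, not its local date, picks the bucket.
    Modelling assumption: a day's bucket holds the deduplicated issues of
    every baseline scan that finished on that day."""
    per_day = defaultdict(set)
    for scan in scans:
        if baselines.get(scan.target) != scan.variant:
            continue
        per_day[scan.finished_at.astimezone(timezone.utc).date()].update(scan.issues)
    return {day.isoformat(): severity_counts(found) for day, found in sorted(per_day.items())}


# Constructed sample data, not real findings. One flaw inherited from a shared
# library sits in both codebases' main branches; a feature branch of codebase-a
# has fixed one baseline issue and introduced a new one of its own.
SHARED = Issue("libshared-1.2:unsafe-deserialization", "Critical")
A_ONLY = Issue("codebase-a:sql-injection-login", "High")
B_ONLY = Issue("codebase-b:path-traversal-upload", "Medium")
IMAGE_BASE = Issue("image-c:outdated-base-image", "Low")
FEATURE_NEW = Issue("codebase-a:hardcoded-token", "High")

BASELINES = {"codebase-a": "main", "codebase-b": "main", "image-c": "latest"}

SCANS = [
    # 01:30 on 2024-05-07 in UTC+2 is 23:30 UTC on 2024-05-06: it lands in the 05-06 bucket.
    Scan("codebase-a", "main", datetime(2024, 5, 7, 1, 30, tzinfo=timezone(timedelta(hours=2))),
         frozenset({SHARED, A_ONLY})),
    Scan("codebase-b", "main", datetime(2024, 5, 6, 22, 0, tzinfo=timezone.utc),
         frozenset({SHARED, B_ONLY})),
    Scan("image-c", "latest", datetime(2024, 4, 23, 12, 0, tzinfo=timezone.utc),
         frozenset({IMAGE_BASE})),
    Scan("codebase-a", "feature/login", datetime(2024, 5, 7, 9, 0, tzinfo=timezone.utc),
         frozenset({SHARED, FEATURE_NEW})),
    Scan("codebase-b", "main", datetime(2024, 5, 8, 1, 0, tzinfo=timezone.utc),
         frozenset({SHARED})),  # B_ONLY fixed on main
]

if __name__ == "__main__":
    latest = latest_baseline_scans(SCANS, BASELINES)
    only, common = split_variant_issues(SCANS[3], latest["codebase-a"])
    print("only in codebase-a:feature/login:", sorted(i.root_cause for i in only))
    print("common to codebase-a:main:", sorted(i.root_cause for i in common))
    print("today's snapshot:", todays_snapshot(SCANS, BASELINES))
    print("daily:", daily_distribution(SCANS, BASELINES))
```

Two details are worth noting when reading the output. The feature-branch scan never reaches the snapshot or the daily chart, because only scans whose variant matches the target's baseline are counted, which is why a target without a baseline contributes nothing to these views. And the codebase-a scan that finished at 01:30 local time on 2024-05-07 is bucketed under 2024-05-06, the GMT day it actually finished; on that day the shared library flaw found in both codebases is counted once, giving three distinct issues from four raw findings.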