IBM Cloud Docs
Understanding your results after integrating Security and Compliance Center with DevSecOps toolchains

With IBM Cloud® Security and Compliance Center, you can automate the evaluation of your security and compliance posture to detect vulnerabilities. By enabling the Security and Compliance Center integration by using DevSecOps templates, you can store evidence and monitor your deployments for compliance.

Every Continuous Integration (CI) pipeline run creates evidence. The evidence records the details of the operations that were performed and is saved in either a Git repository or an Object Storage bucket, which is known as an evidence locker. By default, a Git repository is used. If you need the evidence to be more durable, for example because it must be retained for a longer period, you can configure an Object Storage bucket instead. Similarly, the Continuous Delivery (CD) pipeline collects evidence that provides an audit trail of the tasks that were performed, such as acceptance tests and change requests. Most importantly, the Continuous Compliance (CC) pipeline writes an aggregation of all of the individual evidence fragments to an evidence summary when your deployment is complete. When validation tests are run against pipeline data, you can verify that your best practices were carried out as part of the application deployment process.

Before you begin

Before you view the results that are generated by Security and Compliance Center, ensure that you meet the following prerequisites:

  • The level of access that is needed to view and interact with the results in Security and Compliance Center. To view your results, you must have at least Reader access to the Security and Compliance Center service.
  • A configured pipeline. For help with configuring your pipeline to work with Security and Compliance Center, see Configuring Security and Compliance Center.

Viewing results

To view the results of the compliance evaluation, open the Security and Compliance Center dashboard.

Security and Compliance Center dashboard view

When the DevSecOps pipelines interact with Security and Compliance Center, the evidence reaches the dashboard in one of two ways: Security and Compliance Center either pulls the evidence summary from the evidence locker on a schedule, or the pipeline pushes the summary to the service when it runs.

Pull data model

When a CI/CD pipeline runs, an evidence summary that is named summary.json is created and forwarded to the evidence locker. Each entry in the summary is mapped to a control in Security and Compliance Center.

CD evidence summary task

Based on the schedule that is set when an attachment is created in Security and Compliance Center, the service pulls the evidence summary from the locker, evaluates it, and presents the results in the Security and Compliance Center UI.

Toolchain controls

Push data model

Each time that a CD or CC pipeline with a valid integration runs, an evidence summary is generated and forwarded directly to the Security and Compliance Center service. The service evaluates the summary and presents the results in the Security and Compliance Center dashboard.

From the dashboard, click the profile that you want to view results for. Then, select the Resources tab. From there, click Additional details to view more information, such as where to find your supporting documentation. For example, you might see links to the pipeline-run evidence summary, toolchain, pipeline-run, or devsec-scc-doc.

Security and Compliance Center additional details view

Each piece of evidence is evaluated against a control and a status is provided. For each control, you are marked as either Compliant or Noncompliant. For individual resources, the status is Pass or Fail depending on whether the evidence fragment met the control qualification. A resource can also be marked Unable to perform. This status is returned when an evaluation is attempted but there is no corresponding evidence to evaluate, for example because a task was removed or skipped in the CI pipeline, or because a deployment was performed by using the CD EMERGENCY option to override evidence failures. Treat an Unable to perform result as a gap to investigate rather than as a pass: it means that the control was not checked, not that it was met.

Example control dashboard:

Validation by control

Example resource dashboard:

Validation by resource

Although it is possible to deploy an image when some validations fail, those failures are still recorded in the evidence and are reported when you inspect the results in Security and Compliance Center.
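The following script is an added example that is not part of this page or of IBM's DevSecOps pipelines. It shows the status logic described above (Pass or Fail per resource, Compliant or Noncompliant per control, Unable to perform when no evidence exists) applied to a constructed evidence summary. The summary layout, the evidence type names, the control IDs, and the emergency flag are all assumptions made for the example; they do not reproduce the real summary.json schema or the real control mapping.

```python
"""Evaluate a constructed evidence summary against a set of controls.

Added example, not IBM's code. The summary layout below is a stand-in for
summary.json; the real schema and control mapping are not reproduced here.
"""
import json
from collections import defaultdict

COMPLIANT, NONCOMPLIANT = "Compliant", "Noncompliant"
PASS, FAIL, UNABLE = "Pass", "Fail", "Unable to perform"

# Hypothetical mapping of evidence types to control IDs (assumed for this example).
CONTROL_MAP = {
    "unit_tests": "CTRL-UNIT-TESTS",
    "static_scan": "CTRL-STATIC-SCAN",
    "vulnerability_scan": "CTRL-VULN-SCAN",
    "branch_protection": "CTRL-BRANCH-PROTECTION",
}

# Constructed sample summary: one fragment per tool run, as a CI run might record it.
# The branch_protection task was skipped, and the deployment used the emergency override.
SAMPLE_SUMMARY = json.dumps({
    "pipeline_run_id": "run-0001",
    "emergency": True,
    "evidences": [
        {"evidence_type": "unit_tests", "result": "success", "tool": "jest"},
        {"evidence_type": "static_scan", "result": "success", "tool": "detect-secrets"},
        {"evidence_type": "vulnerability_scan", "result": "failure", "tool": "cra"},
        {"evidence_type": "unit_tests", "result": "success", "tool": "pytest"},
    ],
})


def fragment_status(fragment):
    """A fragment passes only when the tool reported success; anything else is Fail."""
    return PASS if fragment.get("result") == "success" else FAIL


def evaluate(summary_json):
    """Group fragments by control and derive a per-control and per-resource status."""
    summary = json.loads(summary_json)
    emergency = bool(summary.get("emergency", False))

    by_control = defaultdict(list)
    for frag in summary.get("evidences", []):
        control = CONTROL_MAP.get(frag.get("evidence_type"))
        if control is None:
            continue  # unmapped evidence has no control to evaluate against
        by_control[control].append({
            "resource": frag.get("tool", "unknown"),
            "status": fragment_status(frag),
        })

    report = {}
    for control in sorted(set(CONTROL_MAP.values())):
        resources = by_control.get(control, [])
        if not resources:
            # Nothing to evaluate: the task was skipped or removed, or its failure was
            # overridden by an emergency deployment. This example treats the control as
            # Noncompliant (a conservative choice) and records the override flag.
            report[control] = {
                "status": NONCOMPLIANT,
                "resources": [{"resource": None, "status": UNABLE}],
                "emergency_override": emergency,
            }
            continue
        failed = [r for r in resources if r["status"] == FAIL]
        report[control] = {
            "status": NONCOMPLIANT if failed else COMPLIANT,
            "resources": resources,
            "emergency_override": emergency,
        }
    return report


def noncompliant_controls(report):
    """Controls that need follow-up: failed evidence or evidence that was never produced."""
    return sorted(c for c, v in report.items() if v["status"] == NONCOMPLIANT)


if __name__ == "__main__":
    rep = evaluate(SAMPLE_SUMMARY)
    for control, detail in rep.items():
        print(f"{control}: {detail['status']}")
        for r in detail["resources"]:
            print(f"    {r['resource'] or '-'}: {r['status']}")
    print("Needs attention:", noncompliant_controls(rep))
```

The point of the evaluator is the third branch: a missing fragment is not silently dropped but surfaces as Unable to perform on the resource and as a Noncompliant control, so a skipped task or an emergency override shows up in the report the same way a failed scan does.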

Next steps

To explore toolchains in Security and Compliance Center, you can learn about managing scopes in the Security and Compliance Center documentation.