IBM Cloud Docs
Understanding your results after integrating Security and Compliance Center with DevSecOps toolchains

With IBM Cloud® Security and Compliance Center, you can automate the evaluation of your security and compliance posture to detect vulnerabilities. By enabling the Security and Compliance Center integration through the use of DevSecOps templates, you can store evidence and monitor your deployments for compliance.

Each Continuous Integration (CI) pipeline run creates evidence. The evidence records the details of the operations that were performed and is saved in either a Git repository or an Object Storage bucket, known as an evidence locker. By default, a Git repository is used, but if you require the evidence to be more durable, for example because you need a longer retention period, you can configure an Object Storage bucket instead. Similarly, the Continuous Delivery (CD) pipeline collects evidence that provides an audit trail of the tasks performed that pertain to acceptance tests, change requests, and more. Most importantly, the Continuous Compliance (CC) pipeline writes an aggregation of all of the individual evidence fragments to an evidence summary when your deployment is complete. When validation tests are run against pipeline data, you can verify that your various best practices were carried out as part of the application deployment process.

Before you begin

Before you can view the results that are generated by Security and Compliance Center, be sure that you have the following prerequisites.

  • The needed level of access to view and interact with the results in Security and Compliance Center. To view results, you must have Reader access to the Security and Compliance Center service.
  • A configured pipeline. For help configuring your pipeline to work with Security and Compliance Center, see Configuring Security and Compliance Center.

Viewing results

To view the results of the compliance evaluation that is completed by Security and Compliance Center, you can visit the Security and Compliance Center dashboard.

Security and Compliance Center dashboard view
Figure 1. Security and Compliance Center dashboard view

When the DevSecOps pipelines interact with Security and Compliance Center, the information reaches the dashboard in one of two ways: it is either pushed to Security and Compliance Center by the pipeline, or pulled from the evidence locker by Security and Compliance Center on a schedule.

Pull data model

When a CI/CD pipeline is run, an evidence summary named summary.json is created and forwarded to an evidence locker or a repository. Each entry in the summary is mapped to a control in Security and Compliance Center.

CD evidence summary task
Figure 2. CD evidence summary task

Based on the schedule that is set when an attachment is created in Security and Compliance Center, the service pulls the information summary from the locker to perform an evaluation and then presents the results in the Security and Compliance Center UI.

Toolchain controls
Figure 3. Toolchain controls

Push data model

Each time that a CD/CC pipeline with a valid integration is run, an evidence summary is generated and forwarded directly to the Security and Compliance Center service. The information is evaluated by the service and presented in the Security and Compliance Center dashboard.

From the dashboard, click the profile that you want to view results for. Then, select the Resources tab. From there, click Additional details to view more information, such as where to find your supporting documentation. For example, you might see links to the pipeline-run evidence summary, toolchain, pipeline-run, or devsec-scc-doc.

Security and Compliance Center additional details view
Figure 4. Security and Compliance Center More Details view

Each piece of information is evaluated against a control and a status is provided. Each control is marked as either Compliant or Noncompliant. Each individual resource is marked Pass or Fail depending on whether its evidence fragment met the control qualification. A resource can also be marked Unable to perform. This status is returned when an evaluation is attempted but there is no corresponding evidence to evaluate: a task might have been removed or skipped in the CI pipeline, or the deployment was performed by using the CD EMERGENCY mode to override evidence failures, in which case the evidence no longer demonstrates the control.
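The following Python snippet is an added illustration of the status rules described above; it is not IBM code and does not use the real summary.json schema. The JSON layout, the control and resource names, the set of expected (control, resource) pairs, and the rule for rolling resource statuses up to a control verdict are all assumptions made for the example.

```python
import json

# Constructed sample evidence summary. The layout is a simplified,
# hypothetical stand-in; the real summary.json schema is not shown on
# this page and is not reproduced here.
SAMPLE_SUMMARY = json.dumps({
    "pipeline_run": "ci-run-0001",
    "emergency": False,
    "evidences": [
        {"control": "unit-tests",     "resource": "app-image",  "result": "success"},
        {"control": "vuln-scan",      "resource": "app-image",  "result": "failure"},
        {"control": "vuln-scan",      "resource": "base-image", "result": "success"},
        {"control": "branch-protect", "resource": "app-repo",   "result": "success"},
        # no "sbom" fragment: that CI task was skipped or removed
    ],
})

# Same run, but deployed with the CD emergency override (constructed).
EMERGENCY_SUMMARY = json.dumps({**json.loads(SAMPLE_SUMMARY), "emergency": True})

# (control, resource) pairs the attachment expects evidence for (assumed).
EXPECTED = (
    ("unit-tests", "app-image"),
    ("vuln-scan", "app-image"),
    ("vuln-scan", "base-image"),
    ("branch-protect", "app-repo"),
    ("sbom", "app-image"),
)


def resource_status(fragment, emergency):
    """Status of one resource under one control.

    No fragment (None): nothing to evaluate -> "Unable to perform".
    Emergency deployment: failures were overridden, so the fragment no
    longer demonstrates the control -> "Unable to perform".
    Otherwise the fragment's own result decides Pass or Fail.
    """
    if fragment is None or emergency:
        return "Unable to perform"
    return "Pass" if fragment.get("result") == "success" else "Fail"


def evaluate(summary_json, expected=EXPECTED):
    """Return {control: {"status": ..., "resources": {resource: status}}}.

    Roll-up rule (an assumption made here, not stated on the page): a
    control is Compliant only when every expected resource is Pass; any
    Fail or Unable to perform makes it Noncompliant, because in both
    cases the evidence does not demonstrate the control.
    """
    summary = json.loads(summary_json)
    emergency = bool(summary.get("emergency", False))
    fragments = {(f["control"], f["resource"]): f
                 for f in summary.get("evidences", [])}

    report = {}
    for control, resource in expected:
        status = resource_status(fragments.get((control, resource)), emergency)
        report.setdefault(control, {"resources": {}})["resources"][resource] = status
    for entry in report.values():
        all_pass = all(s == "Pass" for s in entry["resources"].values())
        entry["status"] = "Compliant" if all_pass else "Noncompliant"
    return report


if __name__ == "__main__":
    for control, entry in evaluate(SAMPLE_SUMMARY).items():
        print(f"{control:15} {entry['status']:13} {entry['resources']}")
```

Running the script on the constructed sample reports vuln-scan as Noncompliant because one of its two resources failed, and sbom as Noncompliant with its single resource marked Unable to perform because no fragment was written for it. Evaluating EMERGENCY_SUMMARY marks every resource Unable to perform, which is the trace an emergency deployment leaves in the dashboard.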

Example control dashboard:

Validation by control
Figure 5. Validation by control

Example resource dashboard:

Validation by resource
Figure 6. Validation by resource

While it is possible to deploy an image whose validations did not all pass, the failed validations are reported on inspection in Security and Compliance Center.

Next steps

To explore toolchains in Security and Compliance Center, you can learn about managing scopes in the Security and Compliance Center documentation.