View issues in target baselines over time
The STO Overview enables you to see all detected issues in your main branches, latest images, and other target baselines.
Why you should define a baseline for every target
It is good practice to specify a baseline for every target, for the reasons below. To define your baselines, go to Security Tests (left menu) > Test Targets; each target has a Baseline for Comparison menu.
For developers, it's critical to distinguish between security issues in the baseline and issues in the variant you're working on. If you're working in a downstream branch, you want to detect and resolve issues in your branch (the variant) before merging, so you don't introduce them into the main branch (the baseline).
When you scan a variant of a target with a baseline defined, the scan results make it easy to identify issues in the variant only (“your” issues) vs. issues also found in the baseline.
The STO Overview and Security Testing Dashboard show detected issues for targets with baselines defined. While individual scan results focus on variant issues, these views focus on baseline issues. These views enable security personnel and other non-developers to monitor, investigate, and address issues in production-ready targets and view vulnerability trends over time.
In short, defining a baseline makes it easy for developers to drill down into “shift-left” issues in downstream variants and security personnel to drill down into “shift-right” issues in production targets.
To see all target baselines in the project, go to Security Tests > Test Targets. To see detected issues in a non-baseline target, such as a feature or developer branch, go to the build results for that target and click Security Tests.
This view has the following components:
- Issue distribution over time — Shows the daily distribution of all detected baseline issues by severity.
  - In this context, "daily" means from midnight GMT to midnight GMT.
  - STO deduplicates issues with the same root cause. Suppose codebase A (main branch) and codebase B (main branch) contain the same vulnerability inherited from the same open-source library. In this case, STO combines them into one issue.
- Today's Snapshot — Shows all issues detected in the most recent scans of each target baseline in the project.
  - Suppose the most recent baseline scans ran this morning (codebase A), last week (image B), and two weeks ago (host C). In this case, the snapshot values are based on all baseline issues detected in all three scans.
- Target Baselines — Shows the most recent scan for each target baseline in the project.
- Failed Builds — Shows the most recent failed builds that included scans of target baselines.
- Active Builds — Shows active builds that include scans of target baselines.
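The following Python snippet is an added illustration of the semantics described above (latest baseline scan per target, deduplication by root cause, variant-only issues, and midnight-to-midnight GMT daily buckets); it is not Harness code or API output, and the scan records, target names, root-cause keys, and severities are constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample scan records (illustration only, not Harness data or API output).
# Each record is one scan of one target variant; issues are (root_cause_key, severity).
SCANS = [
    {"target": "codebase-A", "variant": "main", "baseline": True, "time": "2024-05-02T08:10:00Z",
     "issues": [("CVE-2023-0001:liblog", "CRITICAL"), ("sqli:users.py:42", "HIGH")]},
    {"target": "codebase-A", "variant": "main", "baseline": True, "time": "2024-05-01T00:10:00Z",
     "issues": [("CVE-2023-0001:liblog", "CRITICAL")]},          # older scan of the same baseline
    {"target": "image-B", "variant": "latest", "baseline": True, "time": "2024-04-25T12:00:00Z",
     "issues": [("CVE-2023-0001:liblog", "CRITICAL"), ("CVE-2022-9999:openssl", "MEDIUM")]},
    {"target": "codebase-A", "variant": "feature/login", "baseline": False, "time": "2024-05-02T09:00:00Z",
     "issues": [("sqli:users.py:42", "HIGH"), ("xss:login.html:7", "MEDIUM")]},
]

def when(scan):
    # Scan timestamps are UTC; "daily" buckets run from midnight to midnight GMT.
    return datetime.fromisoformat(scan["time"].replace("Z", "+00:00"))

def latest_baseline_scans(scans):
    """Most recent baseline scan per target: the input to Today's Snapshot."""
    latest = {}
    for s in [x for x in scans if x["baseline"]]:
        if s["target"] not in latest or when(s) > when(latest[s["target"]]):
            latest[s["target"]] = s
    return latest

def snapshot(scans):
    """Severity counts over the latest baseline scans, one issue per root cause."""
    by_root = {}
    for s in latest_baseline_scans(scans).values():
        for root, sev in s["issues"]:
            by_root.setdefault(root, sev)   # same root cause in two targets counts once
    return dict(Counter(by_root.values()))

def variant_only_issues(scans, target, variant):
    """Issues in the variant's latest scan that the target baseline does not have ("your" issues)."""
    base = latest_baseline_scans(scans).get(target)
    base_roots = {r for r, _ in base["issues"]} if base else set()
    var = max((s for s in scans if s["target"] == target and s["variant"] == variant), key=when)
    return sorted(r for r, _ in var["issues"] if r not in base_roots)

def daily_distribution(scans):
    """Per UTC day, severity counts of baseline issues, deduplicated by root cause within the day."""
    days = {}
    for s in [x for x in scans if x["baseline"]]:
        days.setdefault(when(s).date().isoformat(), {}).update(dict(s["issues"]))
    return {d: dict(Counter(v.values())) for d, v in sorted(days.items())}
```

Note that the 00:10 UTC scan lands in the 2024-05-01 bucket even though it is still the previous evening in western time zones, which is the midnight-GMT rule in action.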