Introducing Projects: Find and fix code security issues faster from a centralized view

At Bridgecrew, our goal is to make finding and fixing infrastructure misconfigurations as efficient as possible. For developers, that means having an intuitive workflow that follows the way code is committed, reviewed, edited, and merged.

Born out of feedback from our customers and our own engineering teams, we’re excited to take another step towards that goal with our newest addition to the Bridgecrew platform—the Projects page.

Now, instead of digging through a long list of misconfigurations across cloud accounts and repositories on the Incidents page, you can find and fix misconfigurations the same way you find and fix code in repositories. The Projects page improves your efficiency and shortens time to patch with granular search and filtering, intuitive navigation, and a developer-friendly UX.

TL;DR, the new Projects page:

  • Is a central view within the Bridgecrew platform for continuously assessing the security posture of code repositories.
  • Displays misconfigurations identified within the main branch of scanned repositories along with detailed information about each misconfigured resource.
  • Allows for filtering misconfigurations by category, severity, or tag to focus on relevant issues.
  • Enables single pull requests to implement multiple fixes at once.
  • Exposes an exciting new Bridgecrew use case—vulnerability scanning for container images.


Follow your git workflow

We designed the Projects page to follow developer workflows. Just like opening up a repository in your version control system (VCS) and selecting a directory and file to review, our new Projects page groups repositories and directories for easier analysis. Bridgecrew highlights all of the misconfigurations by resource along with detailed information about it, including tags, dependencies, and history.

We’ve also simplified the flow to jump from a resource within your main branch to a specific Code Review. Instead of scrolling through past Code Reviews, you can now go directly to the repository within the Projects page and select your feature branch to navigate directly to its latest Code Review.


Narrow in on relevant code

Speaking of better navigation, the Projects page lets you filter and search code misconfigurations. You can filter by misconfiguration Category and Severity, and by tags if they are present in your codebase. Free-text search also lets you narrow your security findings by keyword or tag.

In combination with tagging protocols and auto-tagging tools like our recently released open-source tool Yor, filtering and search are powerful tools for pinpointing misconfigured code that needs to be addressed. For example, let’s say you identify a misconfiguration, such as an unencrypted storage bucket in your running cloud environment. If it’s been tagged with yor_trace, you can search for that tag in the Projects page and quickly pull up all misconfigurations for that bucket.

Locate the right teammates to get things done

Once you’ve narrowed in on misconfigurations, you need to loop in the right teammates to get things fixed. On the Projects page, we display the code block modifiers extracted from git blame to make that process easier.

By selecting modifiers in the top right, you can also filter resources down to the ones those developers have modified. Again, this focuses developer attention by highlighting relevant misconfigurations.

Group multiple fixes into single pull requests

Ready to fix straight from the Bridgecrew platform? From the Projects page, you can now group multiple security-as-code fixes into single pull requests. Instead of opening individual pull requests for each misconfiguration, you can now select multiple fixes to be applied in a single pull request back to your VCS, reducing the number of reviews necessary and simplifying the patch process.

Bonus! Identify package vulnerabilities

We’re excited to announce that finding issues in code with Bridgecrew is no longer limited to infrastructure as code (IaC) templates. Bridgecrew now leverages twistcli from Prisma Cloud under the hood to find vulnerabilities in container images. Simply run the Bridgecrew CLI or Checkov with an API key and the mandatory parameters to get image scan results directly in CI output or in the Bridgecrew platform. For example, to scan a basic ubuntu image, run:

checkov --docker-image ubuntu --dockerfile-path /tmp/Dockerfile --bc-api-key $BC_API_KEY --repo-id bridgecrew/ubuntu --branch master

Results include severity, common vulnerabilities and exposures (CVE) ID, package name, risk factors, common vulnerability scoring system (CVSS) scores, and vulnerability published date. Find and patch vulnerabilities in your container images for full stack security.
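The following is an added example, not code from Bridgecrew or the Checkov project: a small POSIX shell wrapper around the image-scan invocation above, of the kind you would drop into a CI job. It refuses to run until the mandatory inputs are present (the API key in the BC_API_KEY environment variable, a readable Dockerfile, an image name and a repo-id) so a misconfigured pipeline fails with a clear message instead of an opaque scanner error, and it otherwise returns Checkov's own exit status so the job fails when the scan does. The flag names are the ones shown in the post; the CHECKOV_BIN override, the default branch of master and the exit code 2 for missing inputs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Bridgecrew's or Checkov's code): CI wrapper for the
# Checkov container-image scan shown in the post.
#
# Assumptions (not from the original post):
#   - the API key is supplied via the BC_API_KEY environment variable
#   - CHECKOV_BIN may point at an alternative checkov binary (defaults to "checkov")
#   - exit status 2 means "wrapper refused to run"; any other status is checkov's own

# scan_image IMAGE DOCKERFILE REPO_ID [BRANCH]
scan_image() {
  image="$1"
  dockerfile="$2"
  repo_id="$3"
  branch="${4:-master}"   # assumed default, matching the post's example

  # Fail early and loudly on missing mandatory inputs, before any network call.
  if [ -z "${BC_API_KEY:-}" ]; then
    echo "scan_image: BC_API_KEY is not set" >&2
    return 2
  fi
  if [ -z "$image" ] || [ -z "$repo_id" ]; then
    echo "scan_image: image name and repo-id are mandatory" >&2
    return 2
  fi
  if [ ! -f "$dockerfile" ]; then
    echo "scan_image: Dockerfile not found: $dockerfile" >&2
    return 2
  fi

  # Same flags as the post's command line; checkov's exit status is returned as-is.
  "${CHECKOV_BIN:-checkov}" --docker-image "$image" \
    --dockerfile-path "$dockerfile" \
    --bc-api-key "$BC_API_KEY" \
    --repo-id "$repo_id" \
    --branch "$branch"
}

# Usage from a CI step (uncomment to run):
# scan_image ubuntu /tmp/Dockerfile bridgecrew/ubuntu master || exit $?
```

Because the wrapper returns Checkov's exit status unchanged, a pipeline step that calls it fails exactly when the scan fails; the early checks only add a distinct status for the case where the job itself is misconfigured.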

This is just the beginning! There’s more to come for full-stack security with Bridgecrew.

···

We love working with our community to improve the process of finding and fixing security issues in code. The more we embed security into developer workflows, the more likely code quality and security are to improve.

Check out the Projects page today!