# Security overview

To work efficiently with vulnerabilities in your repositories, you need an overview of all the repositories you have along with the vulnerabilities affecting them. Debricked's security tool gives you that overview of your projects and their security status.

# Repositories view

To get an overview of all your repositories, click on the "Repositories" tab in the sidebar to the left.

Repositories view

In this view, all your repositories are shown, sorted by the number of vulnerabilities by default. The following columns are available:

  • Name: The name of the repository prepended with the name of the owner (if using integrations to e.g. GitHub).
  • Total vulnerabilities: The total number of vulnerabilities in this repository.
  • Vulnerability priority: The distribution of vulnerabilities based on their CVSS score.
  • Review status: How many vulnerabilities are marked as vulnerable, unexamined, and unaffected.
  • Total vulnerabilities with exploits: The total number of vulnerabilities that have at least one known exploit.

# Vulnerabilities in a repo

To show all vulnerabilities in a specific repository, click on the repository name. This opens a view specific to that repository.

Repo vulnerabilities

In this view, you get detailed information regarding the vulnerabilities discovered in your repository:

  • Name: The vulnerability name, which is usually a CVE identifier.
  • Discovered: The date at which the vulnerability was discovered in your code/repository.
  • CVSS: The CVSS score for this vulnerability.
  • debAI: Debricked's intelligent AI for ranking vulnerabilities based on your own security preferences, along with other metrics.
  • Dependencies: In which dependency the vulnerability was discovered.
  • Review status: Whether the vulnerability is known to be vulnerable, unaffected, or unexamined.

To see all commits related to this repository, or all related dependencies, click one of the tabs highlighted in the image below.

Repo vulnerabilities tabs

# Vulnerability details

To get detailed information about a specific vulnerability in a repo, click on the vulnerability ID, CVE-2021-25949 in this case.

In this view, we present links to advisories, such as NVD and GitHub, along with a summary of the severity.

Vulnerability details 1

Further down, we present where the vulnerability was introduced. We show the file(s) in which the vulnerability was found, and also through which dependencies it was introduced.

Under "Vulnerable dependency", we show which versions are vulnerable and, if possible, which versions are safe.

Vulnerability details 2

At the bottom, we show the breakdown of the CVSS scores, that is, the individual metrics the scores are calculated from. We show both CVSS2 and CVSS3 scores when possible, but CVSS3 should be preferred.

Finally, we present a list of external references where you may find information about remediations, patches, real-world exploits, as well as documentation from issue trackers.

Vulnerability details 3

# Vulnerabilities view

To get an overview of all vulnerabilities found in all scanned repositories, click on the "Vulnerabilities" tab in the sidebar to the left.

All vulnerabilities

This view is similar to the view for a specific repository, but here we include all vulnerabilities found in all your repositories.

# Dependencies view

To get an overview of all imported dependencies, including indirect dependencies, click on the "Dependencies" tab in the sidebar to the left.

Dependencies view

In this view, you are presented with a list of all dependencies found in all scanned repositories. It includes details such as:

  • Name: The name of the dependency.
  • Total vulnerabilities: The number of vulnerabilities this dependency accounts for.
  • Vulnerability priority: The distribution of CVSS scores for this dependency's vulnerabilities.
  • Review status: How many vulnerabilities are marked as vulnerable, unexamined, and unaffected.
  • Licenses: Under what license this dependency is released.
  • Popularity: The popularity score for this dependency.
  • Contributors: The contributor score for this dependency.

# View indirect dependencies

To also see the indirect dependencies, click on the "Show indirect" button at the top. The indirect dependencies will be marked with an "I" in the "Name" column, to make it easier for you to differentiate them.

Dependencies view indirect