Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Manage Vulnerabilities allows you to perform the following tasks:
Enable or disable vulnerability scanning for a repository to refine scanning report of the project.
Auto enabling repositories for scanning vulnerabilities.
You can enable or disable a repository for vulnerability scanning in PCC from the Manage Vulnerabilities tab. If you enable a repository for vulnerability scanning, the repository is scanned for the vulnerabilities. If you disable the vulnerability scanning for a repository, the scanning will be skipped for the selected repository and vulnerabilities are not detected.
To enable or disable a repository for vulnerability scan, perform the following steps:
1.Login into PCC.
2. Search for the required project. The Project dashboard appears. Click Security from the LFX Tools tab.
You can also navigate to Security from the Vertical Sidebar navigation menu. Click LFX Tools and then select Security.
3.The Security page appears. Click Manage Vulnerabilities tab, all repositories of the project are listed in alphabetical order.
4.Under Scan Vulnerabilities tab, toggle scan button to enable or disable a repository from scanning.
You can also enable or disable scanning for all repositories by toggle of Scan Vulnerabilities.
5. Under Last Scan Results tab, you can see whether the repository scan has been successful or failed while scanning the repository.
When the scan of the repository is successful, it is displayed as Successful and if there are any errors, it will be displayed as Failed.
You have an option to auto enable scanning of repositories for vulnerability scanning when a new repository is added in the GitHub project. When you select the Auto enable option, all new repositories are scanned for the vulnerabilities.
You can the Auto Enable New Repositories toggle button to set the auto scanning of the new repositories. This button is available in the Manage Vulnerabilities tab.
The LFX Security tool provides automated vulnerability scanning and provides visibility into potential vulnerabilities to help projects address top security concerns.
The Security service tool allows you to perform the following:
GitHub Onboarding
Manage Vulnerabilities
Manage False Positives
Manage Inclusive Naming
For more information on Security Services, visit Security Documentation.
Manage false positives allows you to define few parameters and assign values to them which can be used to signal false positive at the time of scanning for code secrets. When you define a parameter as a false positive, you can easily detect these
PCC Security tool allows you to add a false positive parameter which allows the
To add a false positive pattern, perform the following steps:
1.Login into PCC.
2. Search for the required project. The Project dashboard appears. Click Security from the LFX Tools STATUS tab.
You can also navigate to Security from the Vertical Sidebar navigation menu. Click LFX Tools and then select Security.
3.The Security page appears. From the Manage False Positive tab, click Proceed.
4.The Manage False Positive page appears with the list of defined false positive parameters. Click Add False Positive Pattern to add a new false positive parameter.
5.The Add False Positive Pattern dialog box appears. There are three parameters that are available for you to select and define. After defining the parameter, click Add to add the parameter as false positive. The three parameters are:
Path - Define the path for which you want to flag
Secret Type - You can select the required secret type from the drop-down list. Some of the secret types are password assignment, JWT toke, AWS key and many other secret types are available for your to select.
Secret Value - You should use a regular expression in order to define a value for Secret Value.
A regular expression (regex or regexp) is a sequence of characters that specifies a search pattern. Usually such patterns are used by string-searching algorithms for "find" or "find and replace" operations on strings, or for input validation. For more information, refer Regular Expressions.
Onboarding projects into LFX Security is done from the PCC (Project Control Center). As part of this onboarding, a Security Bot is installed on GitHub Organizations of the project.
To setup the Security service using PCC, perform the following steps:
1.Login into PCC.
2. Search for the required project. The Project dashboard appears. Click Security from the LFX Tools dropdown menu.
You can also navigate to Security from the Vertical Sidebar navigation menu. Click LFX Tools and then select Security.
4.Enter the GitHub organization name in the Organization Name and click Connect.
Make sure that you logged into the GitHub.
5.The Install Security Bot on GitHub.org instructions page appears. You can read the instructions on how to install the Security Bot from this page. Click Install Security Bot button.
6. A list of GitHub organizations associated with the login account are listed and displayed. Select the required organization for which you want to install the Security bot.
7.The Install & Authorize LFX Security GitHub App page appears. This page provides the following information:
Information on the permission requested for the selected repositories. The LFX Security requests the following permissions from the GitHub:
Read access to administer, code, check commit status, lookup members, and other metadata.
Read and write access to organization hooks, pull requests, and repository hooks.
Installing and authorizing LFX Security GitHub App grants these permissions on your account:
Read access to emails
Access to the repositories. You can either provide access to all the repositories or selected repositories within the GitHub Organization.
Click Install & Authorize to install the LFX Security GitHub App.
8.The LFX Security Service GitHub app is installed successfully. You can see the installation success message.
You will also receive an email after successful installation of the LFX Security GitHub App.
9.In the PCC page, you need to click I'm Done Installing the Security Bot after completing the installation process.
10.You can see the list of GitHub organizations along with the repositories for which the Security bot has been successfully configured.
A green dot present with the GitHub organization name indicates that the Security bot is successfully installed.
You can uninstall the security bot at any point of time from the PCC. When you uninstall the security bot, the security scanning for the GitHub organization is discontinued. You cannot see the vulnerabilities associated with your GitHub organizations.
To uninstall Security service from PCC, perform the following steps:
1.Login into PCC.
3.The Uninstall Security Bot on GitHub.org instructions page appears. You can read the instructions on how to uninstall the Security Bot from this page. Click Uninstall Security Bot button.
4.The LFX Security GitHub App opens in a new tab. Click Uninstall from the Danger Zone.
You can uninstall the Security bot from all the repositories associated with your GitHub organization by selecting All Repositories or select specific repositories for which you want to uninstall the Security bot by selecting Only Select Repositories.
5. A pop message appears informing that the Security bot will be uninstalled for the selected repositories. Click OK to continue with the uninstallation process.
6.In the PCC page, you need to click I'm Done Uninstalling the Security Bot after completing the uninstallation process.
7.The GitHub repositories will be removed from the Security dashboard. But, you can see the GitHub organization name in the Security dashboard.
A red dot present with the GitHub organization name indicates that the Security bot is successfully uninstalled.
8.If you want to remove the GitHub organization completely from the Security dashboard, click Disassociate Organization.
9.A popup message appears informing that the GitHub organization will be disassociated. Click Disassociate to continue with the disassociation process.
You have an option to suspend the Security service scanning without uninstalling the Security bot. When you suspend the Security service, the bot will not be uninstalled. You can revoke the suspension at any point of time by Unsuspending.
To suspend the Security service, perform the following steps:
1.Login into PCC.
3.The LFX Security GitHub App opens in a new tab. Click Suspend from the Danger Zone.
4.A popup message appears informing that the Security bot will be suspended. Click OK to continue with the suspension process.
5.The GitHub repositories are suspended from the Security dashboard.
A orange dot present with the GitHub organization name indicates that the Security bot is suspended.
You can associate an individual repository to a project. PCC allows you to select an individual repository and allows you to assign it to a project.
To associate an individual repository, perform the following:
1.Login into PCC.
2.Select the required project and click Security from the LFX Tools dropdown menu.
Make sure you see Security bot configured status under Configuration Status column. You can only select the required repository if the security bot is configured. \
If the status shows as Security bot not configured, you cannot select the repository.
3. Select the required individual repository from the Assigned to Project column that you want to assign to the project.
You can add the words which depict people unfairly in an insulting manner and exclude people based on their ethnicity, gender or color. LFX will scan for these non inclusive words in the code. You refer Non Inclusive Language section for more information.
To add non inclusive words, perform the following steps:
1.Login into .
2. Search for the required project. The Project dashboard appears. Click Security from the LFX Tools STATUS tab.
You can also navigate to Security from the Vertical Sidebar navigation menu. Click LFX Tools and then select Security.
3.The Security page appears. From the Manage Inclusive Naming tab, click Proceed.
4.Enter the non inclusive word in the Add word box and click +Add. The added non inclusive words are listed under NON-INCLUSIVE LANGUAGE.
To delete a non inclusive word, perform the following steps:
2. The Delete Keyword dialog box appears. Click Delete to confirm the deletion of the word.
A regular expression (regex or regexp) is a sequence of characters that specifies a search pattern. Usually such patterns are used by string-searching algorithms for "find" or "find and replace" operations on strings, or for input validation.
The below tables assists you on how to use different regular expressions:
In certain scenarios, if the administrator wants to ignore specific secret types, secret values, or paths, they can do so by creating an ignore.yaml file. On creating the ignore.yaml file, the file should be placed into the root directory of the repository, within a .blubracket folder.
When a match of the ignore file is made, an alert will not be created (but an event will still be generated).
For example, below is a repository called Test1, which has a .blubracket folder and within the folder is the ignore.yaml file.
A sample .blubracket/ignore.yaml is provided below:
The fail scan details for the repository such as time and date of the is displayed when you click the icon.
The fail scan details for the repository such as time and date of the is displayed when you click the icon.
You can delete the existing false positive parameter by click of delete icon.
You can update the existing false positive parameter by click of edit icon.
3.The Security page appears. From the GitHub Onboarding tab, click the icon available next to Connect.
2. Search for the required project. The Project dashboard appears. Click Security from the LFX Tools dropdown menu. The GitHub organizations are listed. Select the settings icon and click Disassociate GitHub Org.
2. Search for the required project. The Project dashboard appears. Click Security from the LFX Tools dropdown menu. The GitHub organizations are listed, select the settings icon and click Configure Security Bot.
To revoke the suspended Security service, click settings icon and click Configure Security Bot and click Unsuspend from the Danger Zone.
1.From the Manage Inclusive Naming tab, click icon that you want to delete from the list.
Content Credit from .
Character | Explanation |
. | Anything. Any character except newline |
a | The character a |
ab | The string ab |
a|b | a or b |
a* | 0 or more a's |
\ | Escapes a special character |
Character | Explanation |
* | 0 or more |
+ | 1 or more |
? | 0 or 1 |
{2} | Exactly 2 |
{2, 5} | Between 2 and 5 |
{2,} | 2 or more |
Character | Explanation |
(...) | Capturing group |
(?P<Y>...) | Capturing group named Y |
(?:...) | Non-capturing group |
(?>...) | Atomic group |
(?|...) | Duplicate group numbers |
\Y | Match the Y'th captured group |
(?P=Y) | Match the named group Y |
(?R) | Recurse into entire pattern |
(?Y) | Recurse into numbered group Y |
(?&Y) | Recurse into named group Y |
\g{Y} | Match the named or numbered group Y |
\g<Y> | Recurse into named or numbered group Y |
(?#...) | Comment |
Character | Explanation |
[ab-d] | One character of: a, b, c, d |
[^ab-d] | One character except: a, b, c, d |
[\b] | Backspace character |
\d | One digit |
\D | One non-digit |
\s | One whitespace |
\S | One non-whitespace |
\w | One word character |
\W | One non-word character |
Character | Explanation |
^ | Start of string |
\A | Start of string, ignores m flag |
$ | End of string |
\Z | End of string, ignores m flag |
\b | Word boundary |
\B | Non-word boundary |
\G | Start of match |
(?=...) | Positive lookahead |
(?!...) | Negative lookahead |
(?<=...) | Positive lookbehind |
(?<!...) | Negative lookbehind |
(?()|) | Conditional |
Character | Explanation |
i | Ignore case |
m | ^ and $ match start and end of line |
s | . matches newline as well |
x | Allow spaces and comments |
J | Duplicate group names allowed |
U | Ungreedy quantifiers |
(?iLmsux) | Set flags within regex |
Character | Explanation |
Newline |
Carriage return |
Tab |
\0 | Null character |
\YYY | Octal character YYY |
\xYY | Hexadecimal character YY |
\x{YY} | Hexadecimeal character YY |
\cY | Control character Y |
Character | Explanation |
[:alnum:] | Letters and digits |
[:alpha:] | Letters |
[:ascii:] | Ascii codes 0 - 127 |
[:blank:] | Space or tab only |
[:cntrl:] | Control characters |
[:digit:] | Decimal digits |
[:graph:] | Visible characters, except space |
[:lower:] | Lowercase letters |
[:print:] | Visible characters |
[:punct:] | Visible punctuation characters |
[:space:] | Whitespace |
[:upper:] | Uppercase letters |
[:word:] | Word characters |
[:xdigit:] | Hexadecimal digits |
