Importing vulnerability scan result data from your vulnerability management tools allows Secure Code Warrior® to unlock significant insights into how your training program is improving your security posture, as well as dynamic training recommendations to hone and target your program.
- Importing your vulnerability data
- Importing a team mapping file
- Importing your vulnerability data - specific tools
Importing your vulnerability data
To import your findings data, you'll need to export it from the tool you are using. In general, we require the fields below. Field names and structures vary between source systems, so the export does not need to match these names exactly as long as each piece of information is present:
| Source System Field | Notes |
|---|---|
| Finding ID | We expect 1 row per vulnerability finding, so this value should be unique within the export. |
| CWE | The CWE identifier of the weakness (for example, CWE-79). |
| First Found Date | The date the finding was first reported by the scanner. |
| Last Found Date | The date of the most recent scan in which the finding was still present. |
| Severity | The severity rating assigned by the tool (for example, Critical / High / Medium / Low). |
| Status | Whether the finding is still open or has been resolved. |
| Scan Type | For example SAST, DAST or SCA. We typically filter to only SAST findings. |
| Repo / Application / Project ID | We use this to map vulnerabilities to the teams of developers who have worked on them. |
Importing a Team Mapping file
In many cases, the Teams that have been set up in your Secure Code Warrior instance might not map cleanly to the Teams (or Groups, or Projects, or Applications, etc) in your vulnerability management tool. In this case, you can provide us with a Team Mapping file, so that we can understand which vulnerabilities in your findings data should be attributed to which groups of users in SCW. This helps us provide more targeted training program recommendations.
To create a Team Mapping file, just create a CSV with the following columns:
| Column Name | Description |
|---|---|
| Repository (or Application, or Project, or Group, etc) | The values from the relevant field in the vulnerability data that we will use to map findings to SCW teams. These must match the exported values exactly. |
| Team Name | The corresponding Team in SCW. |
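The following script is an added example, not Secure Code Warrior's own import code, showing how the two files described above fit together: it validates a findings export against the required fields, normalises the CWE column, de-duplicates on Finding ID, filters to SAST findings, and joins each finding to an SCW team through the mapping file. The column names (`finding_id`, `repository`, and so on) and both CSV inputs are constructed for illustration; a real export will use your tool's own names.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date

# Column names are assumptions for this example; real exports use
# tool-specific names and must be renamed to match.
REQUIRED = ["finding_id", "cwe", "first_found", "last_found",
            "severity", "status", "scan_type", "repository"]

# Constructed sample export (not real scanner output). Note the
# duplicated finding F-1002, the bare "79" CWE value, and the SCA row.
FINDINGS_CSV = """finding_id,cwe,first_found,last_found,severity,status,scan_type,repository
F-1001,CWE-89,2024-01-10,2024-03-02,High,Open,SAST,payments-api
F-1002,79,2024-02-01,2024-03-02,Medium,Open,SAST,payments-api
F-1003,CWE-79,2024-02-15,2024-02-20,Medium,Fixed,SAST,web-portal
F-1004,CWE-1104,2024-02-18,2024-03-02,Low,Open,SCA,web-portal
F-1005,CWE-22,2024-03-01,2024-03-02,High,Open,SAST,legacy-batch
F-1002,79,2024-02-01,2024-03-02,Medium,Open,SAST,payments-api
"""

# Constructed Team Mapping file in the two-column shape described above.
# "legacy-batch" is deliberately left unmapped.
TEAM_MAPPING_CSV = """Repository,Team Name
payments-api,Payments Squad
web-portal,Portal Squad
"""


def normalize_cwe(value):
    """Accept 'CWE-79', 'cwe-0079' or '79' and return the canonical 'CWE-79'."""
    v = value.strip().upper()
    if v.startswith("CWE-"):
        v = v[4:]
    if not v.isdigit():
        raise ValueError(f"unrecognised CWE value: {value!r}")
    return f"CWE-{int(v)}"


def load_team_mapping(text):
    """Return {repository value -> SCW team name} from the mapping CSV."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Repository"].strip(): row["Team Name"].strip() for row in reader}


def load_findings(text, required=REQUIRED):
    """Validate the export and return (unique findings, duplicate finding IDs)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing required columns: {missing}")
    findings, duplicates = {}, []
    for row in reader:
        fid = row["finding_id"].strip()
        if fid in findings:           # one row per finding: keep the first
            duplicates.append(fid)
            continue
        row["cwe"] = normalize_cwe(row["cwe"])
        row["first_found"] = date.fromisoformat(row["first_found"])
        row["last_found"] = date.fromisoformat(row["last_found"])
        if row["last_found"] < row["first_found"]:
            raise ValueError(f"{fid}: last found date precedes first found date")
        findings[fid] = row
    return list(findings.values()), duplicates


def attribute_to_teams(findings, mapping, scan_type="SAST"):
    """Return ({team -> Counter of CWE}, set of repositories with no team)."""
    per_team, unmapped = defaultdict(Counter), set()
    for f in findings:
        if f["scan_type"].strip().upper() != scan_type:
            continue                  # typically only SAST findings are used
        team = mapping.get(f["repository"].strip())
        if team is None:
            unmapped.add(f["repository"].strip())
            continue
        per_team[team][f["cwe"]] += 1
    return dict(per_team), unmapped


if __name__ == "__main__":
    found, dups = load_findings(FINDINGS_CSV)
    teams, unmapped = attribute_to_teams(found, load_team_mapping(TEAM_MAPPING_CSV))
    print("duplicate finding IDs dropped:", dups)
    for team, cwes in teams.items():
        print(team, dict(cwes))
    print("repositories missing from team mapping:", sorted(unmapped))
```

The unmapped-repository set is the output worth checking before sending the files: any repository listed there will contribute nothing to team-level recommendations until it is added to the mapping file.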
Importing your vulnerability data - specific tools
We have collated below some links to relevant documentation for some common vulnerability management tools. If yours is not listed here, and you need help getting findings data out into the format we expect, you may wish to contact your tool's support team.
| Vulnerability management tool | How to export vulnerability findings |
|---|---|
| Snyk | Issues Detail Report |
| Checkmarx | Global CSV Result reports |
| Armorcode | Manage Findings |
| Veracode | Export data from the Veracode platform |
| OpenText / Fortify | Data Exports |
| Blackduck SRM | Generating a Findings report |