Triage Issues

Triaging issues is a day-to-day routine. You know the drill: you get notified of an incoming issue, you take a look at it, understand what it's about and decide how to handle it.
You might assign it to the relevant person, ignore it because it's intentional, create a ticket in your favorite ticket management system (Jira, Monday, etc.) or, best of all, simply resolve it 👍
Another scenario is scanning a new asset and sifting through multiple findings.
SpectralOps strives to give you the best experience handling both of these scenarios. We make it easy to get an overview of all your assets while focusing on the most important things. Let's take a look at how this works in SpectralOps:

Assets

The Assets page provides a way to overview, filter and sort your assets. You'll find some high-level info about what's important in each asset. Drill down into an asset to review its issues.

Assets overview

IaC findings focus

Asset page

The Asset page provides details about a single asset. You'll find the asset's issues grouped into relevant tabs.

Secrets
The Sprawl tab lets you explore secrets that appear in multiple locations across your assets and infrastructure.
Sprawl - secrets that appear more than once in your assets

IaC

Scans History

A closer look at issues

Detectors & Playbooks

An issue's detector represents a concrete problem in your asset. For example, CLD001 (this is the detector ID; see it by hovering over the description) is a detector from the cloud detector category and means that you have a Visible AWS Key.

Most of the detectors have a playbook that gives you more details and helps you remediate. Clicking on the detector name will take you to its playbook.
We also include links to the relevant CWE entries and other articles, so your developers are well educated and have a good understanding of the issue and how to resolve it.
For quick info, check out the "show more info" section.

Click it and see the playbook!

Severity

Prioritizing application security issues is one of the most challenging tasks. We try to simplify it by providing a few different severities to help you prioritize issues.

  • Critical: An asset is compromised. An action is required immediately.
  • High: May lead to a potential risk. An action is required immediately.
  • Medium: A potential security risk exists. An action is required, within a reasonable time period.
  • Low: There is no security or infrastructure risk. It is advised to take an action, as per best practices.
  • Informational: There is no security or infrastructure risk. Administrator awareness is advised.

You can change any detector's severity. This will affect all the issues with the same detector type across all assets.
Hover over the severity to change it

Content

Spectral automatically classifies issues based on their context so you can be more productive and focus on the issues that create the most significant risk.
SpectralOps will classify each of the findings as one of code/infra | examples | docs | tests.
Code/infra is the most common asset type engineers produce and has the highest probability of becoming a significant threat.
Tests are part of the project and may contain real keys, but from our experience they should have lower priority.

While examples/docs/tests have lower priority, we've noticed that human mistakes also show up in those assets, and you should validate them before ignoring them.

This issue is from code or infra

Jump into action

OK, so what can we do with issues? Several courses of action:

Ignore

An ignored issue is an issue you and your team decided not to invest effort in fixing. Spectral provides three options for ignoring an issue:

  • Won't fix - a type of issue you and your team decided isn't critical enough, or something you don't mind leaking.
  • False positive - Spectral discovered an issue, but it's not a secret. Be sure to attach a comment explaining why it's a false positive; it helps us get better!
  • Snooze - put it on hold for a period of time.

In all the above cases, once an issue is ignored you won't get any notifications about it, and SpectralOps will filter those issues from view unless you explicitly change the filtering to show ignored issues.

Resolve

If an issue has been handled in the code and you want to mark it as done, you can resolve it. If the same issue is found again, it will be marked as a regression.
Note that if you rescan the asset and an existing active issue isn't found there, it will be auto-resolved by Spectral.
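The Ignore and Resolve rules above describe a small state machine: ignored issues stop notifying and are filtered from view, resolved issues become regressions if detected again, and active issues that disappear on rescan are auto-resolved. The following is an added example (not SpectralOps code) that models those rules so you can check your own triage expectations against them. The `fingerprint` field, the status names, and the behaviour that an expired snooze returns the issue to active are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical status names; the page names the transitions, not the labels.
ACTIVE, IGNORED, RESOLVED, REGRESSION = "active", "ignored", "resolved", "regression"
IGNORE_REASONS = ("wont_fix", "false_positive", "snooze")


@dataclass
class Issue:
    fingerprint: str                  # assumed stable id (asset + detector + location)
    detector: str                     # detector id, e.g. CLD001 from the page
    status: str = ACTIVE
    ignore_reason: Optional[str] = None
    snooze_until: Optional[datetime] = None
    comment: Optional[str] = None


def ignore(issue: Issue, reason: str, now: datetime,
           comment: Optional[str] = None, snooze_days: Optional[int] = None) -> None:
    """Ignore an issue with one of the three reasons the page lists."""
    if reason not in IGNORE_REASONS:
        raise ValueError(f"unknown ignore reason: {reason}")
    if reason == "false_positive" and not comment:
        # The page asks for a comment explaining why it is a false positive.
        raise ValueError("a false positive needs an explanatory comment")
    if reason == "snooze":
        if not snooze_days:
            raise ValueError("snooze needs a period")
        issue.snooze_until = now + timedelta(days=snooze_days)
    issue.status, issue.ignore_reason, issue.comment = IGNORED, reason, comment


def resolve(issue: Issue) -> None:
    """Mark an issue as handled in the code."""
    issue.status = RESOLVED


def refresh_snooze(issue: Issue, now: datetime) -> None:
    """Assumption: once the snooze period passes, the issue is active again."""
    if issue.ignore_reason == "snooze" and issue.snooze_until and now >= issue.snooze_until:
        issue.status, issue.ignore_reason, issue.snooze_until = ACTIVE, None, None


def should_notify(issue: Issue) -> bool:
    """Ignored issues produce no notifications; active and regressed ones do."""
    return issue.status in (ACTIVE, REGRESSION)


def visible(issues: Dict[str, Issue], now: datetime, show_ignored: bool = False) -> List[Issue]:
    """Default view filters ignored issues out unless the filter is changed."""
    for issue in issues.values():
        refresh_snooze(issue, now)
    return [i for i in issues.values() if show_ignored or i.status != IGNORED]


def reconcile_rescan(issues: Dict[str, Issue], found: Dict[str, str], now: datetime) -> Dict[str, Issue]:
    """Apply a fresh scan (fingerprint -> detector) to the known issues.

    - unknown fingerprint: new active issue
    - resolved issue found again: regression
    - active (or regressed) issue not found: auto-resolved
    - ignored issues are left as they are (assumption: the page does not say)
    """
    for issue in issues.values():
        refresh_snooze(issue, now)
    for fp, detector in found.items():
        if fp not in issues:
            issues[fp] = Issue(fp, detector)
        elif issues[fp].status == RESOLVED:
            issues[fp].status = REGRESSION
    for fp, issue in issues.items():
        if fp not in found and issue.status in (ACTIVE, REGRESSION):
            issue.status = RESOLVED
    return issues


if __name__ == "__main__":
    now = datetime(2024, 1, 1)  # constructed timestamp
    known = {"a": Issue("a", "CLD001"), "b": Issue("b", "CLD001"), "c": Issue("c", "CLD001")}
    resolve(known["a"])
    ignore(known["b"], "snooze", now, snooze_days=7)
    reconcile_rescan(known, {"a": "CLD001", "b": "CLD001", "d": "CLD001"}, now)
    for issue in visible(known, now):
        print(issue.fingerprint, issue.status, "notify" if should_notify(issue) else "quiet")
```

Running the demo prints `a` as a regression, `c` as auto-resolved, `d` as a new active issue, and omits the snoozed `b` until its period expires.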

Assign

SpectralOps Assign

You can assign an issue to a teammate. They will be notified that they have an issue to handle. You can filter issues to see the issues assigned to any teammate.

External change management

You can create a ticket in Jira or Monday for any issue discovered by SpectralOps.
After setting up your integration, select the issue and click the "Assign" button.
Select the Jira project in which you would like to open an issue, add a summary of the problem and edit the description.
Once you create a Jira issue, a "Jira" label will be assigned to the Spectral issue so you can track the progress in Jira.

Export

Export the issue so you can share it with other people or create reports. You have two options for exporting the data: PDF or CSV.

export issues

Exported report fields:

  • Assets - asset details/location
  • Team - the team that owns the asset
  • Branch - the branch in which the item was discovered
  • Asset type/Path - asset type and its location (mainly for code)
  • Detector - the detector ID of the issue
  • Description - the detector description
  • Content - classification of the asset (code/infra, examples, docs, tests)
  • Is Ignored - whether the issue is ignored
  • Severity - the severity of the issue
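The exported CSV carries exactly the fields needed to reproduce the prioritization the Severity and Content sections describe: rank by severity first, then by content classification, drop ignored issues by default, and flag lower-priority content (examples/docs/tests) that still carries a Critical or High severity so it gets validated before anyone ignores it. This is an added example, not SpectralOps code; the sample report, the content ordering (code/infra, then examples/docs, then tests) and the `DET-PLACEHOLDER` detector ID are constructed for the example and are not real SpectralOps values.

```python
import csv
import io
from collections import Counter
from typing import Dict, List

# Severity order as listed on the page, most urgent first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}
# Assumption: code/infra first, examples/docs next, tests last.
CONTENT_RANK = {"code": 0, "infra": 0, "examples": 1, "docs": 1, "tests": 2}
LOWER_PRIORITY_CONTENT = {"examples", "docs", "tests"}

# Constructed sample export using the field names from the page. The asset
# names, paths and DET-PLACEHOLDER detector ID are made up for this example.
SAMPLE_REPORT = """Assets,Team,Branch,Asset type /Path,Detector,Description,Content,Is Ignored,Severity
acme/payments,Payments,main,git / src/config.py,CLD001,Visible AWS Key,code,false,Critical
acme/payments,Payments,main,git / docs/setup.md,CLD001,Visible AWS Key,docs,false,Critical
acme/web,Web,feature/login,git / tests/fixtures.py,CLD001,Visible AWS Key,tests,true,Critical
acme/web,Web,main,git / infra/main.tf,DET-PLACEHOLDER,Placeholder IaC finding,infra,false,Medium
acme/web,Web,main,git / examples/demo.py,DET-PLACEHOLDER,Placeholder finding,examples,false,Low
"""


def load_report(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export into one dict per issue, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def is_ignored(row: Dict[str, str]) -> bool:
    return row["Is Ignored"].strip().lower() in {"true", "yes", "1"}


def triage_key(row: Dict[str, str]):
    """Sort key: severity first, then content classification; unknowns go last."""
    return (SEVERITY_RANK.get(row["Severity"].strip(), len(SEVERITY_RANK)),
            CONTENT_RANK.get(row["Content"].strip().lower(), len(CONTENT_RANK)))


def triage_queue(rows: List[Dict[str, str]], include_ignored: bool = False) -> List[Dict[str, str]]:
    """Issues in the order a triager should work them; ignored ones hidden by default."""
    candidates = [r for r in rows if include_ignored or not is_ignored(r)]
    return sorted(candidates, key=triage_key)  # stable: equal keys keep export order


def needs_validation(row: Dict[str, str]) -> bool:
    """Lower-priority content with Critical/High severity: check before ignoring."""
    content = row["Content"].strip().lower()
    return content in LOWER_PRIORITY_CONTENT and SEVERITY_RANK.get(row["Severity"].strip(), 99) <= 1


def severity_counts(rows: List[Dict[str, str]]) -> Counter:
    """How many non-ignored issues sit at each severity."""
    return Counter(r["Severity"].strip() for r in rows if not is_ignored(r))


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print(dict(severity_counts(report)))
    for row in triage_queue(report):
        flag = " (validate before ignoring)" if needs_validation(row) else ""
        print(row["Severity"], row["Content"], row["Asset type /Path"], row["Detector"] + flag)
```

The Critical finding in `docs/setup.md` sorts right after the one in `src/config.py` and is flagged for validation, which is the point of the Content section: lower priority does not mean safe to ignore unchecked.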