Investigate security insights


Monitor and analyze your security scan results through the security insights dashboard to identify vulnerabilities, track resolution progress, and assess security posture across components. The dashboard provides comprehensive views of scan results, SLA compliance, and vulnerability trends to help you prioritize and manage security issues effectively.

If you are using CI Multibranch Pipelines, you must configure your Jenkinsfile to install the scanner, run it, and display the report; otherwise, scanning data does not appear in security insights.

Use the following features to access the data on this dashboard:

  • Hover to display the full content for any data that is truncated with an ellipsis (…).

  • Use scroll bars (vertical and horizontal) to display hidden content.

Access security insights dashboard

To access the security insights dashboard:

  1. Select Analytics, and then select Security insights.

The security insights dashboard loads with default filtering showing all components and the last seven days of data.

Filter dashboard data

Select components and the time frame of data for analysis in the security insights dashboard.

To filter the dashboard data:

  1. Select FILTER.

  2. Select one or more Components from the options.

  3. Select a Duration from the following options:

    Table 1. Duration filter definitions

    Duration          Definition
    Current week      Current week in the month, Monday to Sunday schedule. For example, if the current day is Tuesday, only data from Monday and Tuesday is displayed.
    Previous week     Previous week in the month, Monday to Sunday schedule.
    Two weeks back    Two weeks prior in the month, Monday to Sunday schedule.
    Current month     First day of the current month up to the current day.
    Previous month    First day to last day of the previous month.
    Two months back   First day to last day of two months prior.
    Last 7 days       The past seven days.
    Last 30 days      The past 30 days.
    Last 90 days      The past 90 days.
    Custom range      A time frame with start and end dates that you select (see Set a custom date range).

  4. Select APPLY.

The data are filtered accordingly and displayed in the security insights dashboard.

Set a custom date range

To set a custom date range:

  1. Select FILTER.

  2. Select Custom range.

  3. Select dates for the time frame start and end.

The custom date range is set accordingly and displayed in blue on the date picker. You can view the analytics data for any desired time frame.

Customize the dashboard

Customize the dashboard to display only the charts and tables that matter the most to you.

Only charts and tables with Delete in the upper-right corner can be edited.

To customize the dashboard:

  1. Select Analytics on the left pane, and then select the dashboard.

  2. Select Vertical ellipsis on the top right of the dashboard.

  3. Select Edit dashboard.

  4. (Optional) Remove a chart or table from the dashboard.

    1. Select Delete next to the chart or table you want to remove.

    2. Select Save.

  5. (Optional) Add back a chart or table to the dashboard.

    1. Select Add chart/table to display a list of the available charts or tables.

    2. Select Add to dashboard next to the item to add.

    3. Select Apply.

  6. (Optional) Rearrange items on the dashboard by dragging them into place.

The dashboard is customized accordingly.

Analyze components and workflow data

Get an overview of components, workflows, and workflow runs for the filtered component data in a specified time frame.

The components, workflows, and workflow runs charts include total numbers and those with and without scanning:

Figure 1. Example Components, Workflows, and Workflow runs charts.

Each chart displays the following details (highlighted in the Components chart):

  1. Total number

  2. A donut chart of percentages with and without scanners

  3. Number with associated scanners

  4. Number without associated scanners

The Components chart also displays the number of associated repositories, and the Workflows chart displays the number of associated branches.

View components details

To view components details:

  1. Select a number in the components chart.

The system displays a list showing:

  • Component name

  • Repository URL

  • Status

  • Last activity date and time

If you select a section of the donut chart, or the active or inactive numbers, the data displayed is for only that subset of components.

In the components list, perform any of the following:

  • Select FILTER to filter by scanner type.

    Figure 2. Filtering the component list with scanners only.
  • Search for specific components by entering all or part of a component name into Search.

  • Select a component name to display runs from that component in a new browser tab.

View workflows details

To view workflows details:

  1. Select a number in the workflows chart.

The system displays a list showing:

  • Workflow name

  • Component name

  • Branch name

  • Status

  • Last activity date and time

If you select a section of the donut chart, or the numbers with or without scanners, the data displayed is for only that subset of workflows.

In the workflows list, perform any of the following:

  • Select FILTER to filter with scanners or without scanners.

  • Search for specific workflows by entering all or part of a workflow name, component name, or branch into Search.

  • Select a component name to display runs from that component in a new browser tab.

View workflow runs details

To view workflow runs details:

  1. Select a number in the workflow runs chart.

The system displays a list showing:

  • Run ID

  • Workflow name

  • Component name

  • Branch name

  • Scanner name, if present, or No scanners alert

  • Scanning status

If you use scanners for workflow runs, the scan status displays as Scanned or Not scanned. Otherwise, the scan status displays as Not applicable. If you select a section of the donut chart, or the numbers with or without scanners, the data displayed is for only that subset of workflow runs.

In the workflow runs list, perform any of the following:

  • Select FILTER to filter with scanners or without scanners.

  • Search by entering all or part of a workflow name, component name, or branch into Search.

  • Select a run ID to display run detail in a new browser tab.

  • Select a component name to display runs from that component in a new browser tab.

Examine vulnerability overview

Get an overview of vulnerabilities for the filtered component data in a specified time frame. A unique code signature defines each vulnerability. In this way, you can track issues over time, and recurring issues are not treated as newly found.

CloudBees Unify can detect fixed vulnerabilities. When a vulnerability is detected as fixed, the following occurs:

  • The status is updated to Resolved.

  • The first discovery timestamp is cleared.

  • The current scan time is taken to be the resolved time.

Vulnerabilities are divided into four different status groups:

Table 2. Definition of vulnerability status groups.

Status group    Detected in current scan    Detected in previous scan
Found           Yes                         No
Reopened        Yes                         Marked resolved
Resolved        No                          Yes (last known status open or reopened)
Open            Yes                         Yes
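The following added example (not CloudBees Unify code) replays Table 2 and the "fixed vulnerability" rules above over a constructed history of three scans. It assumes each finding is identified by a stable signature string standing in for the page's unique code signature, and that the scan time of a reopening scan becomes the new first discovery time; both are assumptions, not documented behaviour.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Dict, Iterable, Optional

UNRESOLVED = ("Found", "Reopened", "Open")


@dataclass(frozen=True)
class Tracked:
    """State kept per unique code signature between scans."""
    signature: str
    status: str                             # Found, Reopened, Open or Resolved
    first_discovered: Optional[datetime]    # cleared when the finding is resolved
    resolved_at: Optional[datetime] = None  # time of the scan that marked it Resolved


def classify_scan(previous: Dict[str, Tracked], current: Iterable[str],
                  scan_time: datetime) -> Dict[str, Tracked]:
    """Apply Table 2 to one scan. `previous` is the state after the last scan,
    `current` the set of signatures reported by this scan."""
    current = set(current)
    updated: Dict[str, Tracked] = {}
    for sig in current | set(previous):
        prev = previous.get(sig)
        seen_now = sig in current
        if seen_now and prev is None:
            # Found: in the current scan, not in the previous one
            updated[sig] = Tracked(sig, "Found", scan_time)
        elif seen_now and prev.status == "Resolved":
            # Reopened: in the current scan, previously marked resolved.
            # Assumption: the reopening scan becomes the new first discovery.
            updated[sig] = Tracked(sig, "Reopened", scan_time)
        elif seen_now:
            # Open: present in both the previous and the current scan
            updated[sig] = replace(prev, status="Open")
        elif prev.status in UNRESOLVED:
            # Resolved: absent now, last known status unresolved. First discovery
            # is cleared and the current scan time becomes the resolved time.
            # Assumption: a Found finding that disappears is resolved as well.
            updated[sig] = Tracked(sig, "Resolved", None, scan_time)
        else:
            updated[sig] = prev  # already resolved, nothing changes
    return updated


def overview_totals(state: Dict[str, Tracked]) -> Dict[str, int]:
    """The four totals shown in the Vulnerabilities overview."""
    totals = {"Found": 0, "Reopened": 0, "Resolved": 0, "Open": 0}
    for t in state.values():
        totals[t.status] += 1
    return totals


# Constructed scan history (signature sets reported by three consecutive scans).
SCANS = [
    (datetime(2024, 6, 1, 9), {"sig-A", "sig-B"}),
    (datetime(2024, 6, 2, 9), {"sig-B", "sig-C"}),
    (datetime(2024, 6, 3, 9), {"sig-A", "sig-C"}),
]


def replay(scans=SCANS) -> Dict[str, Tracked]:
    state: Dict[str, Tracked] = {}
    for scan_time, sigs in scans:
        state = classify_scan(state, sigs, scan_time)
    return state


if __name__ == "__main__":
    final = replay()
    for sig, t in sorted(final.items()):
        print(sig, t.status, t.first_discovered, t.resolved_at)
    print(overview_totals(final))
```

After the third scan, sig-A is Reopened, sig-B is Resolved with its first discovery cleared, and sig-C is Open; the overview totals are Found 0, Reopened 1, Resolved 1, Open 1.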

The Vulnerabilities overview provides the number of vulnerabilities grouped by status:

Figure 3. Hovering over a date in a Vulnerabilities overview example.

The overview includes the following:

  1. Total Found, Reopened, Resolved, and Open vulnerabilities. Select a total to display details for just that vulnerability status group.

  2. Hover over a date to display the number of vulnerabilities in each status for that date, or select it to display the details for vulnerabilities on that date.

Investigate vulnerability details

To investigate specific vulnerability details:

  1. Select vulnerability status totals or dates in the vulnerabilities overview chart.

The system displays vulnerability details including:

  • Vulnerability ID

  • First discovered date and time

  • Vulnerability name

  • Status

  • Severity: Rated by the security tool as Low, Medium, High, or Critical.

  • Number of impacted components

In the vulnerability details list, perform any of the following:

  • Select FILTER to filter by status.

  • Search by entering all or part of one of the following into Search:

    • Vulnerability ID

    • Vulnerability name

    • First discovered date and time

    • Severity

  • Select the Circle arrow next to a vulnerability ID to display a table showing:

    • Last discovered date and time

    • Component name: select to display runs from that component in a new browser tab.

    • Branch name

    • Scanner name

    • Number of occurrences

    • SLA status

    • Vulnerability status

      Figure 4. Vulnerabilities list with a highlighted icon to open the table.

Monitor vulnerability age and severity

The ages of open and reopened vulnerabilities for the filtered component data in a specified time frame are plotted on box and whisker plots, grouped by severity. Each plot displays the distribution of ages through its quartiles.

How to interpret the box plots:

  • The plot box for a given severity group represents the middle 50% of vulnerability ages.

  • The bisecting line of the box represents the median age.

  • The plot whiskers represent the minimum and maximum ages for that severity group.

Figure 5. Hovering over the low severity status group plot.

The Open and reopened vulnerabilities chart includes the following:

  1. Total Critical, High, Medium, and Low severities of vulnerabilities. Select a total to display details for just that severity group.

  2. The Critical box plot has a small spread, indicating that the issues of this severity are resolved promptly.

  3. The Medium box plot has a wide spread, indicating that issues of this severity sometimes have a delayed resolution.

  4. Hover over a severity group to display the minimum, median, and maximum days open, or select it to display details for just the vulnerabilities at that severity level.

View open and reopened vulnerability details

To view detailed information about open and reopened vulnerabilities:

  1. Select severity totals or box plots in the open and reopened vulnerabilities chart.

In the details list, perform any of the following:

  • Select FILTER to filter by severity.

  • Search by entering all or part of one of the following into Search:

    • Vulnerability ID

    • First discovered date and time

    • Vulnerability name

    • Severity

  • Select the Circle arrow next to a vulnerability ID to display the following for that vulnerability:

    • Last discovered date and time

    • Component name: select to display runs from that component in a new browser tab.

    • Branch name

    • Scanner name

    • Number of occurrences

    • SLA status

Review scan type coverage

Get an overview of scan types in workflows for the filtered component data in a specified time frame.

The scan types are Container, DAST, SAST, and SCA.

The Scan types in workflows chart provides the number of workflows and runs grouped by scan type:

Figure 6. Example of hovering over the Container group in the scan types chart.

To review scan type coverage:

  • Hover over a scan type to display the number of workflows and runs with that type.

  • Select either a workflows bar or a runs bar to display a list of scan details.

View scan details

To view detailed scan information:

  1. Select workflow or run bars in the scan types chart.

The scan details list includes:

  • Build number

  • Workflow name

  • Component name

  • Branch name

  • Scan type: Container, DAST, SAST, or SCA.

  • Scanner name

Perform any of the following:

  • Select FILTER to filter by scan type.

  • Search by entering all or part of one of the following into Search:

    • Workflow name

    • Component name

    • Branch name

    • Scan type: Container, DAST, SAST, or SCA.

    • Scanner name

  • Select a Build # to display the run details in a new browser tab.

Analyze vulnerabilities by scan type

Get an overview of vulnerabilities grouped by scan type for the filtered component data in a specified time frame.

The vulnerabilities by security scan type chart displays the number of vulnerabilities, grouped by scan type:

Figure 7. Hovering over a scan type in the vulnerabilities chart.

To analyze vulnerabilities by scan type:

  1. Review total vulnerabilities with Container, DAST, SAST, or SCA scan types. Select a total to display a list of vulnerability details for just that scan type.

  2. Hover to display the number of vulnerabilities in a given scan type, grouped by severity.

  3. Select a bar on the graph to display vulnerability details for just that scan type and severity.

View vulnerability details by scan type

To view vulnerability details filtered by scan type:

  1. Select scan type totals or bars in the vulnerabilities by scan type chart.

The list of vulnerability details displays the following:

  • Vulnerability ID

  • First discovered date and time

  • Vulnerability name

  • Severity: Rated by the security tool as Low, Medium, High, or Critical

  • Scan type

  • Number of impacted components

In the list, perform any of the following:

  • Select FILTER to filter by scan type and/or severity.

  • Search by entering all or part of any column item (except for Number of impacted components) into Search.

  • Select the Circle arrow next to a vulnerability ID to display the following for that vulnerability:

    • Last discovered date and time

    • Component name: select to display runs from that component in a new browser tab.

    • Branch name

    • Scanner name

    • Number of occurrences

    • SLA status

    • Vulnerability status

Track SLA compliance

Get an overview of vulnerability occurrence and SLA status for the filtered component data in a specified time frame.

All open vulnerabilities are grouped by SLA status, defined as how long each has remained unresolved:

  • On track: Open less than two days.

  • At risk: Open more than two days but less than three days.

  • Breached: Open three days or more, which exceeds the allowed SLA resolution time.

All resolved vulnerabilities are grouped by SLA status, defined as how long each remained unresolved:

  • Within SLA: Resolved within three days.

  • Breached: Resolved after three days or more, which exceeds the allowed SLA resolution time.

The SLA status overview by occurrences chart provides the number of vulnerabilities grouped by their status and their SLA status:

Figure 8. An example overview chart of vulnerabilities grouped by SLA status.

The overview includes the following:

  1. Totals of Open vulnerabilities by SLA status.

  2. Totals of Resolved vulnerabilities by SLA status.

To track SLA compliance:

  1. Select a bar on the chart to display details for just that status group.

View SLA status details

To view detailed SLA information:

  1. Select SLA status bars in the SLA overview chart.

The list of SLA status details includes the following:

  • First discovered date and time

  • Vulnerability name

  • Component name

  • Severity: Rated by the security tool as Low, Medium, High, or Critical.

  • SLA status

  • Vulnerability status

In the list, perform any of the following:

  • Select FILTER to filter by SLA status.

  • Search by entering all or part of any column item into Search.

Evaluate mean time to resolve (MTTR)

The mean time to resolve (MTTR) is a metric to track how long it takes to fix vulnerabilities. MTTR is calculated as the time in hours from the time of first discovery of a vulnerability to the time of the scan when it is marked Resolved. Get an understanding of the MTTR for vulnerabilities (grouped by severity) for the filtered component data in a specified time frame.

All vulnerabilities included in the MTTR data must be marked as resolved by a scan and must have a valid first discovery date and time.
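The following added example (not CloudBees Unify code) applies the SLA status thresholds from Track SLA compliance and the MTTR rule above to a constructed set of vulnerability records. It assumes that a record marked Resolved keeps its first discovery time so that resolution time can be computed, that exactly two days open counts as At risk, and that `now` is the evaluation time for open vulnerabilities.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: str                           # Critical, High, Medium or Low
    status: str                             # Found, Reopened, Open or Resolved
    first_discovered: Optional[datetime]    # None when not known
    resolved_at: Optional[datetime] = None  # time of the scan that marked it Resolved


AT_RISK_AFTER = timedelta(days=2)   # open this long: At risk
SLA_LIMIT = timedelta(days=3)       # open this long: Breached


def sla_status(v: Vulnerability, now: datetime) -> Optional[str]:
    """SLA status as defined on the page; None when it cannot be computed."""
    if v.first_discovered is None:
        return None
    if v.status == "Resolved":
        if v.resolved_at is None:
            return None
        open_for = v.resolved_at - v.first_discovered
        return "Within SLA" if open_for < SLA_LIMIT else "Breached"
    open_for = now - v.first_discovered
    if open_for < AT_RISK_AFTER:
        return "On track"
    if open_for < SLA_LIMIT:
        return "At risk"      # assumption: exactly two days counts as At risk
    return "Breached"


def sla_overview(vulns: Iterable[Vulnerability], now: datetime) -> Dict[str, Dict[str, int]]:
    """Counts behind the SLA status overview chart: Open and Resolved groups."""
    counts = {"Open": defaultdict(int), "Resolved": defaultdict(int)}
    for v in vulns:
        s = sla_status(v, now)
        if s is None:
            continue
        group = "Resolved" if v.status == "Resolved" else "Open"
        counts[group][s] += 1
    return {g: dict(c) for g, c in counts.items()}


def mttr_hours_by_severity(vulns: Iterable[Vulnerability]) -> Dict[str, float]:
    """MTTR in hours per severity. Only vulnerabilities marked Resolved by a
    scan and with a valid first discovery time are included."""
    hours = defaultdict(list)
    for v in vulns:
        if v.status != "Resolved" or v.resolved_at is None or v.first_discovered is None:
            continue
        hours[v.severity].append((v.resolved_at - v.first_discovered).total_seconds() / 3600)
    return {sev: sum(h) / len(h) for sev, h in hours.items()}


# Constructed sample records evaluated at NOW.
NOW = datetime(2024, 6, 10, 12)
SAMPLE = [
    Vulnerability("V1", "Critical", "Open", datetime(2024, 6, 9, 12)),                            # 24 h open
    Vulnerability("V2", "High", "Open", datetime(2024, 6, 8, 0)),                                 # 60 h open
    Vulnerability("V3", "Medium", "Reopened", datetime(2024, 6, 5, 12)),                          # 120 h open
    Vulnerability("V4", "Critical", "Resolved", datetime(2024, 6, 1, 0), datetime(2024, 6, 2, 12)),  # 36 h
    Vulnerability("V5", "Critical", "Resolved", datetime(2024, 6, 1, 0), datetime(2024, 6, 4, 12)),  # 84 h
    Vulnerability("V6", "Low", "Resolved", None, datetime(2024, 6, 3, 0)),                        # no first discovery
]

if __name__ == "__main__":
    print(sla_overview(SAMPLE, NOW))
    print(mttr_hours_by_severity(SAMPLE))
```

V6 has no first discovery time, so it is excluded from both the SLA overview and the MTTR; the Critical MTTR is the mean of 36 and 84 hours.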

The MTTR for vulnerabilities chart displays the MTTR of vulnerabilities, grouped by severity:

Figure 9. Hovering over a date to display the MTTR by severity.

To evaluate MTTR:

  1. Review MTTRs grouped by severity, as rated by the security tool: Critical, High, Medium, or Low. Select an MTTR to display its details.

  2. Hover over a date to display the MTTR by severity. Select a bar on the chart to display the details list for that date and severity.

View MTTR details

To view detailed MTTR information:

  1. Select MTTR totals or bars in the MTTR chart.

The details list includes the following:

  • Vulnerability ID

  • First discovered date and time

  • Average resolution time

  • Severity

  • Resolved areas

Perform the following in the details list:

  • Select FILTER to filter by severity.

  • Search by entering all or part of any column item (except for Resolved areas) into Search.

  • Select the Circle arrow next to a vulnerability ID to display the following for that vulnerability:

    • Last discovered date and time

    • Component name: select to display runs from that component in a new browser tab.

    • Branch name

    • Scanner name

    • Resolution time

    • SLA status

Examine CWE Top 25 vulnerabilities

The Common Weakness Enumeration (CWE™) Top 25 is a community-developed list of common software weaknesses. Get an understanding of components impacted by any of the CWE Top 25 vulnerabilities for the filtered component data in a specified time frame.

The CWE Top 25 chart displays the following:

  • CWE ID

  • Vulnerability name

  • Number of impacted components

To examine CWE Top 25 vulnerabilities:

  1. Select a component number to display CWE Top 25 occurrences details.

View CWE Top 25 occurrences details

To view detailed information about CWE Top 25 vulnerability occurrences:

  1. Select component numbers in the CWE Top 25 chart.

The CWE Top 25 details display:

  • Vulnerability ID

  • First discovered date and time

  • Vulnerability name

  • Severity

  • Number of impacted components

Figure 10. Example CWE Top 25 vulnerability details.

Perform the following:

  1. Select FILTER to filter by vulnerability ID.

  2. Search by entering all or part of any column item (except for Number of impacted components) into Search.

  3. Select the Circle arrow next to a vulnerability ID to display:

    • Last discovered date and time

    • Component name

    • Branch name

    • Scanner name

    • Number of occurrences

    • SLA status

  4. Select a component name to display runs from that component in a new browser tab.

  5. Select an occurrence number to display the following:

    • Repository URL: select to go to the URL.

    • Locations (file name and line numbers)

    • Message

Figure 11. Example of selecting a CWE Top 25 occurrence.

Compare metrics

Use this feature to compare metrics among all organizations in the tenant. You can compare metrics within select charts in the analytics dashboards. In the generated list of all organizations, sort by the organization name or its status. Select an organization to drill down to the component level to display a more fine-grained status list. Hover over a status item to display more information.

You can only compare metrics for charts with Two arrows on the upper right.

To compare metrics:

  1. Select Analytics on the left pane, and then select a dashboard.

  2. Select any Two arrows on the upper right of a chart to display the list of organizations and their status.

    The number of items in the compare metrics list equals the total displayed in the chart.
  3. (Optional) Hover over a status to display more information.

  4. (Optional) Select Sort down or Sort up next to a column heading to sort on that heading.

  5. (Optional) Select an organization to list more information about each child organization and/or component within that organization.

  6. (Optional) Select a child organization to list more details about each child organization and/or component within that child organization.

The list of the status of all organizations and components for the specific metric is displayed.

Troubleshoot security insights issues

Address common issues when Security insights data is not appearing or appears incomplete in the dashboard.

Missing scanner results

Security insights require properly configured security scanners that publish results in supported formats.

Problem: Security insights show no scan results

Solution: Check that security scanners publish results in supported formats and that workflow runs complete successfully. Verify scanner configuration and output formatting.

To resolve missing scanner results:

  1. Review workflows that should include security scanning.

  2. Confirm security scanners publish results in supported formats (SARIF, JSON).

  3. Check that workflow runs complete successfully with security scanning steps.

  4. Verify scan results appear in workflow run details after execution.

Security insights populate automatically when workflows execute with proper security scanning configuration.

Invalid scanner result formats

Security scanners must produce results in formats that CloudBees Unify can process.

To check scanner result formatting:

  1. Review scanner output in completed workflow runs.

  2. Verify scan results follow SARIF or JSON format specifications.

  3. Check scanner documentation for output format configuration options.

  4. Ensure scanner results are properly uploaded to workflow artifacts.

Incompatible result formats prevent security insights from populating.
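The following added example (not CloudBees Unify code) is a structural check for the SARIF case in the steps above: it verifies the SARIF 2.1.0 fields any consumer needs (version, runs, tool driver name, results with a message and a rule) and distinguishes a malformed file from a valid file whose scan simply found nothing. It checks the SARIF specification only, not Unify's own ingestion rules, which the page does not document; the sample documents are constructed.

```python
import json
from typing import List


def check_sarif(text: str) -> List[str]:
    """Return the problems that would stop a SARIF 2.1.0 file from being
    ingested; an empty list means the file is structurally usable."""
    problems: List[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    if doc.get("version") != "2.1.0":
        problems.append("version must be the string '2.1.0'")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty array"]
    for i, run in enumerate(runs):
        driver = (run.get("tool") or {}).get("driver") or {}
        if not driver.get("name"):
            problems.append(f"runs[{i}].tool.driver.name is missing")
        results = run.get("results")
        if not isinstance(results, list):
            problems.append(f"runs[{i}].results is missing")
            continue
        if not results:
            # Valid SARIF, but a clean scan: the dashboard will show zero findings
            problems.append(f"runs[{i}].results is empty (scan reported no findings)")
        for j, r in enumerate(results):
            if "message" not in r:
                problems.append(f"runs[{i}].results[{j}] has no message")
            if "ruleId" not in r and "rule" not in r:
                problems.append(f"runs[{i}].results[{j}] identifies no rule")
    return problems


# Constructed sample: a minimal valid SARIF log with one finding.
GOOD_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [{
            "ruleId": "EXAMPLE-001",
            "level": "error",
            "message": {"text": "Example finding"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app.py"},
                "region": {"startLine": 12}}}],
        }],
    }],
})

# Constructed sample: wrong version, no driver name, result without a message.
BAD_SARIF = json.dumps({
    "version": "2.0.0",
    "runs": [{"tool": {}, "results": [{"ruleId": "EXAMPLE-001"}]}],
})

if __name__ == "__main__":
    for label, text in (("good", GOOD_SARIF), ("bad", BAD_SARIF)):
        print(label, check_sarif(text) or "ok")
```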