The application and component security centers in CloudBees Unify provide operational interfaces for managing security findings from discovery through remediation. Understanding security center workflows is essential for both security teams who need to prioritize and track security remediation, and development teams who need to understand their security responsibilities and resolution processes.
Security findings lifecycle and terminology
The security centers organize security data around issues and findings that flow through systematic workflows rather than remaining as static scan results:
-
An issue represents a security problem type identified by security tools, for example, a SQL injection vulnerability or an outdated dependency with known exploits.
-
A finding represents a specific occurrence of that issue in a particular location, such as line 47 of database.py or version 2.1.4 of a logging library in a specific application.
Security tools generate findings during both implicit security analysis triggered by code changes and explicit security scans configured in workflows. These findings populate the security centers with severity ratings determined by the discovering tool. Each finding is rated critical, high, medium, or low, which influences prioritization and service level agreement (SLA) tracking.
The security center transforms raw security tool outputs into structured workflows that support systematic remediation rather than ad-hoc security responses. Findings begin as "unreviewed" and progress through triage, remediation, and resolution states that maintain accountability while preserving development velocity.
Component vs application security perspectives
CloudBees Unify provides application and component security centers because security management operates at different organizational levels with distinct operational needs.
Component security centers focus on individual source code repositories and support development team workflows. Developers use component security centers to understand security issues within the code they actively maintain, see findings in the context of specific files and line numbers, and track remediation progress through their normal development processes. Component-level security aligns with development team responsibilities and integrates directly with source control platforms for contextual remediation.
Application security centers focus on deployed assets across environments and support business risk management. Security leaders and application owners use application security centers to assess risk exposure across multiple components that comprise business applications, understand security posture in production environments, and track remediation efforts across development teams. Application-level security enables portfolio-wide risk assessment and compliance reporting.
Cross-component risk aggregation consolidates security findings from multiple repositories, containers, and dependencies to show cumulative security exposure for entire applications. Business impact assessment considers collective security risk rather than treating component findings as independent issues. For example, a medium-severity vulnerability in a critical authentication component may warrant higher priority than high-severity findings in non-essential utility libraries.
Portfolio comparison across applications helps security leaders understand relative security posture and allocate remediation resources appropriately, while trend analysis validates the effectiveness of security initiatives over time.
Multi-team coordination visibility enables identification of security remediation bottlenecks across development teams that may not be apparent when examining individual component security. Application-level SLA management provides business context for security timeline accountability, showing whether cumulative security risk reduction meets organizational expectations even when individual components meet their technical SLAs.
Application-level triage decisions incorporate business impact assessment and operational constraints, requiring appropriate business authority approval for risk acceptance decisions that affect customer-facing functionality, sensitive data processing, or regulatory compliance requirements.
The same underlying security findings serve both perspectives, but component centers emphasize development context while application centers emphasize business context. This dual perspective ensures that security findings receive appropriate attention from both the teams responsible for remediation and the leaders responsible for risk management.
Security finding triage workflows
Systematic triage transforms security findings from technical observations into business-relevant action items. Rather than treating all security findings as equally urgent, triage workflows enable informed decision-making that considers both technical severity and business context.
When security scans detect issues, findings enter the security center with "unreviewed" status. This default state acknowledges that automated security tools, while comprehensive, cannot assess business relevance or operational context that affects remediation priority. Human assessment remains necessary to distinguish between critical security risks that demand immediate attention and technical findings that may be acceptable within specific business contexts.
The triage process categorizes findings into three outcomes: fix required, risk accepted, or false positive. Fix required indicates that the finding represents a genuine security risk that warrants remediation within normal development workflows. Risk accepted acknowledges that the finding represents a real security issue, but one that falls within organizational risk tolerance given compensating controls, business priorities, or operational constraints. False positive indicates that the security tool incorrectly identified a security issue where none actually exists.
This categorization enables focused remediation efforts by ensuring development teams receive prioritized, actionable security guidance rather than overwhelming lists of technical findings. Security teams can concentrate oversight on genuine risks while avoiding unnecessary friction from security findings that don’t warrant immediate action.
Approval workflows and oversight
Security oversight operates through systematic approval processes rather than unilateral security decisions. Risk acceptance and false positive determinations require approval from users with appropriate organizational authority, typically organization owners or administrators, rather than allowing individual developers or security analysts to make these determinations independently.
This approval requirement serves multiple organizational oversight purposes. Risk acceptance decisions affect organizational security posture and may have compliance implications that require senior review. False positive determinations, if incorrect, could allow genuine security vulnerabilities to remain unaddressed. The approval workflow ensures that security decisions receive appropriate oversight while preserving development team autonomy for clearly actionable findings.
Expiration dates prevent permanent risk acceptance without periodic review. Risk accepted findings automatically revert to "unreviewed" status after their expiration period, which defaults to 90 days but can be set when the risk acceptance is submitted or approved. This forces organizations to regularly reassess whether previously accepted risks remain acceptable given changing threat landscapes, business priorities, or compensating controls. For details on setting the expiry date, refer to application-security:how-to-guides/triage-security-findings.adoc#triage-findings.
Approval workflows create accountability structures that balance development efficiency with security oversight. Development teams can continue normal development activities while security decisions that affect organizational risk posture receive appropriate oversight.
Integration with development and remediation processes
Security center workflows integrate with existing development practices rather than creating parallel security-specific processes. Security findings include direct links to source code locations, enabling developers to understand security issues within their familiar development context rather than requiring specialized security tools or interfaces.
Automatic resolution detection connects security findings to remediation activities through existing source control integration. When developers fix underlying security issues and commit changes, source control platforms inform CloudBees Unify, which triggers new security scans. If subsequent scans confirm that the security issue no longer exists, the finding automatically transitions to "resolved" status without requiring manual administrative updates.
SLA management creates accountability for security remediation while preserving development velocity. Rather than blocking development activities until security issues resolve, SLA tracking provides visibility into remediation timelines and identifies findings that require escalation or additional resources. SLA breaches highlight security issues that may need management attention, but they don’t prevent ongoing development work.
Security center data supports broader security reporting and compliance needs by maintaining historical records of security analysis, triage decisions, and remediation activities. This comprehensive tracking enables audit support, trend analysis, and security program effectiveness measurement without requiring separate compliance processes or documentation.
The integration approach ensures that security becomes a natural part of development quality rather than a separate concern requiring specialized tools or processes. Security findings flow through the same interfaces and workflows that development teams use for other operational concerns, promoting collaboration rather than creating adversarial relationships between security and development teams.