Integration overview
A security tool integration enables teams to automatically verify that security tasks have been implemented, and identifies which requirements the tools are unable to verify. Using the SD Elements integration provides a much broader visibility of risk than using a scanning solution on its own.
Process
A security tool integration follows the steps below.
-
Import an analysis result from the scanning tool using file upload or remote web service.
-
Compare all potential vulnerabilities that the scanning tool can find with the tasks in SD Elements.
-
If the scanning tool does not cover the specific task, then there is no change to the verification status.
-
If the scanning tool does cover a task, then it marks the appropriate verification status.
-
See Verification status for more details.
-
If any vulnerability was found, the task will appear as "Fail".
-
Where possible, SD Elements provides a reference to more details in the scanning tool’s report.
-
-
All vulnerabilities found by the scanning tool that do not match with a task in SD Elements are enumerated in task T193: Review non-categorized/miscellaneous findings from automated analysis
|
|
Projects should select answer Project Settings→Development/Test Tools→Development Tools→Uses static or dynamic security code analysis to bring task T193: Review non-categorized/miscellaneous findings from automated analysis into a project. |
After an integration completes, a project member can examine the tasks and determine which require additional testing based on their verification status. Tasks having a verification status of No Status or Partial Pass should be tested further manually, or with an alternative tool.
Scan retention policy
SD Elements does not keep a copy of scan results once they are imported. If project settings are changed after importing a scan result, scan results will not correlate to any newly added tasks. As a result, we suggest that you only import scan data after you have completed modifying the project settings.