Understanding the Concert Secure Coder interface

After you install and authenticate the Concert Secure Coder extension, you can use the extension to scan code, review findings, and view security exposure information from IBM Concert.

The Concert Secure Coder extension includes the following tabs:
  • Home
  • File scans
  • Workspace scans
  • Concert exposures

Home tab

The Home tab provides a security overview for the repository that is currently open in your IDE.

From the Home tab, you can:
  • View the security status of the current repository.
  • Access file and workspace scan functions.
  • Synchronize scan results with IBM Concert.

To refresh security information, click Sync all scans.

Repository security overview

The security overview displays security data that IBM Concert reports for the repository that is currently open in the IDE.

Depending on the scanning capabilities that are enabled for your organization, the Home tab can display information such as:
  • Overall risk score
  • Vulnerable package issues
  • Static Application Security Testing (SAST) findings
  • Critical and high-severity vulnerabilities
  • Security issues that require attention

The information that is displayed varies based on the capabilities that are configured for your environment.

File scans tab

Use the File scans tab to scan the file that is currently open in your IDE.

The following file scan types are available:
  • Secrets detection: Scans the active file for exposed secrets and sensitive information.
  • Kubescape: Scans Kubernetes deployment manifest files (.yaml and .yml) for security vulnerabilities and configuration issues.

Workspace scans tab

Use the Workspace scans tab to scan an entire repository or workspace.

Note: Workspace scans support repositories up to 500 MB. If your repository exceeds this limit, reduce the scan scope before running a scan.

The following workspace scan types might be available, depending on your environment:
  • Secrets detection: Scans the entire repository for exposed secrets and sensitive information.
  • Static Application Security Testing (SAST): Scans source code for security vulnerabilities.
  • Software Composition Analysis (SCA): Scans open source dependencies for known vulnerabilities.

Note: SAST and SCA scan capabilities are optional and might not be enabled in all environments. If a capability is not enabled for your organization, the option remains visible in the interface but is unavailable.
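Both secrets detection entries above (the active-file scan on the File scans tab and the repository-wide scan on the Workspace scans tab) describe what the scan reports, not how such detection works. The following Python is an added illustration written for this page, not the extension's own scanning engine: it walks a constructed in-memory repository, applies a small hypothetical rule set (the rule names, patterns and file contents are all assumptions for this example), and reports each hit with the matched value redacted, as a findings panel should. The credential-shaped values are placeholder strings, not real secrets.

```python
"""Illustrative secrets scan over an in-memory repository (constructed example)."""
import re
from dataclasses import dataclass

# Constructed sample repository: path -> file contents. The values are
# placeholder-shaped strings, not real credentials.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DATABASE_URL = 'postgres://app:s3cretpass@db.internal:5432/app'\n"
    ),
    "src/client.go": "package client\n"
    + 'const token = "ghp_' + "X" * 36 + '"\n'
    + "func New() {}\n",
    # Names the variable but carries no value: a scanner that matches
    # secret-shaped values, not identifiers, should stay quiet here.
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
    "deploy/app.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: db\n",
}

# Hypothetical rule set: rule name -> compiled pattern. Production scanners ship
# far larger catalogues and add entropy checks; these four are for illustration.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "url-embedded-credential": re.compile(
        r"\b[a-z][a-z0-9+.\-]*://[^\s:/@'\"]+:[^\s@'\"]+@"
    ),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str  # redacted match, safe to show in a findings view or log


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable; mask the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; this is the active-file scan case."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, redact(m.group(0))))
    return findings


def scan_repo(repo: dict[str, str]) -> list[Finding]:
    """Scan every file in the repository; this is the workspace scan case."""
    findings = []
    for path, text in repo.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}  {f.rule}  {f.snippet}")
```

The README line is the caveat worth noticing: it contains the name of a sensitive variable but no value, so a value-pattern scanner reports nothing there, while the three files that embed an actual credential-shaped string are each reported once per hit, with only a short prefix of the matched value left visible.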

Workspace scan timeout

You can configure how long a workspace scan is allowed to run before timing out.

The Workspace scan timeout setting:
  • Uses minutes as the unit of measurement.
  • Supports values from 1 to 60 minutes.
  • Uses 10 minutes as the default value.

The timeout applies to:
  • Secrets detection scans
  • Static Application Security Testing (SAST) scans
  • Software Composition Analysis (SCA) scans

If workspace scans frequently time out before completion, increase the timeout value in the Concert Secure Coder settings.

Concert exposures tab

Use the Concert exposures tab to view security exposures that IBM Concert reports for the repository currently open in your IDE.

The tab can display information such as:
  • Vulnerability severity
  • Risk scores
  • Exposure priorities
  • Security findings reported by IBM Concert

To retrieve the latest information, click Sync all scans from the Home tab.

Note: The Concert exposures tab provides a read-only view of exposure information. You cannot remediate or modify exposures directly from this tab.