Introduction to IBM Concert
IBM® Concert combines traditional analytics and generative AI to deliver comprehensive insights into your operational health and identify critical risk across your application lifecycle. Concert ingests an inventory of application data — source code repositories, images, and environments — to build your application topology. Then, through various dimensions, it helps you prioritize and mitigate risk that is related to vulnerabilities (CVEs, and so on), compliance issues, expiring certificates, package license and versioning issues, and more.
Each of the following sections covers a key concept or object in your Concert instance.
Inventory
After deploying your Concert instance, the first step is to import application components—source code repositories, images, and environments. You can do this by uploading an SBOM file in the Concert-defined (ConcertDef) format, or by connecting with your external tools and services to pull data from your code-hosting platforms, environments, and other application components into your Concert instance. This creates an inventory of components that you can use to define your applications and environments and build your application topology, which is presented in the Arena view.

After defining your applications, environments, and dependencies, you can begin to assess operational risk and the health of your development and delivery lifecycle through each Concert dimension.
Data ingestion methods
There are multiple ways to import data to Concert for the purposes of building your application inventory or assessing data through one of the Concert dimensions.
- Using the Concert toolkit, you can automate data ingestion as part of your CI/CD pipeline. This is the recommended approach as it helps ensure your application and environment data stays up to date.
- The Concert API includes a data ingestion endpoint that you can use to upload SBOM files, scans, and other data types.
- Integrate directly with third-party tools and services by establishing a connection with an external tool or service, and then creating an ingestion job. Each run updates your inventory with the latest component details (images, repositories, libraries, and so on) you can use to define your applications and environments.
- Upload files in the Concert UI.
Arena view
The Arena view presents an interactive view of your deployed images, source repositories, application definitions, environments, private access points, and the relationship between each entity. Hovering over one of the objects displays its name or other identifying details and highlights its specific dependencies.

- Clicking an image or repository component displays extra details, including associated applications, packages, and common vulnerabilities and exposures (CVE).
- Clicking an application definition redirects you to the page that displays details for the selected application.
- Clicking an environment definition redirects you to the page that displays details for the selected environment.
Dimensions
In the context of Concert, a dimension is a category of data that is related to some aspect of operational health in an application development and delivery lifecycle. Each Concert dimension provides unique insight and offers remediation steps to address high-priority risk before it negatively impacts your operations or business-related outcomes.
You can think of a dimension as an analytical overlay on top of your application topology. Upon uploading or importing dimensional data — such as a vulnerability or compliance scan, certificate data, or package details — Concert processes the information to identify and prioritize issues based on several factors. It offers recommendations to mitigate risk and allows you to create tickets in your third-party ticketing system manually or automatically by using automation rules.
- The Software composition dimension assesses the quality and reliability of your application package components, highlighting issues related to licensing, versions, or vulnerabilities. Based on the uploaded data, it identifies and labels certain types of risk and the recommended action to address the issue. Upload a package SBOM in CycloneDX format to use this dimension.
- The Vulnerability dimension prioritizes common vulnerabilities and exposures (CVEs) impacting your applications. It calculates a risk score indicating the severity of a CVE based on the Common Vulnerability Scoring System (CVSS) or a custom IBM risk score (a composite metric that factors CVSS, as well as other risk factors like network exposure, criticality, and global evidence of exploitation). Within this dimension, you can use the IBM watsonx.ai chat functionality to learn more about the impacting CVE and remediation steps.
- The Compliance dimension provides a central location to review and manage your compliance assessments and define profiles (controls) that matter most to your organization. You can choose from a library of compliance catalogs based on your organization's relevant regulatory requirements and industry standards. Also, you can provide proof of compliance if an environment is deemed noncompliant with a specific control. When doing so, watsonx.ai validates text-based evidence against the compliance controls to determine and record if there is sufficient proof of compliance.
- The Operations dimension allows you to track the status of all your digital certificates, including those not related to a specific application in your Concert inventory, in a single location. It highlights certificates approaching their expiration date so you can proactively renew and replace expiring certificates before they impact your operations.
The growing portfolio of Concert dimensions processes and presents data in a way that makes it easier to review insights and initiate action to address vulnerability, package, compliance, or certificate issues quickly.
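The Software composition dimension works from a CycloneDX package SBOM. The following script, an added example and not Concert's own code, parses a constructed CycloneDX JSON SBOM and labels the kinds of licensing and versioning risk that dimension reports: components with no declared license, components under a license the organization does not allow, and one package present in more than one version. The SBOM contents, the package names and the DENIED_LICENSES policy are all assumptions made up for the example.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 JSON SBOM (sample data, not a real application).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "leftpad", "version": "0.1.0",
         "purl": "pkg:npm/leftpad@0.1.0"},          # no license declared
        {"type": "library", "name": "gpl-thing", "version": "3.0.0",
         "purl": "pkg:npm/gpl-thing@3.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Hypothetical policy: licenses the organization does not allow in shipped code.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

def component_licenses(component):
    """Return the set of SPDX ids (or free-text names) declared for a component."""
    ids = set()
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.add(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids

def assess_sbom(sbom_text):
    """Flag license and version risks in a CycloneDX JSON SBOM.
    Returns a list of (component, risk_label, recommendation) tuples."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    findings, versions = [], defaultdict(set)
    for comp in sbom.get("components", []):
        purl = comp.get("purl", f"{comp['name']}@{comp.get('version')}")
        versions[comp["name"]].add(comp.get("version"))
        lics = component_licenses(comp)
        if not lics:
            findings.append((purl, "missing-license", "declare a license or replace the package"))
        for lic in sorted(lics & DENIED_LICENSES):
            findings.append((purl, "denied-license", f"{lic} is not permitted; replace the package"))
    for name, vers in versions.items():   # same package shipped at several versions
        if len(vers) > 1:
            findings.append((name, "multiple-versions", f"consolidate on one of {sorted(vers)}"))
    return findings
```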
Automation rules
Automation rules let Concert open tickets in your third-party ticketing system automatically when a dimension surfaces an issue. For example, you can configure a rule to:
- Open a ticket based on a package-related recommendation within the Software composition dimension.
- Open a ticket to address a high-priority CVE impacting your application(s) highlighted in the Vulnerability dimension.
- Open a ticket to address an environment that is not compliant with one or more specified controls that are highlighted in the Compliance dimension.
- Open a ticket to renew or replace expiring certificates that are highlighted in the Operations dimension.
When configuring the automation rule, you have the option to assign the ticket to the relevant person in your organization.