Version: 3.13-dev

SCA Overview

The Security section covers security settings, access control, secrets management, and protected resources. It is organized into the following sub-sections:

Note:
  • The Trivy tool manages scanning and hardening views: Container Scanning, Namespace Security, Cluster Security (configuration audits, RBAC, infrastructure, cluster vulnerability reports, compliance benchmarks and related drill-downs), and the Compliance entries that mirror those scan types. If Trivy is not integrated and running against your cluster/namespaces, those screens stay empty or without fresh data.

  • SCA (this portfolio and Projects) comes from Dependency Track (BOMs, component vulnerabilities, policies).

  • SAST comes from SonarQube.

The Software Composition Analysis portfolio dashboard shows portfolio-level vulnerability metrics and policy violations across all projects. Use it to track vulnerabilities, projects at risk, and policy compliance over time.

Key Metrics

Four KPI cards with trend lines summarize:

  • Portfolio Vulnerabilities — Total vulnerability count for the portfolio.
  • Projects at Risk — Number of projects that have active risk (e.g. vulnerabilities or policy violations).
  • Vulnerable Components — Number of components (dependencies) with known vulnerabilities.
  • Inherited Risk Score — Aggregate risk score derived from vulnerabilities and policy state.

At the top of the page you can select 30 Days, 60 Days, 90 Days, or 1 Year to scope all metrics and charts.

Portfolio Statistics

A summary block shows current counts:

  • Projects and Vulnerable Projects
  • Components and Vulnerable Components
  • Policy Violations — total, plus split by License, Operational, and Security
  • Portfolio Vulnerabilities and Suppressed (suppressed findings)

Use this to see the overall posture at a glance.

Charts

  • Portfolio Vulnerabilities — Stacked area chart of vulnerabilities over time by severity: Critical, High, Medium, Low, Unassigned. Legend shows current counts and percentages.

  • Policy Violations by State — Stacked area chart of violations by state: Fail, Warn, Info.

  • Policy Violations by Classification — Stacked area chart by type: Security, License, Operational.

  • Auditing Progress (Findings) — Trend of Audited vs Unaudited findings over the selected period.

  • Auditing Progress (Violations) — Trend of Audited vs Unaudited violations.

  • Projects — Stacked area chart of Non-Vulnerable vs Vulnerable projects over time (with total project count).

  • Components — Stacked area chart of Non-Vulnerable vs Vulnerable components over time (with total component count).

Charts use the same time range as the page filter and show a last-measurement timestamp.
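To make the relationship between the Key Metrics, Portfolio Statistics and auditing charts concrete, here is an added example (not the dashboard's or Dependency Track's own code) that aggregates constructed findings and policy violations into the same counts. The Finding/Violation data model is an assumption, and the severity weights for the inherited risk score are taken from Dependency Track's documented formula (verify against your version).

```python
# Added example (not the dashboard's or Dependency-Track's own code): aggregate
# constructed findings and policy violations into the counts this page lists.
from collections import Counter
from dataclasses import dataclass

# Assumption: Dependency-Track's documented severity weights for the risk score.
RISK_WEIGHTS = {"CRITICAL": 10, "HIGH": 5, "MEDIUM": 3, "LOW": 1, "UNASSIGNED": 5}

@dataclass(frozen=True)
class Finding:           # one vulnerability on one component of one project
    project: str
    component: str
    severity: str
    suppressed: bool = False
    audited: bool = False

@dataclass(frozen=True)
class Violation:         # one policy violation raised against a project
    project: str
    classification: str  # SECURITY | LICENSE | OPERATIONAL
    state: str           # FAIL | WARN | INFO

def portfolio_stats(projects, components, findings, violations):
    """Return the KPI and Portfolio Statistics values for the given data."""
    active = [f for f in findings if not f.suppressed]  # suppressed counted apart
    by_sev = Counter(f.severity for f in active)
    vulnerable_projects = {f.project for f in active}
    return {
        "projects": len(projects),
        "vulnerable_projects": len(vulnerable_projects),
        # at risk = vulnerable or carrying any policy violation
        "projects_at_risk": len(vulnerable_projects | {v.project for v in violations}),
        "components": len(components),
        "vulnerable_components": len({(f.project, f.component) for f in active}),
        "portfolio_vulnerabilities": len(active),
        "suppressed": sum(f.suppressed for f in findings),
        "by_severity": dict(by_sev),
        "inherited_risk_score": sum(RISK_WEIGHTS[s] * n for s, n in by_sev.items()),
        "audited_findings": sum(f.audited for f in active),
        "unaudited_findings": sum(not f.audited for f in active),
        "violations_total": len(violations),
        "violations_by_classification": dict(Counter(v.classification for v in violations)),
        "violations_by_state": dict(Counter(v.state for v in violations)),
    }

# Constructed sample data: three projects, four components, placeholder names.
PROJECTS = {"api", "web", "batch"}
COMPONENTS = {("api", "libfoo"), ("api", "libbar"), ("web", "libbaz"), ("batch", "libqux")}
FINDINGS = [Finding("api", "libfoo", "CRITICAL", audited=True), Finding("api", "libfoo", "HIGH"),
            Finding("api", "libbar", "MEDIUM", suppressed=True), Finding("web", "libbaz", "LOW"),
            Finding("web", "libbaz", "UNASSIGNED")]
VIOLATIONS = [Violation("batch", "LICENSE", "FAIL"), Violation("api", "OPERATIONAL", "WARN")]
STATS = portfolio_stats(PROJECTS, COMPONENTS, FINDINGS, VIOLATIONS)
```

Note that `batch` has no vulnerable component but still counts as at risk because of its license violation, which is the distinction between Vulnerable Projects and Projects at Risk on this page.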