User Interface Components - Source Code

1.0 Introduction

The article describes the Fortanix Key Insight user interface (UI) features for an on-premises source code infrastructure.

2.0 Terminology References

For Fortanix Key Insight – on-premises concepts and supported features, refer to On-premises Connection Concepts.

3.0 Overview

You can access the Overview page after successfully adding an on-premises connection.

The SOURCE CODE tab in the Overview page summarizes the cryptographic assets from source code repositories based on the applied Fortanix Key Insight policy.

For more information on the Key Insight policy, refer to Getting Started with On-premises Connection.

NOTE

• If the Overview page for source code does not display any data, configure the on-premises scanner. For more information, refer to On-Premises Connection Scanning Configuration.

• Click the numerical value on the Overview page for source code to view the list of corresponding on-premises resources, where applicable.

• Click RESCAN to rescan the on-premises connection. For more information, refer to Section 5.0: Rescan an On-premises Connection.

• Click ASSESSMENT REPORT to navigate to the Assessment page and view the assessment report. This report allows you to assess your key security posture to ensure the safety of your data. For more information, refer to Section 4.0: Assessments.

The Overview page is described in the following sections:

3.1 Discovered On-premises Resources

This section provides the count of scanned on-premises infrastructures, including databases, file systems, and source code repositories.

It also displays the count of the following in the scanned on-premises infrastructures:

• Cryptographic assets

• Keys

• Certificates

• Resources

Clicking the Cryptographic Assets, Keys, Certificates, and Resources labels navigates you to their list view.

3.2 Cryptography Bill of Materials (CBOM)

This section describes how to export cryptographic asset metadata from an on-premises  infrastructure into a standardized CBOM JSON file. The exported CBOM format is useful for maintaining a cryptographic inventory, demonstrating regulatory compliance, and evaluating post-quantum cryptography (PQC) readiness.

To export the CBOM data, click EXPORT. The file named bom_report_<on-premises_scan_id>.json will be downloaded to your local machine, where on-premises_scan_id is a unique identifier generated for each on-premises connection scan.

For example,

The exported file adheres to the CycloneDX specification, including the following components:

• bomFormat: Specifies the bill of materials format. For CBOM, this value is set to CycloneDX.

• specVersion: Indicates the version of the CycloneDX specification being used.

• version: Denotes the version of this specific CBOM file.

• components: Lists cryptographic components such as on-premises keys. Each entry includes details such as type, name, algorithm, associated services, and other relevant information.

• services: Describes the on-premises resources that interact with the listed cryptographic components. Each service includes details such as its name and unique ID.

• dependencies: Defines the relationships between keys and resources, representing how cryptographic elements are interconnected or used together.

NOTE

If your on-premises connection was last scanned before the Fortanix Key Insight 25.07 release and has not been rescanned since, you must perform a Rescan to ensure the correct export of CBOM data.

For more information on how to perform a rescan, refer to Section 5.0: Rescan an On-premises Connection.

3.3 Discovered Cryptographic Assets and Repositories

This section provides a summary of the scanned source code cryptographic assets and repositories, along with their counts.

To understand the list of supported cryptographic assets and their details, refer to the Structure and Cryptographic Asset Types section of the Authoritative Guide to CBOM.

Click each label to view the detailed list of the corresponding assets and repositories.

3.4 Top Asset Type

This section displays the top five cryptographic assets discovered in the on-premises source code repositories.

• Click VIEW ALL to see the complete list of cryptographic assets.

• Click any label or count to view the detailed list of corresponding cryptographic assets.

3.5 Top Repositories by Asset Count

This section displays cryptographic assets discovered in the top five on-premises source code repositories.

• Click VIEW ALL to see the complete list of repositories and the associated cryptographic assets.

• Click any label or count to view the detailed list of corresponding cryptographic assets.

4.0 Assessments

You can access the Fortanix Key Insight Assessment page for source code after the scan is performed, and on-premises cryptographic assets have been added.

The Assessment page shows:

• How good or bad the key security posture is for the on-premises scanner.

• Violations that must be remediated to improve the security status.

• Remediation advice to improve the security status.

NOTE

Click the numerical values on the Assessment page to view the list of corresponding on-premises cryptographic assets and repositories, where applicable.

4.1 Risk Score

This section provides the overall risk score of the on-premises cryptographic assets for source code repositories.

High – A high score signifies the total number of non-compliant assets in use.

Click each risk label or risk count to access its corresponding list view.

4.2 Asset Violation Across Top Repositories

This section provides insights into cryptographic violations across your on-premises source code infrastructure.

You can view the total number of asset violations, along with the breakdown of the total number of violations discovered across individual on-premises source code repositories. This information helps you identify at-risk resources, enabling you to implement unique, compliant, and encrypted cryptographic assets for enhanced security.

Also,

• View risk levels for each cryptographic asset that are color-coded for easy identification.

• Select VIEW ALL to navigate to the Resources page and explore individual violations for each repository.

• Click any repository to view a detailed list of its top 10 violations, sorted by severity. Click each violation type to navigate to the corresponding list view.

• Click BACK to return to the violations card view.

4.3 Top Security Issues

This section provides the following information:

• Non-compliant assets: Displays the total number of assets that do not meet the established industry standards and compliance frameworks. It highlights assets that do not adhere to the required security practices and guidelines set forth by regulatory bodies and industry best practices. By identifying these non-compliant assets, this section helps identify the areas where asset management practices need improvement to ensure that they align with the necessary security and compliance requirements.

  The non-compliant assets increase the data security risk. They will be flagged as vulnerabilities on the Cryptographic Assets page.  Click the count to navigate to the list view.

• PQC readiness: Indicates the percentage of your cryptographic assets that are currently quantum-safe, reflecting your source code environment's preparedness for post-quantum cryptography (PQC). This percentage represents the portion of assets using PQC-compliant algorithms or configurations.

4.4 Resource Violation

This section displays the top five violations with the count of their associated resources.

• Click VIEW ALL to view the complete list of resources.

• The Green color cell indicates the discovered repositories.

• Click any label or count to view the detailed list of corresponding resources.

4.5 Download Assessment Report

Click DOWNLOAD REPORT on the top-right corner of the Assessment page to view the Data Security Assessment Report for the on-premises infrastructures, such as databases, source code, and filesystems, in PDF format. The report will open in the Print dialog box, where you can select to print it or save it locally to your machine as needed.

5.0 Rescan an On-premises Connection

Click RESCAN on the top-right corner of the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in the on-premises scanner.

NOTE

• The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.

• The RESCAN option is available only when the on-premises connection status is Connected.

If you click RESCAN and start the scan, you can monitor its progress in the progress bar. After the scan is completed successfully.

After the scan is completed successfully,

• The Last scanned label will be updated with the date and time of completion.

• The Overview page will reflect the new state of the on-premises keys and resources.

You can also click RESCAN on the Assessment page to perform the rescan. After the scan is completed, the Assessment page will reflect the new state of the on-premises resources.

6.0 Resources

After onboarding an on-premises connection with source code repositories, navigate to Resources in the Fortanix Key Insight left navigation panel and select the SOURCE CODE tab to view all scanned source code repositories.

For every source code repository, you can view the information, such as repository name or URL, number of assets, hostname or IP address, and violations.

• Click VIEW with the assets count to access all the cryptographic assets in the list view.

• Click the violations count or icon to view the associated violations.

6.1 Filter Resources in Source Code List View

In the list view, you can filter the resources using the Search field with the following criteria and available values:

• Repository Name/URL

• Asset Violation: Using Non-compliant Asset, Using Quantum Vulnerable Asset

• Host Name / IP Address

• Asset Count: <, >, =

You can use a combination of the above filter options to display the data with specific results.

6.2 View Source Code Resource Details

Click a repository name or URL in the resources list to view its properties and associated violations.

• The RESOURCE DETAILS tab includes the following:

  • Resource Configurations: This section displays the repository specifications, such as repository name and branch name.

  • Cryptographic Assets Discovered: This section displays the count of total assets discovered during the scan. Click VIEW or the asset count to navigate to the cryptographic assets list page with the appropriate filter applied.

• The VIOLATIONS tab displays any violations linked to the cryptographic asset. These violations may include issues such as using non-compliant assets and quantum vulnerable assets. Click VIEW ASSETS to navigate to the cryptographic assets list page with the appropriate filter applied.

  

7.0 Cryptographic Assets

After onboarding an on-premises connection with source code repositories, you can navigate to the SOURCE CODE tab under Cryptographic Assets in the Fortanix Key Insight left navigation panel to view all scanned cryptographic assets from those repositories..

For every on-premises repository, the table displays the cryptographic unique reference ID, asset name, asset type, and violations. Click the violations count or icon to view the associated violations.

7.1 Filter Cryptographic Assets

In the list view, you can filter the cryptographic assets using the Search field with the following criteria and available values:

• Unique Reference ID

• Asset Name

• Asset Type: Algorithm, Protocol, Certificate, Private key, Public key, Secret key, Key, Ciphertext, Signature, Digest, Initialization Vector, Nonce, Seed, SALT, Shared Secret, Tag, Additional Data, Password, Credential, Token, Other, Unknown

• Asset Violation: Non-compliant Asset, Quantum Vulnerable

• Location

• Repository Name/URL

You can use a combination of the different filter attributes to display the data with specific results.

7.2 Export Cryptographic Assets Data

For steps to export the cryptographic assets data, refer to Section 8.0: Scanned Data Export.

7.3 View Cryptographic Assets Details

Click any unique reference ID of the cryptographic asset in the list to view its properties and associated violations.

• The CRYPTOGRAPHIC ASSET DETAILS tab includes the following details:

  • Cryptographic Asset Properties: This section displays the specifications, such as the unique reference ID (BOM reference), asset name, asset type, and repository name or URL.

  • Associated Locations: This section identifies the location of the cryptographic asset within the repository, including the line number where it appears  and the offset, which indicates its exact position within that line. You can copy a location if needed. Click View More to see all locations.

• The VIOLATIONS tab displays any violations associated with the cryptographic asset. These violations may include issues such as non-compliant assets and PQC vulnerable.

  

8.0 Scanned Data Export

This feature allows you to export the scanned cryptographic assets and resource-related data from Fortanix Key Insight in Comma-Separated Values (CSV) format. Also, it provides flexibility, enabling you to download data for detailed analysis, audits, or reporting, and to access real-time status.

In the on-premises resources and cryptographic assets list view, you can click EXPORT to export the scanned data using any of the available options:

• Export current page: Use this option to export all column data from the current page in CSV format.

  NOTE

  You can download a maximum of 100 items at a time, based on the settings specified in the Items per page drop down.

• Export all raw data: Use this option to export all scanned data in CSV format. Review the details in the Export All Raw Data dialog box and click PROCEED to start the export.

  After the export process begins, you can track its progress. The export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more information, refer to Section 8.1: Manage Export Activities.

• Export selected rows: This option is disabled by default. You can select the checkbox () next to the required rows on the current page and then use this option to export only those rows in CSV format.

NOTE

• Users with the Account Administrator and Group Administrator roles can only perform the scanned data export.

• Within the same account, you can have multiple exports running simultaneously from different cloud and on-premises connections.

8.1 Manage Export Activities

After you initiate the export process using Export All Raw Data, you can track the export status in the Activities tab located in the left navigation pane of Fortanix Key Insight.

You can see the following details for each export:

• Name of the activity.

• Name of the file.

• Activity status: This indicates the current state of the data export. This can be,

  • Completed: The data export has been completed, and the CSV file will automatically download to the location specified on your local machine.

  • In Progress: The data export is in progress, and you can cancel it using if required.

  • Cancelled: The data export was cancelled, either manually or due to switching accounts while the export was in progress.

  • Failed: The data export did not complete successfully due to errors.  

• Name of the connection

• Export creation date and time

NOTE

• If you switch to a different account during export, the export will be cancelled and logged in the Activities tab.

• If you navigate to a different solution (for example, Fortanix Identity and Access Management (IAM)), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using toast a message.

• If you refresh the web page during the export, the confirmation dialog box will appear. If you refresh, the export will be cancelled, and all entries in the Activities tab will be removed. To avoid this, do not refresh the page during the export.