File Stream workflows
Managing your software packages on the File Stream page of the Portal is possible for every package uploaded and analyzed by your groups.
After a software package has been analyzed, you can access its Actions menu from the right-hand side of the Software table. From the Actions menu, you can do the following:
The availability of these actions depends on the user role you were assigned.
Move a file to a project
Who can do this: Org Admin, Group Owner, Maintainer
To preserve your files, you can move them from the File Stream to the Projects page. Before moving the file, you have to associate it with a project and a package, so that you can manage it as any other package version.
When a package already contains the maximum number of versions (12), the oldest package version by upload date is removed to make room for the moved file.
To move a package version from the File Stream, select Move to Project from the Actions menu.
In the dialog that opens, you have to complete the following four steps:
- Select Project, where you can either select an existing project from the dropdown or create a new one if the project you searched for does not yet exist
- Select Package, where you can select an existing package from the dropdown. If the package you searched for does not yet exist, you can create a new one
- Software Info, where you can edit the same information about your software package that you need to enter when you're uploading it directly to the Projects page. The Is Released checkbox is not marked by default. All fields except for Version are automatically filled. The Derived field takes the last successfully uploaded version as its value. This field is available only when you're moving your file to a package that already contains at least one version.
- Overview, where you can once again check all the information on the package version you're moving, including its target location
You can switch back and forth between the steps by selecting them at the top of the dialog. This allows you to change any information on the package version up until you finish the process of moving your file to a desired project.
When all the steps are successfully completed, you can view your file inside the desired project and package on the Projects page. Upon move, this file is automatically reanalyzed without influencing your analysis capacity to ensure it is in sync with other package versions and to create diffs. Note that the file you moved is shown at the top of the list of package versions because it was uploaded last.
View a report
Who can do this: All roles
You can view the SAFE report for a software package either from the Info dropdown or from the Actions menu at the end of each Software table row. Another way to access the report is by selecting the name of the software package from the table.
For a detailed overview of the SAFE report contents, refer to the Report page.
Reanalyze a file
Who can do this: Org Admin, Group Owner, Maintainer, Group Member
You can reanalyze your software packages at any point in time from the Actions menu. However, the Portal will prompt you to reanalyze the file if your SAFE report is outdated when you attempt to view it. Reports can be outdated for the following reasons:
- the Portal analysis engine has been updated since you uploaded your package
- the organization policy profile has changed since you uploaded your package
- the group policy profile has changed since you uploaded your package
Sending a file to reanalysis does not affect the group capacity in any way.
Download a file
Who can do this: All roles
To download approved files in their original file formats, select the Export button in the banner of their report page.
If you want to download the approved file directly from the File Stream page, select the Download File button in the Actions menu.
In the pop-up that opens, you can:
- click the filename to complete the download action
- view and copy the SHA256 file hash
- select Close to cancel the download action
If the analysis capacity is exceeded, if the file is not approved, or if you do not have the permission to approve files, selecting the Download File button results in an error.
Only users with the Organization Administrator, Organization Security, and Group Owner roles, which allow file approval, can download any file regardless of its approval status.
Delete a file
Who can do this: Org Admin, Group Owner, Maintainer, Group Member
You can delete any software package belonging to your groups from the Actions menu.
You should take into account that deleting the software package removes all its related metadata. Therefore, if you want to keep the reports of your deleted packages, you need to export them first.
From the Report page, you can export the following:
- SBOM, in either the CycloneDX or SPDX format
- Issues, in the SARIF format
- Vulnerabilities, in the RL-CVE format
- Networking, in the RL-URI format
Approve or reject a file
Who can do this: Org Admin, Org Security, Group Owner
All Portal users can see the version approval status, but only users with the appropriate roles can approve, reject, or revoke approval for software packages.
By default, all software packages await approval when uploaded to the Portal. If you have the appropriate role and have thoroughly reviewed your software report after a scan, you can assign one of the following approval statuses to your software:
- Approved, when no policies have failed during analysis or when some policies did fail but you subsequently either accepted the potential risk or manually suppressed those policies
- Approval Rejected, when the software should be restricted from deployment since it poses a considerable risk to your organization even after all possible actions have been taken
- Approval Revoked, when:
  - the software has been incorrectly or inadvertently approved,
  - the software can be replaced by an alternate software (e.g. a later version) posing a lower security risk,
  - the policy configuration has been modified, or
  - a new threat impacting components of the software has been identified
From the Actions menu, you can approve only the software tagged as "Requires Approval" or "Approval Rejected". Once you update the approval status for the software, you cannot change it back to "Requires Approval". Any change in approval status requires you to state a valid reason to support your choice.
When you approve software, it can be downloaded by any Portal user and its approval can be revoked at any moment. If you revoked the software approval, Portal users can neither reapprove it nor download it. This kind of software should be removed from the production environment to avoid future use.
You can only reject the software that has not been approved yet. If you already rejected the software but you want to change the rejection reason, you need to reject it again with a new reason.
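The approval rules above (who may change status, which transitions are allowed, that every change needs a reason, and who may download at each status) form a small state machine. The following Python model is an added illustration, not Portal code; the role names follow the short forms used in the "Who can do this" lines, and the download rule for approver roles follows the statement that they can download any file regardless of its approval status.

```python
from dataclasses import dataclass, field

# Roles that may approve, reject or revoke (short forms from "Who can do this").
APPROVER_ROLES = {"Org Admin", "Org Security", "Group Owner"}

# Allowed status transitions as the page describes them:
# "Requires Approval" is the initial state and can never be re-entered,
# rejected software may be approved or re-rejected with a new reason,
# approved software may only be revoked, and revoked software is terminal.
TRANSITIONS = {
    "Requires Approval": {"Approved", "Approval Rejected"},
    "Approval Rejected": {"Approved", "Approval Rejected"},
    "Approved": {"Approval Revoked"},
    "Approval Revoked": set(),
}


@dataclass
class PackageVersion:
    name: str
    status: str = "Requires Approval"
    history: list = field(default_factory=list)  # audit trail: (status, role, reason)


def transition_error(pkg, new_status, role, reason):
    """Return why a status change is not allowed, or None if it is allowed."""
    if role not in APPROVER_ROLES:
        return f"role {role!r} cannot change approval status"
    if not reason or not reason.strip():
        return "a reason is required for every approval status change"
    if new_status not in TRANSITIONS.get(pkg.status, set()):
        return f"cannot move from {pkg.status!r} to {new_status!r}"
    return None


def change_status(pkg, new_status, role, reason):
    """Apply a status change, recording it in the audit trail, or raise ValueError."""
    err = transition_error(pkg, new_status, role, reason)
    if err:
        raise ValueError(err)
    pkg.status = new_status
    pkg.history.append((new_status, role, reason.strip()))
    return pkg.status


def can_download(pkg, role):
    """Approved files: any Portal user. Any other status: approver roles only."""
    return pkg.status == "Approved" or role in APPROVER_ROLES
```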