How to Use the Security Plugin in the DevPortal

Overview

The Security Insights plugin was developed to centralize and display security vulnerability data (CVEs) extracted during pipeline executions in GitHub or GitLab repositories. This guide explains how to install, configure, and use the plugin within the Veecode DevPortal platform.

Benefits

Centralized vulnerability data directly in the DevPortal.
Integration with tools like Trivy, which export reports in .sarif or .json formats.
Interactive dashboards for security, engineering, and DevOps teams.
Filters by severity, repository, branch, and more.

Requirements

Pipeline configured with Trivy Scan (or another tool that generates .sarif or .json reports).
Repository imported and registered in the DevPortal.
GitHub or GitLab Org data configured.

https://backstage.io/docs/integrations/github/org

https://backstage.io/docs/integrations/gitlab/org
Vulnerabilities plugin enabled in the catalog rules:

catalog:
  rules:
    - allow: [Component, API, Location, Cluster, Template, Environment, Database, Vault, Infracost, Group, User, Vulnerabilities]

Installation

To install the Security Insights plugin, follow these steps:

yarn --cwd packages/backend add @veecode-platform/backstage-plugin-vulnerabilities

Accessing the Plugin

You can access Security Insights through three different paths in the DevPortal:

1. Security Insights (Component View)

Path: Component page → Security Insights tab

Displays all CVEs found in that specific component.
Free text filter across all fields.
Branch selector to switch views.

2. Consolidated Dashboard (Security Dashboard)

Path: Side menu → Security Dashboard → Route /security-dashboard

Table listing all registered projects.
Vulnerability count by severity (Low, Medium, High, Critical).
Filters by:
- Severity
- Organization
- Team

3. All CVEs (Detailed Explorer)

Within the consolidated view

Complete list of all stored CVEs.
Filters by:
- CVE ID
- Severity
- Description
Shows affected repositories.

Basic Usage Flow

Import your repository into the DevPortal.
Run the CI/CD pipeline with vulnerability scanning enabled.
Ensure the .sarif or .json report is generated and integrated into the DevPortal.
Access the Security Insights tab on the component page.
Use the Security Dashboard for an overview and centralized vulnerability analysis.

Visual Interfaces

Security Insights (per project): detailed view per component.
Security Dashboard: consolidated view with aggregated data.
All CVEs: complete view for querying and filtering vulnerabilities.

Overview​

Benefits​

Requirements​

Installation​

Accessing the Plugin​

1. Security Insights (Component View)​

2. Consolidated Dashboard (Security Dashboard)​

3. All CVEs (Detailed Explorer)​

Basic Usage Flow​

Visual Interfaces​