From 299072a735f1f56c66926b241493ab5ebb746255 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:00:46 +0100 Subject: [PATCH 1/9] =?UTF-8?q?docs:=20expand=20proactive=20SCA=20section?= =?UTF-8?q?=20=E2=80=94=20Trivy=20prerequisite,=20setup=20paths,=20and=20d?= =?UTF-8?q?eep-link=20anchor?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the single-line Trivy note with a full explanation of how proactive SCA nightly scans work, what's required (Trivy tool + vulnerability patterns), both setup paths (coding standard / per-repo), and the silent failure case when only the tool is enabled. Adds a new H4 subsection with anchor #proactive-sca-requirements so Phase 2 CTAs (Dependency Explorer empty state OD-143, partial coverage banner OD-144) can deep-link directly to the prerequisite content. Closes OD-139 Co-Authored-By: Claude Sonnet 4.6 --- .../managing-security-and-risk.md | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index 7d2cfd1e6a..7df02ff218 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md 
@@ -189,15 +189,29 @@ Codacy closes a finding in either of the following cases: ### How Codacy manages findings detected during software composition analysis (SCA) {: id="opening-and-closing-sca-items"} -!!! note - To make sure that Codacy detects dependency issues correctly, [enable code patterns](../repositories-configure/configuring-code-patterns.md) belonging to the Trivy tool. +Vulnerable dependencies are a specific Git repository finding. Codacy opens a finding whenever a commit to the default branch is analyzed and a vulnerable dependency is detected. + +If your organization has proactive SCA enabled, Codacy also runs a nightly scan of all repositories — so newly discovered vulnerabilities are surfaced even without a new commit. + +!!! important + The proactive SCA scanning is a Business tier feature. If you are a Codacy Pro customer interested in upgrading to gain access to this feature, [talk to us](https://start-chat.com/slack/codacy/rmbTzb). -Vulnerable dependencies are a specific GIT repository finding. Similarly to other repository findings, Codacy opens an issue whenever a commit is analyzed. +#### Trivy requirements for proactive SCA {: id="proactive-sca-requirements"} -Additionally, Codacy scans your codebase every evening to see if it's affected by any newly discovered vulnerabilities. +Proactive SCA uses **Trivy** as its scanning tool. For nightly scans to produce results on a repository, **both** conditions must be met: + +1. The **Trivy tool** is enabled — either through a [coding standard](using-coding-standards.md) applied to the repository, or directly via the repository's [Code patterns settings](../repositories-configure/configuring-code-patterns.md). +2. At least one **Trivy vulnerability pattern** is enabled: `Trivy_vulnerability_critical`, `Trivy_vulnerability_high`, `Trivy_vulnerability_medium`, `Trivy_vulnerability_minor`, or `Trivy_malicious_packages`. !!! important - The proactive SCA scanning is a business tier feature. 
If you are a Codacy Pro customer interested in upgrading to gain access to this feature, reach out to our customer success team. + Enabling the Trivy tool alone is not sufficient. If no vulnerability patterns are active, the nightly scan runs but produces no findings, and the [Dependencies](#dependencies-list) page shows no data. + +To enable Trivy across your organization, you can: + +- **Recommended — via coding standard:** [Add Trivy to a coding standard](using-coding-standards.md), enable its vulnerability patterns in the standard configuration, and apply the standard to your repositories. This covers all linked repositories in one step. +- **Per repository:** Open each repository's [Code patterns page](../repositories-configure/configuring-code-patterns.md), enable the Trivy tool, and enable the relevant vulnerability patterns. + +After enabling Trivy, nightly scans run automatically. Results appear in the [Dependencies](#dependencies-list) tab and the [Findings](#item-list) page after the nightly scan completes. ### How Codacy manages findings detected on Jira {: id="opening-and-closing-jira-items"} From 0f8cbe0a7e446e3841fb45fbbe3e8d985b0f9104 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:05:25 +0100 Subject: [PATCH 2/9] =?UTF-8?q?docs:=20remove=20redundant=20admonition=20?= =?UTF-8?q?=E2=80=94=20requirements=20list=20is=20self-evident?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- docs/organizations/managing-security-and-risk.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index 7df02ff218..fc1140e938 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md 
@@ -203,9 +203,6 @@ Proactive SCA uses **Trivy** as its scanning tool. For nightly scans to produce 1. The **Trivy tool** is enabled — either through a [coding standard](using-coding-standards.md) applied to the repository, or directly via the repository's [Code patterns settings](../repositories-configure/configuring-code-patterns.md). 2. At least one **Trivy vulnerability pattern** is enabled: `Trivy_vulnerability_critical`, `Trivy_vulnerability_high`, `Trivy_vulnerability_medium`, `Trivy_vulnerability_minor`, or `Trivy_malicious_packages`. -!!! important - Enabling the Trivy tool alone is not sufficient. If no vulnerability patterns are active, the nightly scan runs but produces no findings, and the [Dependencies](#dependencies-list) page shows no data. - To enable Trivy across your organization, you can: - **Recommended — via coding standard:** [Add Trivy to a coding standard](using-coding-standards.md), enable its vulnerability patterns in the standard configuration, and apply the standard to your repositories. This covers all linked repositories in one step. From a36a338c457c2c8483eb8e1914a083d8e7f611df Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:10:04 +0100 Subject: [PATCH 3/9] docs: rework SCA intro, remove inaccurate last sentence, add Dependencies cross-link MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Lead with what SCA findings are (dependency vulnerabilities) before explaining the daily re-scan feature - Use "daily re-scans" (matches pricing page "Daily SCA and Malicious Package re-scans") and drop "nightly" / "every evening" inconsistency - Remove inaccurate closing sentence — nightly scans always run for SCA-enabled orgs; enabling Trivy makes them produce results, not start - Add cross-reference in the Dependencies section pointing to #proactive-sca-requirements so there's a path in both directions Co-Authored-By: Claude Sonnet 4.6 --- docs/organizations/managing-security-and-risk.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index fc1140e938..6b7ae6e0c8 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md 
@@ -189,16 +189,16 @@ Codacy closes a finding in either of the following cases: ### How Codacy manages findings detected during software composition analysis (SCA) {: id="opening-and-closing-sca-items"} -Vulnerable dependencies are a specific Git repository finding. Codacy opens a finding whenever a commit to the default branch is analyzed and a vulnerable dependency is detected. +SCA findings detect known vulnerabilities in the third-party dependencies used by your repositories. Codacy opens a finding whenever a commit to the default branch is analyzed and a vulnerable dependency is detected. -If your organization has proactive SCA enabled, Codacy also runs a nightly scan of all repositories — so newly discovered vulnerabilities are surfaced even without a new commit. +On the Business plan, Codacy also runs daily re-scans across all repositories — so newly discovered vulnerabilities are surfaced even without a new commit. Results are visible on the [Findings](#item-list) page and in the [Dependencies](#dependencies-list) tab. !!! important The proactive SCA scanning is a Business tier feature. If you are a Codacy Pro customer interested in upgrading to gain access to this feature, [talk to us](https://start-chat.com/slack/codacy/rmbTzb). #### Trivy requirements for proactive SCA {: id="proactive-sca-requirements"} -Proactive SCA uses **Trivy** as its scanning tool. For nightly scans to produce results on a repository, **both** conditions must be met: +Proactive SCA uses **Trivy** as its scanning tool. For daily re-scans to produce results on a repository, **both** conditions must be met: 1. The **Trivy tool** is enabled — either through a [coding standard](using-coding-standards.md) applied to the repository, or directly via the repository's [Code patterns settings](../repositories-configure/configuring-code-patterns.md). 2. 
At least one **Trivy vulnerability pattern** is enabled: `Trivy_vulnerability_critical`, `Trivy_vulnerability_high`, `Trivy_vulnerability_medium`, `Trivy_vulnerability_minor`, or `Trivy_malicious_packages`. @@ -208,8 +208,6 @@ To enable Trivy across your organization, you can: - **Recommended — via coding standard:** [Add Trivy to a coding standard](using-coding-standards.md), enable its vulnerability patterns in the standard configuration, and apply the standard to your repositories. This covers all linked repositories in one step. - **Per repository:** Open each repository's [Code patterns page](../repositories-configure/configuring-code-patterns.md), enable the Trivy tool, and enable the relevant vulnerability patterns. -After enabling Trivy, nightly scans run automatically. Results appear in the [Dependencies](#dependencies-list) tab and the [Findings](#item-list) page after the nightly scan completes. - ### How Codacy manages findings detected on Jira {: id="opening-and-closing-jira-items"} @@ -583,7 +581,7 @@ Security and risk management supports checking the languages and infrastructure- The dependency tab is a business-tier feature. If you are a Codacy Pro customer interested in upgrading to gain access to this feature, contact our customer success team. -The **Security and risk management Dependencies** page displays a unified view of all dependencies used by your repositories. +The **Security and risk management Dependencies** page displays a unified view of all dependencies used by your repositories. Data is populated by Codacy's daily SCA re-scans — for results to appear, [Trivy must be enabled with vulnerability patterns](#proactive-sca-requirements) on each repository. To access the dependencies page, access the [overview page](#dashboard) and click the **Dependencies** tab. From 23086088f57926a455d459275ef7147db61a9413 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:14:02 +0100 Subject: [PATCH 4/9] =?UTF-8?q?docs:=20fix=20Business=20tier=20=E2=86=92?= =?UTF-8?q?=20business-tier=20(hyphen,=20consistent=20with=20rest=20of=20f?= =?UTF-8?q?ile)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- docs/organizations/managing-security-and-risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index 6b7ae6e0c8..dbf2ebe9dd 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md @@ -194,7 +194,7 @@ SCA findings detect known vulnerabilities in the third-party dependencies used b On the Business plan, Codacy also runs daily re-scans across all repositories — so newly discovered vulnerabilities are surfaced even without a new commit. Results are visible on the [Findings](#item-list) page and in the [Dependencies](#dependencies-list) tab. !!! important - The proactive SCA scanning is a Business tier feature. If you are a Codacy Pro customer interested in upgrading to gain access to this feature, [talk to us](https://start-chat.com/slack/codacy/rmbTzb). + The proactive SCA scanning is a business-tier feature. If you are a Codacy Pro customer interested in upgrading to gain access to this feature, [talk to us](https://start-chat.com/slack/codacy/rmbTzb). #### Trivy requirements for proactive SCA {: id="proactive-sca-requirements"} From c276b6550debb2442af5ff2ea936b4bb8356bd24 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:23:48 +0100 Subject: [PATCH 5/9] docs: fold upgrade CTA inline, expand pattern list to sub-bullets Removes the orange Important admonition that was breaking the reading flow. The business-tier note is now a single inline sentence at the end of the daily re-scans paragraph. Pattern IDs moved to sub-bullets for readability. Co-Authored-By: Claude Sonnet 4.6 --- docs/organizations/managing-security-and-risk.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index dbf2ebe9dd..a4034ded3b 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md 
@@ -191,17 +191,19 @@ Codacy closes a finding in either of the following cases: SCA findings detect known vulnerabilities in the third-party dependencies used by your repositories. Codacy opens a finding whenever a commit to the default branch is analyzed and a vulnerable dependency is detected. -On the Business plan, Codacy also runs daily re-scans across all repositories — so newly discovered vulnerabilities are surfaced even without a new commit. Results are visible on the [Findings](#item-list) page and in the [Dependencies](#dependencies-list) tab. - -!!! important - The proactive SCA scanning is a business-tier feature. If you are a Codacy Pro customer interested in upgrading to gain access to this feature, [talk to us](https://start-chat.com/slack/codacy/rmbTzb). +On the Business plan, Codacy also runs daily re-scans across all repositories — so newly discovered vulnerabilities are surfaced even without a new commit. Results are visible on the [Findings](#item-list) page and in the [Dependencies](#dependencies-list) tab. [Talk to us](https://start-chat.com/slack/codacy/rmbTzb) if you're interested in upgrading. #### Trivy requirements for proactive SCA {: id="proactive-sca-requirements"} Proactive SCA uses **Trivy** as its scanning tool. For daily re-scans to produce results on a repository, **both** conditions must be met: 1. The **Trivy tool** is enabled — either through a [coding standard](using-coding-standards.md) applied to the repository, or directly via the repository's [Code patterns settings](../repositories-configure/configuring-code-patterns.md). -2. At least one **Trivy vulnerability pattern** is enabled: `Trivy_vulnerability_critical`, `Trivy_vulnerability_high`, `Trivy_vulnerability_medium`, `Trivy_vulnerability_minor`, or `Trivy_malicious_packages`. +2. 
At least one **Trivy vulnerability pattern** is enabled: + - `Trivy_vulnerability_critical` + - `Trivy_vulnerability_high` + - `Trivy_vulnerability_medium` + - `Trivy_vulnerability_minor` + - `Trivy_malicious_packages` To enable Trivy across your organization, you can: From 3377f2470aa8321414093bf6fb50cc51e7a0cb51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:28:56 +0100 Subject: [PATCH 6/9] docs: move Trivy requirements to Dependencies section, collapse SCA findings subsection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SCA findings behave identically to other git findings — no separate lifecycle documentation needed. The unique part (daily re-scans + Trivy requirements) belongs with Dependencies, where an admin with an empty tab will look for help. - SCA findings subsection: collapsed to 2 sentences + link to #proactive-sca-requirements - Trivy requirements block: moved from H4 under Findings to H3 under Dependencies, anchor preserved for Phase 2 CTA deep-links (OD-143, OD-144) - Dependencies upgrade CTA: updated to use Knock link for consistency Co-Authored-By: Claude Sonnet 4.6 --- .../managing-security-and-risk.md | 41 +++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index a4034ded3b..b874e7739d 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md 
@@ -189,26 +189,9 @@ Codacy closes a finding in either of the following cases: ### How Codacy manages findings detected during software composition analysis (SCA) {: id="opening-and-closing-sca-items"} -SCA findings detect known vulnerabilities in the third-party dependencies used by your repositories. Codacy opens a finding whenever a commit to the default branch is analyzed and a vulnerable dependency is detected. +SCA findings behave like other Git repository findings. Codacy opens a finding whenever a commit to the default branch is analyzed and a vulnerable dependency is detected, and closes it when the dependency is no longer detected. -On the Business plan, Codacy also runs daily re-scans across all repositories — so newly discovered vulnerabilities are surfaced even without a new commit. Results are visible on the [Findings](#item-list) page and in the [Dependencies](#dependencies-list) tab. [Talk to us](https://start-chat.com/slack/codacy/rmbTzb) if you're interested in upgrading. - -#### Trivy requirements for proactive SCA {: id="proactive-sca-requirements"} - -Proactive SCA uses **Trivy** as its scanning tool. For daily re-scans to produce results on a repository, **both** conditions must be met: - -1. The **Trivy tool** is enabled — either through a [coding standard](using-coding-standards.md) applied to the repository, or directly via the repository's [Code patterns settings](../repositories-configure/configuring-code-patterns.md). -2. At least one **Trivy vulnerability pattern** is enabled: - - `Trivy_vulnerability_critical` - - `Trivy_vulnerability_high` - - `Trivy_vulnerability_medium` - - `Trivy_vulnerability_minor` - - `Trivy_malicious_packages` - -To enable Trivy across your organization, you can: - -- **Recommended — via coding standard:** [Add Trivy to a coding standard](using-coding-standards.md), enable its vulnerability patterns in the standard configuration, and apply the standard to your repositories. 
This covers all linked repositories in one step. -- **Per repository:** Open each repository's [Code patterns page](../repositories-configure/configuring-code-patterns.md), enable the Trivy tool, and enable the relevant vulnerability patterns. +On the Business plan, Codacy also runs [daily re-scans](#proactive-sca-requirements) across all repositories — so newly discovered vulnerabilities are surfaced even without a new commit. [Talk to us](https://start-chat.com/slack/codacy/rmbTzb) if you're interested in upgrading. ### How Codacy manages findings detected on Jira {: id="opening-and-closing-jira-items"} 
@@ -580,10 +563,26 @@ Security and risk management supports checking the languages and infrastructure- ## Dependencies {: id="dependencies-list"} !!! important - The dependency tab is a business-tier feature. If you are a Codacy Pro customer interested in upgrading to gain access to this feature, contact our customer success team. + The dependency tab is a business-tier feature. If you are a Codacy Pro customer interested in upgrading to gain access to this feature, [talk to us](https://start-chat.com/slack/codacy/rmbTzb). +The **Security and risk management Dependencies** page displays a unified view of all dependencies used by your repositories, populated by Codacy's daily SCA re-scans. -The **Security and risk management Dependencies** page displays a unified view of all dependencies used by your repositories. Data is populated by Codacy's daily SCA re-scans — for results to appear, [Trivy must be enabled with vulnerability patterns](#proactive-sca-requirements) on each repository. +### Daily re-scan requirements {: id="proactive-sca-requirements"} + +Proactive SCA uses **Trivy** as its scanning tool. For daily re-scans to produce results on a repository, **both** conditions must be met: + +1. The **Trivy tool** is enabled — either through a [coding standard](using-coding-standards.md) applied to the repository, or directly via the repository's [Code patterns settings](../repositories-configure/configuring-code-patterns.md). +2. At least one **Trivy vulnerability pattern** is enabled: + - `Trivy_vulnerability_critical` + - `Trivy_vulnerability_high` + - `Trivy_vulnerability_medium` + - `Trivy_vulnerability_minor` + - `Trivy_malicious_packages` + +To enable Trivy across your organization, you can: + +- **Recommended — via coding standard:** [Add Trivy to a coding standard](using-coding-standards.md), enable its vulnerability patterns in the standard configuration, and apply the standard to your repositories. This covers all linked repositories in one step. 
+- **Per repository:** Open each repository's [Code patterns page](../repositories-configure/configuring-code-patterns.md), enable the Trivy tool, and enable the relevant vulnerability patterns. To access the dependencies page, access the [overview page](#dashboard) and click the **Dependencies** tab. From d5d6ad1f21961f0e7f14e14074185b077012c139 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:34:25 +0100 Subject: [PATCH 7/9] docs: move page access instruction before requirements subsection Co-Authored-By: Claude Sonnet 4.6 --- docs/organizations/managing-security-and-risk.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index b874e7739d..aad290f246 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md @@ -567,6 +567,8 @@ Security and risk management supports checking the languages and infrastructure- The **Security and risk management Dependencies** page displays a unified view of all dependencies used by your repositories, populated by Codacy's daily SCA re-scans. +To access the dependencies page, access the [overview page](#dashboard) and click the **Dependencies** tab. + ### Daily re-scan requirements {: id="proactive-sca-requirements"} Proactive SCA uses **Trivy** as its scanning tool. For daily re-scans to produce results on a repository, **both** conditions must be met: 
@@ -584,8 +586,6 @@ To enable Trivy across your organization, you can: - **Recommended — via coding standard:** [Add Trivy to a coding standard](using-coding-standards.md), enable its vulnerability patterns in the standard configuration, and apply the standard to your repositories. This covers all linked repositories in one step. - **Per repository:** Open each repository's [Code patterns page](../repositories-configure/configuring-code-patterns.md), enable the Trivy tool, and enable the relevant vulnerability patterns. -To access the dependencies page, access the [overview page](#dashboard) and click the **Dependencies** tab. - ![Security and risk management dependencies page](images/security-risk-management-dependencies-list.png) When viewing dependencies, you'll be presented with a list of the dependencies used by all repositories in your organization. For each dependency, you'll be able to see how many repositories are making use of it, how many different versions you are using across all repositories, and how many security findings were found due to the presence of that dependency. From 0a149b30dda6fdc909b20d512d7fc472df2d9453 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:37:20 +0100 Subject: [PATCH 8/9] Revert "docs: move page access instruction before requirements subsection" This reverts commit d5d6ad1f21961f0e7f14e14074185b077012c139. --- docs/organizations/managing-security-and-risk.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index aad290f246..b874e7739d 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md 
@@ -567,8 +567,6 @@ Security and risk management supports checking the languages and infrastructure- The **Security and risk management Dependencies** page displays a unified view of all dependencies used by your repositories, populated by Codacy's daily SCA re-scans. -To access the dependencies page, access the [overview page](#dashboard) and click the **Dependencies** tab. - ### Daily re-scan requirements {: id="proactive-sca-requirements"} Proactive SCA uses **Trivy** as its scanning tool. For daily re-scans to produce results on a repository, **both** conditions must be met: @@ -586,6 +584,8 @@ To enable Trivy across your organization, you can: - **Recommended — via coding standard:** [Add Trivy to a coding standard](using-coding-standards.md), enable its vulnerability patterns in the standard configuration, and apply the standard to your repositories. This covers all linked repositories in one step. - **Per repository:** Open each repository's [Code patterns page](../repositories-configure/configuring-code-patterns.md), enable the Trivy tool, and enable the relevant vulnerability patterns. +To access the dependencies page, access the [overview page](#dashboard) and click the **Dependencies** tab. + ![Security and risk management dependencies page](images/security-risk-management-dependencies-list.png) When viewing dependencies, you'll be presented with a list of the dependencies used by all repositories in your organization. For each dependency, you'll be able to see how many repositories are making use of it, how many different versions you are using across all repositories, and how many security findings were found due to the presence of that dependency. From 82a998518d8a0085d47d6f2fc6dd27df87cf938c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A1udia?= Date: Mon, 22 Jun 2026 16:39:35 +0100 Subject: [PATCH 9/9] docs: add 'Viewing your dependencies' heading before access sentence --- docs/organizations/managing-security-and-risk.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index b874e7739d..3d2b538da4 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md @@ -584,6 +584,8 @@ To enable Trivy across your organization, you can: - **Recommended — via coding standard:** [Add Trivy to a coding standard](using-coding-standards.md), enable its vulnerability patterns in the standard configuration, and apply the standard to your repositories. This covers all linked repositories in one step. - **Per repository:** Open each repository's [Code patterns page](../repositories-configure/configuring-code-patterns.md), enable the Trivy tool, and enable the relevant vulnerability patterns. +### Viewing your dependencies + To access the dependencies page, access the [overview page](#dashboard) and click the **Dependencies** tab. ![Security and risk management dependencies page](images/security-risk-management-dependencies-list.png)
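Review bot: PATCH 2/9 deletes the only text that names the failure symptom: with the Trivy tool enabled but no vulnerability pattern active, the scan runs, produces no findings, and the Dependencies page shows no data. The numbered list that remains states the two conditions but not what a reader sees when the second one is missing. PATCH 1/9's message says the empty-state and partial-coverage CTAs (OD-143, OD-144) deep-link to this anchor, so someone arriving from an empty Dependencies tab needs that symptom spelled out. Suggest keeping it as one plain sentence after the pattern list rather than an admonition, for example "If the Trivy tool is enabled but no vulnerability pattern is active, the scan runs but reports no findings."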
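Review bot: In PATCH 5/9, condition 2 still reads "At least one **Trivy vulnerability pattern** is enabled" above five patterns named by severity, and nothing says what each pattern controls. If each pattern gates only its own severity, a repository with only `Trivy_vulnerability_minor` enabled meets the documented prerequisite while reporting no critical or high findings. State what each pattern covers and name the set you recommend enabling. `Trivy_malicious_packages` also sits under the "vulnerability pattern" label; either widen the label or list it separately.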
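Review bot: In the first hunk of PATCH 6/9, "daily re-scans ... across all repositories" overstates coverage, because the section it links to says a repository only produces results when the Trivy tool and at least one pattern are enabled. Suggest qualifying the sentence, for example "across all repositories that meet the [daily re-scan requirements](#proactive-sca-requirements)". The same sentence says "Business plan" while the Dependencies admonition in the second hunk says "business-tier"; PATCH 4/9 normalised the hyphenation, so pick one term here too.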
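Review bot: In the second hunk of PATCH 6/9, the moved section is headed "Daily re-scan requirements" but its first sentence opens with "Proactive SCA uses **Trivy**", and after this patch none of the lines visible in the series introduces the term "proactive SCA" (the SCA findings paragraph now says "daily re-scans"). Either open the section with "Daily re-scans use **Trivy**" or define proactive SCA in that first sentence, so the heading, the body and the `proactive-sca-requirements` anchor read as the same feature.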
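Review bot: The heading added in PATCH 9/9, "### Viewing your dependencies", has no explicit `{: id="..."}` attribute, while the other headings touched in this series carry one (`opening-and-closing-sca-items`, `dependencies-list`, `proactive-sca-requirements`). Add an explicit id so links to it do not depend on the auto-generated slug. The context sentence directly below reads "To access the dependencies page, access the [overview page]"; consider changing the second "access" to "open" while this block is being edited.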