Supply Chain Monitoring
About the Data
Data Refresh Frequency: At 12:00 AM UTC, every Sunday
Displays Data for: Last 365 days
Minimum Requirements: The IQ Server instance should have at least 2 months of operational data for meaningful metrics. Refer to Minimum Requirements for each metric in the corresponding sections below.
Overview
Supply Chain Monitoring offers insights into the effectiveness of your Lifecycle instance in protecting your open source supply chain.
This is where you can review the health of your open source component supply chain periodically, and take corrective actions. The visualizations on this dashboard enable users to:
Check Lifecycle adoption rate
Better manage critical vulnerabilities using Lifecycle
Monitor the extent of protection offered by Lifecycle on applications
Get to Know Your Supply Chain Monitoring Dashboard
Apps Onboarding
This section indicates the increase or decrease in the number of applications being managed by Lifecycle. It provides a comparison of the number of applications being scanned and evaluated against Lifecycle policies in the current and previous time periods.
Minimum Data Requirements for Meaningful Metrics: No minimum
To improve this score, refer to Application Onboarding Best Practices.
Risk Ratio
Risk Ratio is the average number of critical vulnerabilities per application per time period. It provides a comparison of the risk ratio measured in the current and previous time periods.
Minimum Data Requirements for Meaningful Metrics: No minimum
To improve this score, refer to Remediate and Reduce Security Risks.
Scanning Rate
Scanning Rate indicates the average number of scans per application in one month. It provides a comparison of the scanning rate measured in the current and previous time periods.
Minimum Data Requirements for Meaningful Metrics: Data for at least 45 days
To improve this score, refer to Improve Scanning Rate.
Scanning Coverage
Scanning Coverage indicates the percentage of applications scanned in the build, stage-release, release or operate stage at least once per week. It compares the current scanning coverage to the previous one to indicate whether adherence to the recommended best practice of scanning applications at least once per week has improved or declined.
Minimum Data Requirements for Meaningful Metrics: Data for at least 45 days
To improve this score, refer to Improve Scanning Coverage.
Discovery Rate
Discovery Rate indicates the number of critical vulnerabilities detected by Lifecycle in the specified time period. It compares the current discovery rate to the previous. An increase in the discovery rate means that teams need to reconsider their component choices or consider applying waivers. A decrease in the discovery rate indicates that the component choices are getting better.
Minimum Data Requirements for Meaningful Metrics: Data for at least 45 days
To improve this score, refer to Use Safer Components.
Fixing Rate
Fixing Rate indicates the percentage of critical vulnerabilities fixed per application in the specified time period. It compares the current Fixing Rate to the previous one to indicate an improvement or decline in the teams' efforts to address critical vulnerabilities.
Minimum Data Requirements for Meaningful Metrics: Data for at least 45 days
To improve this score, refer to Remediating Vulnerabilities.
Backlog Rate
Backlog Rate is the ratio of critical vulnerabilities fixed to critical vulnerabilities detected during the specified time period.
A Backlog Health score below 100 indicates that remediation is slower than the discovery rate.
Minimum Data Requirements for Meaningful Metrics: Data for at least 45 days
To improve this score, refer to Improve Backlog Rate.
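The Risk Ratio, Scanning Coverage and Backlog Rate definitions above, worked through on constructed data. This is an added example, not Sonatype's code or the dashboard's actual computation. It assumes "at least once per week" means at least one scan in each 7-day window of the period; the function names and sample records are hypothetical.

```python
from datetime import date, timedelta

# Stages the page counts toward Scanning Coverage.
COUNTED_STAGES = {"build", "stage-release", "release", "operate"}

def scanning_coverage(apps, scans, start, end):
    """Percent of apps with a counted-stage scan in every 7-day window of [start, end)."""
    windows = [start + timedelta(days=7 * i) for i in range(((end - start).days + 6) // 7)]
    covered = 0
    for app in apps:
        days = [d for a, stage, d in scans if a == app and stage in COUNTED_STAGES]
        if all(any(w <= d < min(w + timedelta(days=7), end) for d in days) for w in windows):
            covered += 1
    return 100.0 * covered / len(apps) if apps else 0.0

def risk_ratio(criticals_by_app):
    """Average number of critical vulnerabilities per application for one period."""
    return sum(criticals_by_app.values()) / len(criticals_by_app) if criticals_by_app else 0.0

def backlog_rate(fixed, detected):
    """Fixed-to-detected ratio as a score; below 100 means fixes lag discovery."""
    return None if detected == 0 else 100.0 * fixed / detected

# Constructed sample data for a four-week period (not real Lifecycle output).
START, END = date(2024, 1, 1), date(2024, 1, 29)
APPS = ["payments", "web", "batch"]
SCANS = (
    [("payments", "build", date(2024, 1, d)) for d in (2, 9, 16, 23)]    # every week
    + [("web", "release", date(2024, 1, d)) for d in (3, 10, 24)]        # misses week 3
    + [("batch", "develop", date(2024, 1, d)) for d in (1, 8, 15, 22)]   # stage not counted
)
CRITICALS = {"payments": 4, "web": 1, "batch": 1}

if __name__ == "__main__":
    print(f"Scanning Coverage: {scanning_coverage(APPS, SCANS, START, END):.1f}%")
    print(f"Risk Ratio: {risk_ratio(CRITICALS):.1f}")
    print(f"Backlog Rate: {backlog_rate(fixed=18, detected=24):.0f}")
```

Only one of the three sample applications counts as covered: one misses a week, and the other is scanned weekly but in a stage outside the four the metric counts.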
Filter Options
You can select the dates to compare from the filter options.
Additional Supported Operations
You can download the underlying data by clicking on the kebab (3 vertical dots) icon in the top-right corner of this dashboard.
Using the Schedule Delivery option, you can send the dashboard data to multiple email addresses in the preferred format. Supported formats include PDF, CSV or a PNG zip file. Use the Recurrence and time field to set the timing of your data delivery options.
Troubleshooting
Problem
Clicking on the browser Refresh button may give you the following error:
Solution
On the page where you see this error, click the Back button on your browser to go back to the Data Insights landing page. Select the dashboard you want to view to reload the visualizations.
To refresh the page, click on the refresh icon on the top right, instead of the Refresh button on your browser.