Automated Source Control Feedback

Sonatype Lifecycle provides policy violation information directly in your Source Control Management System. This lets developers find out about policy violations during the code development process.

The feedback consists of policy evaluation summaries on new pull requests, comments on your pull requests, and automatically opened pull requests. Each feature is described below:

Policy Evaluation Summaries
  • Performs a policy analysis on new pull requests.
  • Runs as a status check, build check, or pipeline step, depending on your source control provider.
  • Can optionally be set as required before the pull request can be merged.

Pull Request Commenting
  • Comments on a pull request when the request introduces a new policy violation.
  • The comment identifies the component introducing the violation.

Pull Request Line Commenting
  • Comments on the specific line of code that introduces a new policy violation in a pull request.
  • Available for Maven, Go, npm and Gradle.

Automatic Pull Requests
  • Opens a new pull request to update the dependency to a version without a policy violation.
  • Available for npm, Maven, Gradle, and Go.

Prerequisites

All features require that the Lifecycle application be configured with an access token and a repository URL.

The list below identifies where each feature is enabled and disabled:

Automatic Pull Requests
  • Configured at the Organization.

Automated Commit Feedback
  • Configured in the SCM provider.

Pull Request Commenting
  • Configured at the Organization.

Pull Request Line Commenting
  • Enabled when Pull Request Commenting is enabled.

Automated PRs for InnerSource Components

This feature keeps applications current with the latest compatible version of their InnerSource components, so they benefit from the continuous improvements made to those components.

When a new non-major version of an InnerSource component is detected while an application is evaluated at the release stage, Lifecycle creates an automated pull request in the SCM system to update the older version of that component.

No Automated PRs for Policy Violations

Automated PRs are not created for policy violations related to InnerSource components. They are created only when a version change is detected.

Prerequisites

The prerequisites for enabling automated PRs to update InnerSource components are:

  1. The Automated InnerSource Updates feature is enabled in Lifecycle.

  2. Lifecycle is correctly configured with your SCM system using the Source Control settings.

When is an Automated PR for InnerSource Created

An automated PR to update an InnerSource component will be created when:

  1. A new version of an InnerSource component is detected at the release stage during evaluation of the application

  2. The new InnerSource version is not a major version upgrade

  3. The InnerSource component is being used as a direct dependency in the application

When a new version of the InnerSource component is detected, a PR is created automatically in the configured SCM system to replace the older version of the component with the new one.
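As an added illustration (not Sonatype Lifecycle code, and not taken from this page), the following Python sketch encodes the three conditions above together with the rule that a policy violation alone never triggers an InnerSource update PR. The record layout, function names, stage labels, and the version strings other than the easytable sample shown later on this page are assumptions; the "major upgrade" check compares only the leading version number, which is consistent with the page treating 0.6.6 to 0.8.5 as a non-major update.

```python
"""Added illustration of the documented trigger rule for automated
InnerSource update PRs. Example logic written for this page; the
dataclass layout and function names are assumptions, not Lifecycle APIs."""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse a MAJOR.MINOR.PATCH string into a comparable tuple of ints.

    Any qualifier after the patch number (e.g. '-SNAPSHOT') is ignored here;
    a string that does not start with three dotted integers is rejected."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_major_upgrade(current: str, candidate: str) -> bool:
    """True when the candidate raises the leading (major) version number."""
    return parse_version(candidate)[0] > parse_version(current)[0]


@dataclass(frozen=True)
class InnerSourceDependency:
    coordinates: str          # e.g. "com.github.vandeseer:easytable" (sample from this page)
    current_version: str      # version the application currently declares
    latest_version: str       # newest version seen during evaluation
    direct: bool              # True if declared directly by the application, not transitive
    policy_violation: bool = False   # deliberately NOT a trigger (see "No Automated PRs for Policy Violations")


def should_open_update_pr(dep: InnerSourceDependency, stage: str,
                          feature_enabled: bool = True) -> tuple:
    """Apply the documented conditions and return (decision, reason).

    Conditions: feature toggle on, evaluation at the 'release' stage, direct
    dependency, a newer version detected, and that version not a major upgrade.
    The policy_violation flag is intentionally never consulted."""
    if not feature_enabled:
        return False, "Automated InnerSource Updates is not enabled"
    if stage != "release":
        return False, f"evaluation stage is {stage!r}, not 'release'"
    if not dep.direct:
        return False, "component is a transitive dependency"
    if parse_version(dep.latest_version) <= parse_version(dep.current_version):
        return False, "no newer version detected"
    if is_major_upgrade(dep.current_version, dep.latest_version):
        return False, "newer version is a major upgrade"
    return True, f"update {dep.coordinates} {dep.current_version} to {dep.latest_version}"


if __name__ == "__main__":
    # Constructed sample evaluation: the page's easytable coordinates plus assumed variants.
    samples = [
        (InnerSourceDependency("com.github.vandeseer:easytable", "0.6.6", "0.8.5", True), "release"),
        (InnerSourceDependency("com.github.vandeseer:easytable", "0.6.6", "1.0.0", True), "release"),
        (InnerSourceDependency("com.github.vandeseer:easytable", "0.6.6", "0.8.5", False), "release"),
        (InnerSourceDependency("com.github.vandeseer:easytable", "0.6.6", "0.8.5", True), "build"),
        (InnerSourceDependency("com.github.vandeseer:easytable", "0.8.5", "0.8.5", True, True), "release"),
    ]
    for dep, stage in samples:
        decision, reason = should_open_update_pr(dep, stage)
        print(f"{dep.coordinates} {dep.current_version}->{dep.latest_version} "
              f"@{stage} direct={dep.direct}: PR={decision} ({reason})")
```

The last sample shows the caveat from the previous section: a component that is already at the latest version but carries a policy violation yields no automated InnerSource PR, because only a detected version change is a trigger.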

Steps to Configure Automated PR for InnerSource Updates

  1. Click on Orgs and Policies in the left navigation bar.

  2. Select the root org, or the organization or application for which you want to configure the automated PRs.

    [Image: step_1_autoPR.png]

  3. Set Automated InnerSource Updates to Enabled.

    [Image: small_InnerSource_Configuration.png]

Sample of an Automated PR

The example below shows an automated PR for an InnerSource component created in GitHub.

The latest application evaluation detected a new version (0.8.5) of the InnerSource component com.github.vandeseer:easytable at the release stage. This automatically created a PR in GitHub to update the older version (0.6.6).

[Image: AutoPr_for_InnerSource.jpg, the automated PR as shown in GitHub]