Skip to main content

CI and CLI Integrations

Sonatype Lifecycle supports several CLI and CI integrations with its SCM Integration.

Sonatype CLI

Any application can be evaluated against your policies using the Sonatype CLI.

Instructions for Use

Run the nexus-iq-cli command within the git-cloned project folder. Sonatype for SCM will automatically discover the commit hash and repository URL from the git context and then send this information to Sonatype Lifecycle with the policy evaluation request.

The additional command output will print the repository and commit hash discovery information:

[INFO] Validating IQ Server version http://localhost:8070...
[INFO] Validating application ID test-app with the IQ Server http://localhost:8070...
[INFO] Discovered repository url 'https://github.com/my-org/my-repo' via jGit
[INFO] Discovered commit hash '00ac4dc1da4b8ce233df110cbd175ae85284b655' via jGit

You can set the GIT_DIR environment variable to the full path of the .git folder for the git cloned project if you are not running the command within a git cloned project folder,

You can pass in the commit hash with the nexus-iq-cli parameter --metadata If you do not have a git-cloned project. Use the following format to point to a file with the desired commit hash:

{"commitHash": "<git commit hash>"}

Sonatype CLI Docker Image

The Sonatype CLI is also available as a docker image at https://hub.docker.com/r/sonatype/nexus-iq-cli. The documentation there details how to use the image to perform an evaluation.

Sonatype Platform Plugin for Jenkins

Sonatype Platform Plugin for Jenkins scans a build workspace for components, creates a summary file about all the components found, and then submits that file to the IQ Server for a detailed policy evaluation. Lifecycle generates a detailed analysis of security information, license information, and other policy details. A summary of that report is sent to the Jenkins server to include in the build results.

Prerequisites

  • Version nexus-jenkins-plugin-3.8.20191204-084645.a4bff16 and higher

Instructions for Use

Run the Sonatype Platform Plugin for Jenkins. Sonatype for SCM will automatically discover the commit hash by reading the GIT_COMMIT environment variable. If the environment variable is not set, Sonatype for SCM will identify the commit hash by traversing the directory tree until it finds the .git folder.

An additional command output will print the commit hash discovery information in the Jenkins System Log:

...
Dec 20, 2019 4:45:53 PM FINE com.sonatype.nexus.git.utils.commit.AggregateCommitHashFinder tryGetCommitHash
Unable to find commit hash via environment variable GIT_COMMIT
Dec 20, 2019 4:45:53 PM INFO com.sonatype.nexus.git.utils.commit.AggregateCommitHashFinder tryGetCommitHash
Discovered commit hash '60638345c358694151de444fd63bfb02ca79ec8b' via jGit
...

Sonatype for GitLab CI

CI/CD pipeline jobs in GitLab use custom docker images to perform actions in GitLab project's build workspace. The GitLab Sonatype docker image provides the ability to run policy evaluations against build artifacts in GitLab. This produces a summary report with policy violation counts and a link to a detailed report on the IQ Server.

Prerequisites

  • Version release-1.2 and higher

Instructions for Use

Run Sonatype for GitLab CI. Lifecycle automatically discovers the commit hash by reading the CI_COMMIT_SHA environment variable. If the environment variable is not set, Sonatype for SCM will discover the commit hash by traversing up the directory tree until it finds the .git folder.

Sonatype CLM for Maven

Any application can be evaluated against your policies using the Sonatype CLM for Maven Plugin.

Prerequisites

  • Version 2.16.0 and higher

Instructions for Use

Run the evaluate goal anywhere within the git-cloned project folder. Sonatype for SCM will automatically discover the commit hash from the git context and send this information to the IQ Server with the policy evaluation request.

An additional command output will print the repository and commit hash discovery information (some lines were omitted):

[INFO] Starting scan...
[INFO] Discovered commit hash 'b8d6b434dad8670ddfd08a0f9232df46134f2198' via jGit
...

You can set the GIT_DIR environment variable to the full path of the .git folder for the git-cloned project if you are not running the command within a git-cloned project folder.

Sonatype for Bamboo

The Sonatype for Bamboo plugin lets you run policy evaluations against building artifacts in Bamboo. This produces a summary report with policy violation counts and a link to a detailed report on the IQ Server.

Prerequisites

  • Version release-1.15.0 and higher

Instructions for Use

Add an IQ Policy Evaluation task to your build plan in Bamboo. Execute the plan. Sonatype for SCM will automatically discover the commit hash and send it to IQ Server as part of the policy evaluation request.

The collection of the commit hash can be viewed in the build log as shown below (some lines were omitted):

simple 04-Feb-2020 11:15:45    Starting IQ analysis
...
simple  04-Feb-2020 11:15:47    Discovered commit hash '17950bd5cf0492d046e6f01b49836f073638af4f' via jGit
...
simple  04-Feb-2020 11:15:58    Policy evaluation completed in 10 seconds.