CI and CLI Integrations
Sonatype Lifecycle supports several CLI and CI integrations with its SCM Integration.
Sonatype CLI
Any application can be evaluated against your policies using the Sonatype CLI.
Instructions for Use
Run the nexus-iq-cli command within the git-cloned project folder. Sonatype for SCM will automatically discover the commit hash and repository URL from the git context and then send this information to Sonatype Lifecycle with the policy evaluation request.
The additional command output will print the repository and commit hash discovery information:
[INFO] Validating IQ Server version http://localhost:8070...
[INFO] Validating application ID test-app with the IQ Server http://localhost:8070...
[INFO] Discovered repository url 'https://github.com/my-org/my-repo' via jGit
[INFO] Discovered commit hash '00ac4dc1da4b8ce233df110cbd175ae85284b655' via jGit
If you are not running the command within a git-cloned project folder, you can set the GIT_DIR environment variable to the full path of the .git folder of the git-cloned project.
If you do not have a git-cloned project at all, you can pass in the commit hash with the nexus-iq-cli parameter --metadata. Use the following format in the file that --metadata points to:
{"commitHash": "<git commit hash>"}
Sonatype CLI Docker Image
The Sonatype CLI is also available as a docker image at https://hub.docker.com/r/sonatype/nexus-iq-cli. The documentation there details how to use the image to perform an evaluation.
Sonatype Platform Plugin for Jenkins
Sonatype Platform Plugin for Jenkins scans a build workspace for components, creates a summary file about all the components found, and then submits that file to the IQ Server for a detailed policy evaluation. Lifecycle generates a detailed analysis of security information, license information, and other policy details. A summary of that report is sent to the Jenkins server to include in the build results.
Prerequisites
Version nexus-jenkins-plugin-3.8.20191204-084645.a4bff16 and higher
Instructions for Use
Run the Sonatype Platform Plugin for Jenkins. Sonatype for SCM will automatically discover the commit hash by reading the GIT_COMMIT environment variable. If the environment variable is not set, Sonatype for SCM will identify the commit hash by traversing the directory tree until it finds the .git folder.
An additional command output will print the commit hash discovery information in the Jenkins System Log:
...
Dec 20, 2019 4:45:53 PM FINE com.sonatype.nexus.git.utils.commit.AggregateCommitHashFinder tryGetCommitHash
Unable to find commit hash via environment variable GIT_COMMIT
Dec 20, 2019 4:45:53 PM INFO com.sonatype.nexus.git.utils.commit.AggregateCommitHashFinder tryGetCommitHash
Discovered commit hash '60638345c358694151de444fd63bfb02ca79ec8b' via jGit
...
Sonatype for GitLab CI
CI/CD pipeline jobs in GitLab use custom docker images to perform actions in a GitLab project's build workspace. The GitLab Sonatype docker image provides the ability to run policy evaluations against build artifacts in GitLab. This produces a summary report with policy violation counts and a link to a detailed report on the IQ Server.
Prerequisites
Version release-1.2 and higher
Instructions for Use
Run Sonatype for GitLab CI. Lifecycle automatically discovers the commit hash by reading the CI_COMMIT_SHA environment variable. If the environment variable is not set, Sonatype for SCM will discover the commit hash by traversing up the directory tree until it finds the .git folder.
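The Jenkins and GitLab sections above describe the same discovery order: take the commit hash from the CI environment variable (GIT_COMMIT or CI_COMMIT_SHA), otherwise walk up the directory tree to the .git folder and read the hash from there. The following is an added illustration of that order, not Sonatype's own code (the integrations use jGit); it adds a well-formedness check on the environment value, resolves HEAD through loose refs or packed-refs, and builds a constructed fake .git folder as a fixture.

```python
import re
import tempfile
from pathlib import Path

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")  # shape of a full git commit hash

def hash_from_env(env, names=("GIT_COMMIT", "CI_COMMIT_SHA")):
    """Step 1: use the hash the CI server exported, if it is well-formed (added check)."""
    for name in names:
        value = (env.get(name) or "").strip().lower()
        if SHA1_RE.match(value):
            return value
    return None

def find_git_dir(start):
    """Step 2: walk up the directory tree until a .git folder is found."""
    start = Path(start).resolve()
    return next((d / ".git" for d in (start, *start.parents) if (d / ".git").is_dir()), None)

def hash_from_git_dir(git_dir):
    """Step 3: resolve HEAD (detached, loose ref or packed-refs) to a hash."""
    head = (git_dir / "HEAD").read_text().strip()
    if not head.startswith("ref: "):
        return head if SHA1_RE.match(head) else None
    ref = head[len("ref: "):]
    if (git_dir / ref).is_file():
        return (git_dir / ref).read_text().strip()
    packed = git_dir / "packed-refs"
    for line in packed.read_text().splitlines() if packed.is_file() else []:
        sha, _, name = line.partition(" ")  # comment and peeled lines never match
        if name == ref and SHA1_RE.match(sha):
            return sha
    return None

def discover_commit_hash(workdir, env):
    """Apply the three steps in the order the integrations above describe."""
    found = hash_from_env(env)
    if found is None and (git_dir := find_git_dir(workdir)) is not None:
        found = hash_from_git_dir(git_dir)
    return found

def build_sample_repo():
    """Constructed fixture: a fake .git folder (packed ref only) with a nested source dir."""
    root = Path(tempfile.mkdtemp())
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ".git" / "packed-refs").write_text(
        "# pack-refs with: peeled fully-peeled\n"
        "0123456789abcdef0123456789abcdef01234567 refs/heads/main\n")
    (root / "src" / "module").mkdir(parents=True)
    return root / "src" / "module"
```

Calling discover_commit_hash(build_sample_repo(), {}) exercises the directory walk from the nested source folder; passing an environment dict with GIT_COMMIT set short-circuits it.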
Sonatype CLM for Maven
Any application can be evaluated against your policies using the Sonatype CLM for Maven Plugin.
Prerequisites
Version 2.16.0 and higher
Instructions for Use
Run the evaluate goal anywhere within the git-cloned project folder. Sonatype for SCM will automatically discover the commit hash from the git context and send this information to the IQ Server with the policy evaluation request.
An additional command output will print the repository and commit hash discovery information (some lines were omitted):
[INFO] Starting scan...
[INFO] Discovered commit hash 'b8d6b434dad8670ddfd08a0f9232df46134f2198' via jGit
...
You can set the GIT_DIR environment variable to the full path of the .git folder for the git-cloned project if you are not running the command within a git-cloned project folder.
Sonatype for Bamboo
The Sonatype for Bamboo plugin lets you run policy evaluations against build artifacts in Bamboo. This produces a summary report with policy violation counts and a link to a detailed report on the IQ Server.
Prerequisites
Version release-1.15.0 and higher
Instructions for Use
Add an IQ Policy Evaluation task to your build plan in Bamboo and execute the plan. Sonatype for SCM will automatically discover the commit hash and send it to the IQ Server as part of the policy evaluation request.
The collection of the commit hash can be viewed in the build log as shown below (some lines were omitted):
simple 04-Feb-2020 11:15:45 Starting IQ analysis
...
simple 04-Feb-2020 11:15:47 Discovered commit hash '17950bd5cf0492d046e6f01b49836f073638af4f' via jGit
...
simple 04-Feb-2020 11:15:58 Policy evaluation completed in 10 seconds.