
Continuous Monitoring Best Practices

Continuous Monitoring (CM) is the capability to automatically check your applications for any new violations every night.

CM needs to be configured to a stage before monitoring will start.

Overview of the Continuous Monitoring (CM) Process

  1. Set CM to a specific stage to monitor

    • The release and operate stages are the most common

      The release stage in the DevOps cycle is where the updated code should have been thoroughly tested and validated before launch. Setting CM at the release stage acts as a gate: it informs you of any risks so that you can avoid delivering a product riddled with vulnerabilities.

      The operate stage is useful in scenarios involving integrations with deployment tools. Evaluations at this stage will not show up in the dashboard or reporting views.

      For more information on selecting a stage to monitor, refer to Usage Suggestions for Each Stage.

    • Which stage is monitored may be overridden at the organization level

  2. CM notifications are configured on each policy

    • Focus on critical violations

    • Send notifications to the appropriate role

  3. CM monitors the most recent Lifecycle evaluation

    • CM updates the latest report daily

    • CM creates a new report with every scan

  4. The time at which CM runs may be configured

    • Midnight on the installation server is the default

  5. Only new violations will trigger notifications

Use Continuous Monitoring to notify you of newly discovered vulnerabilities

  • Sonatype data is updated throughout the day

  • CM will let you know when new vulnerabilities are added to Sonatype data

  • CM informs you of risk before your next release

Most Effective

  • currently deployed to production

  • code that is not built frequently

  • legacy applications

  • third-party applications

  • applications licensed under Sonatype Auditor

Not Effective

  • when configured to a stage that is not scanned

  • when notifications are not configured

  • when applications are evaluated more than once a day

  • evaluations from previous builds (not the latest scan)

  • CM is not used for enforcement

Understand the impact of your Continuous Monitoring strategy

  • CM scans a single application at a time to minimize load

  • A large number of applications may take multiple days to review

    • Approximately 2500 applications are analyzed per day

      • 99% of scans are completed in less than 2 minutes

      • 95% are completed in less than 30 sec

  • Consult with Customer Success or Support to increase the CM scan rate

Purge Continuous Monitoring data after 30 days

  • We recommend setting the data retention for CM to 30 days or less

  • Reports from Continuous Monitoring accumulate fast when scanned every night

  • Only the latest report is shown in the UI

Continuous Monitoring Decision Tree

The Continuous Monitoring decision tree flowchart is outlined below.


Top of chart begins with Q: "How often am I building this app?"

  1. If "Frequently" to building the app, then "Not a good candidate for Continuous Monitoring. Integrate with your CI/CD system instead."

  2. If "Rarely" to building the app, then Q: "Is this a legacy app?"

    1. If Yes to legacy app, then "Good candidate for Continuous Monitoring."

    2. If No to legacy app, then Q: "Is this app actively deployed to production?"

      1. If Yes to deployed to production, then "Good candidate for Continuous Monitoring."

      2. If No to deployed to production, then Q: "Is this a third-party app?"

        1. If Yes to third-party app, then "Good candidate for Continuous Monitoring."

        2. If No to third-party app, then Q: "Do you need visibility on this app?"

          1. If Yes on visibility, then "Turn on Continuous Monitoring for now."

          2. If No on visibility, then "Accept the risk of not scanning."