Skip to main content

Easy SCM Onboarding

Easy SCM Onboarding is a tool whose primary purpose is to import the applications housed in your SCM system repositories and turn them into applications in Lifecycle. This integration enables Sonatype Lifecycle to scan and evaluate your organization's applications directly from the source control without modifying any code or continuous integration (CI) build processes.

Once your applications are set up in Lifecycle, Easy SCM Onboarding scans the applications via the Instant Risk Profile to give you an immediate, baseline glimpse of your applications' risk. This enables rapid visibility into open-source risks for critical applications and helps your team prioritize remediation efforts. This is done without having to manually scan or add Lifecycle to your build process.

Note: It is important to understand that Easy SCM Onboarding is a useful, initial tool to help you get started with scanning and accelerate adoption; however, it is just that – initial. It only initially scans what has been committed to your SCM system (i.e. manifests) and, therefore, does not provide a full analysis that comes from accessing the advanced binary fingerprinting.

In fact, performing a full analysis produces noticeably different results for the same project. Therefore, we recommend that you strive toward integrating Lifecycle with your continuous integration (CI) and command line interface (CLI) pipeline for fine-grained scan control and binary analysis, which ensures the highest-quality scan results.


To use Easy SCM Onboarding, you'll need to do the following:

  • Ensure your SCM system resources are adequate for the new applications.

  • Obtain an access token for your SCM system to connect to your IQ organization. We recommend setting the token in the Root Organization.

Using Easy SCM Onboarding

  1. Select an organization other than the Root Organization since the Root Organization isn't allowed to have any applications (by default, other organizations inherit the SCM configuration from the Root Organization). You will be able to select a different organization on the Import Applications screen.

  2. Select "Import Applications".

  3. Add the SCM server host URL of your SCM system if prompted.

  4. Select the checkboxes next to the repositories you wish you import and select "Import Repositories" at the bottom of the page. In this step, you are selecting the repositories from your SCM system that you wish to create as new applications in IQ Server.

  5. The Instant Risk Profile will queue up your selected repositories (now considered IQ applications) and immediately begin the automatic scan of your imported applications. You can view the resulting scan report by selecting "Go To Reports" on the Import Status dialog box. Please note that this initial scan focuses only on the manifest and lock files in your applications. It is considered an initial glimpse of the types of risk your applications pose. More thorough scans must be specifically configured after Easy SCM Onboarding. If you need to import additional applications, select "Continue Importing". You can always open an additional window to view the ongoing upload progress on the Reports page.

  6. From the Reports dashboard, select "View Report" next to the recently imported and scanned application you wish to view.

  7. From here, you can view information on specific components in the report and prioritize your remediation efforts. Once you have onboarded your SCM repositories into IQ Server as applications, you can further configure your applications' scans in your CI and CLI pipeline.