Instant Risk Profile

Sonatype Lifecycle will scan the default branch for each application created through Easy SCM Onboarding. The results from that scan are your Instant Risk Profile. Your results depend on the files stored in your source control repository.

SCM Scan Details:

Source Control Scans do the following:

  • IQ Server performs a Git clone operation to access the files in your repository.

  • IQ Server uses several file types from the repository to generate results.

  • Default branch scans use the 'Source' stage.

  • Scan/policy evaluation results are available on the Reporting page in the 'Source' stage column.

Instant Risk Profile Results

The Instant Risk Profile is a scan of your Source Control Repository. It is triggered when a Lifecycle Application is created through Easy SCM Onboarding. The purpose of this scan is to give you an overview of the risk and policy violations in your application.

During SCM Onboarding, all new applications without a source scan enter a queue. The Reports page will display a 'pending' indicator for applications that are waiting for their initial onboarding scan. When the scan completes, the pending indicator is replaced by a summary of the scan and policy evaluation.

No relevant files

A report will not be generated if the source control repository does not contain any relevant files to scan. In that case the CLI tooling will produce a "No violations" report.

Reviewing Results

The scan report will be available on the Component Details Page.

Next Steps

Lifecycle offers reporting tools in your source control system:

  • Continuous Risk Profile - Lifecycle will scan the default branch and pull requests on an ongoing basis.

  • Pull Request Commenting - Lifecycle will provide feedback directly in pull requests. New pull requests can trigger additional scans.