
Onboarding Applications Best Practices

How you onboard applications depends on the approximate size of your application inventory.

No. of Apps < 50: Manually onboard

  • Creating an application

  • Scanning with the user interface

No. of Apps < 500: Automatic Application Creation

  • Enable automatic application creation

  • Adding to CI build

  • Command line scanner (CLI)

No. of Apps > 500: Onboarding Scripts (REST API)

  • IQ Server REST API

Easy SCM Onboarding

Config-as-Code project

Manually Onboard

Add applications using the Organizations and Applications menu of the IQ Server user interface (UI).

  • Recommended for a limited (<50) number of applications

  • Great for testing and pilot teams

  • Not an effective long-term strategy

  • Common for third-party software and legacy code

  • Application IDs and names will need to be unique

  • Consider using an onboarding script if you already have a complete list

Potential Pitfalls:

  • Manually adding applications can be slow.

  • Does not scale.

  • Easy to make mistakes:

    • Avoid duplicating application IDs when using a build configuration template

    • Noisy notifications and faulty metrics

    • May break remediation waivers

Automatic Application Creation

Configure IQ Server to add an application automatically when a scan uses a PublicID that is not already in use.

  • Applications are automatically added to a default organization.

    • The default organization may be configured in the UI.

  • Recommended for applications that would need to be onboarded over time.

  • Application Categories will need to be manually set.


  • Assign someone to review in a holding organization

    • assign Application Categories

    • move to the correct organization

    • rename the applications to something more human-recognizable

  • Not recommended for confidential applications.


  • Very easy to create new applications unintentionally

  • Currently cannot track the scan back to the source

  • Only a single default organization

  • The scan may not have the correct policy

  • Access controls may not be set correctly

  • Notifications may be sent to the wrong people


Onboarding through Source Control Managers

Easy SCM Onboarding lets you select applications to onboard through a point-and-click menu in the UI.

  • Scans are run against the source code.

  • Scanners will look for dependency lock files as well as binaries.

  • Look for common language-specific patterns.

  • Review the analysis documentation for details.


  • Manifest scanning does not provide a complete risk analysis of your built application.

  • A complete scan will still need to be added during the build process.

Onboarding Scripts (REST API)

Use the REST API to configure applications preemptively or in real time.

  • Directly integrate into your application management systems

  • Recommended for a large number of applications or self-service growth

  • Match to your internal systems using IDs, application names, and existing groups


  • DO NOT test onboarding scripts in production; start with a backup.

  • Major deployments are challenging to roll back or correct.

  • Fully test scripts in a development environment before production.

  • Monitor systems for irregularities and stability.
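
An added example, not from the original page or from Sonatype: a dry-run planner for an onboarding script that checks an inventory for the pitfalls listed above (duplicate IDs or names, groups with no matching organization) before anything is sent. The endpoint paths and JSON field names are assumptions based on the IQ Server Application and Organization REST APIs (v2) and should be verified against your server version; the inventory shape and all sample data are constructed.

```python
import json
import urllib.request

def plan_onboarding(inventory, existing_apps, org_ids_by_name):
    """Validate inventory rows offline; return (payloads, problems).
    existing_apps: "applications" list from GET /api/v2/applications;
    org_ids_by_name: name -> id map built from GET /api/v2/organizations."""
    taken_ids = {a["publicId"] for a in existing_apps}
    taken_names = {a["name"] for a in existing_apps}
    payloads, problems = [], []
    for row in inventory:  # hypothetical row shape: id, name, group
        pid, name, group = row["id"], row["name"], row["group"]
        if pid in taken_ids:
            problems.append(f"{pid}: public ID duplicated or already in use")
        elif name in taken_names:
            problems.append(f"{pid}: name {name!r} duplicated or already in use")
        elif group not in org_ids_by_name:
            problems.append(f"{pid}: no organization matches group {group!r}")
        else:
            payloads.append({"publicId": pid, "name": name,
                             "organizationId": org_ids_by_name[group]})
        # Remember every row seen so duplicates inside the inventory are caught too.
        taken_ids.add(pid)
        taken_names.add(name)
    return payloads, problems

def create_application(base_url, auth_header, payload):
    """POST one planned payload to a TEST instance (never called by the demo)."""
    req = urllib.request.Request(
        f"{base_url}/api/v2/applications", data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": auth_header},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample data, not taken from a real server or inventory.
EXISTING = [{"publicId": "billing-api", "name": "Billing API"}]
ORGS = {"Payments": "org-1", "Platform": "org-2"}
INVENTORY = [
    {"id": "billing-api", "name": "Billing API v2", "group": "Payments"},  # ID on server
    {"id": "ledger", "name": "Ledger", "group": "Payments"},
    {"id": "ledger", "name": "Ledger Worker", "group": "Payments"},  # repeated ID
    {"id": "gateway", "name": "Gateway", "group": "Edge"},  # unknown group
    {"id": "auth", "name": "Auth Service", "group": "Platform"},
]

if __name__ == "__main__":
    payloads, problems = plan_onboarding(INVENTORY, EXISTING, ORGS)
    print(json.dumps(payloads, indent=2), *problems, sep="\n")
```

Feed the planner data pulled from a development instance first, and send payloads only once the problem list is empty.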


Config-as-Code Tool

  • Config-as-Code is the DevOps principle of treating configuration resources like versioned artifacts.

  • Configuration is checked into source control, assigned a version, and associated with versioned builds.

  • This config-as-code tool is a Python script that captures IQ Server’s configuration as JSON.

  • This JSON is applied to other IQ Server instances to set the same configuration.

  • The iq-config-as-code/onboarding/templates can help new users prepare their first IQ Server.


This tool is not officially supported by Sonatype.


  • Be sure to version your scraped .json files appropriately.

  • Debugging is limited, so it will be easy to make mistakes.

  • Avoid editing the template .json files if you are not familiar with scripting.

  • Start with test environments before connecting to a production instance.


  • The apply command completely overwrites your IQ Server’s configuration with the data in the target .json file.

  • Be cautious when applying new configurations, and scrape your existing configuration as a backup.

  • This tool makes it easy for misconfigurations to propagate.

  • Version your scraped configurations so that you can track changes and recover from misconfigurations.

Additional Resources: