Skip to main content

Onboarding Applications Checklist

This section is about preparing to import your applications. You should have already onboarded a few applications as test cases and are ready to start scanning more applications with Lifecycle. The resources below will help you select an application import strategy and begin scanning.

Note

We strongly recommend onboarding a few applications in each category as test projects. When scanning an application with a Continuous Integration tool, we recommend building a template for use with your other applications in that language.

Scanning in your Software Development Lifecycle

Sonatype Lifecycle allows you to scan the same application at multiple stages in your development process. The stages and corresponding scan method are like this:

Scanning in your SDLC

SDLC Step

Proxy

Development

Code Review

Build

Release

Maintain

Lifecycle Stage

Repository

Source

Source

Build

Stage Release

Release

Tools

Firewall (separate license)

IDE integrations

Chrome Plugin

SCM integrations

Continuous Integration

Continuous Integration

Continuous Monitoring

Overview

Firewall is a separate product that allows you to block unwanted components from entering a proxy repository. It does not provide scans of individual applications, but gives you tools to manage your open source software at the repository level.

The IDE and Chrome plugins are tools to manage risk during active development. The integrations with lifecycle aid in component selection and remediation

The SCM Integration allows you to scan your Source Control Repository for immediate scan results during code review. This is the easiest way to scan an application, but you can typically get better results by scanning application binaries.

Lifecycle can scan your applications as soon as they're built using a Continuous Integration system. This gives you the best scan results and will generate a new scan for every build.

Like the build stage, Lifecycle can integrate with a CI/CD pipeline to scan release candidates. This also gives you the best results and tools to block the release of a risky build.

Continuous Monitoring is how Lifecycle continues to assess stable applications. The components in those applications will be periodically reassessed for new violations. The results at this stage are dependent on the quality of the original scan.

Typically we recommend importing batches of applications through source control then adjusting those applications' build pipelines to include in Lifecycle.

Goals

  • Understand the different application import methods

  • Select a strategy for onboarding applications

  • Identify applications for a pilot project

Action Items

  1. Decide your application import strategy

    1. SCM Integration (UI onboarding)

      • Integrating your IQ Server and Nexus Repository Pro

    2. CI Integrations (programmatic onboarding)

      • Jenkins

      • Bamboo CI Plugin

      • CircleCI

      • Gitlab

      • Azure DevOps

      • Integrating scanning with your maven build

      • Using the Command Line

  2. Understand how to get the best results for your application

  3. Select pilot applications - This small group of applications should be representative of the languages and technology used across your organization and be run by high-performing teams. These first applications will be used to develop a process for bringing on the rest of your applications.