Preventing Risk Checklist

Sonatype Lifecycle gives you powerful tools to prevent applications with unacceptable risk from being released. Once integrated into your CI/CD pipeline, Lifecycle can break builds and block releases. When your organization is adept at handling policy violations, it's time to begin enforcing your risk standards on your releases.

Note

Preventing and addressing new violations is an ongoing process of gradual improvement. Once you're here, you'll repeat these steps on a continual basis.

Goals

  • Enable enforcement for critical policy violations

  • Gradually enable enforcement for less severe violation types

Action Items

  1. Review Enforcement Best Practices

  2. Establish criteria for enabling enforcement - Determine what standards your organization should meet to be ready for policy enforcement.

    • Communicate the enforcement timeline in advance, so all affected teams have time to prepare.

  3. Determine communication channels for feedback and changes to policy enforcement - Setting up channels for feedback is key to a successful rollout. The enforcement and violation process needs developer buy-in to be successful.

  4. Set expectations for enforcement - Let your development teams know what to expect when enforcement is enabled and ensure they have the tools to handle blocked builds.

    • Communicate what kinds of policy violations will have enforcement enabled.

    • Review SLOs.

    • Review waiver workflows.

  5. Enable enforcement for critical violations - Turn on enforcement for your most critical risk categories.

  6. Gradually enable enforcement for other policy threat levels - When your organization is comfortable with build failures for critical components and is actively remediating new violations, you're ready to enable enforcement for additional policy types.

Measuring Success

Success can be measured with the Success Metrics script by tracking three figures month-on-month: the Discovery Rate (if teams choose good-quality components, fewer violations are discovered at build time), the MTTR (Mean Time To Resolution), and the Risk Ratio (total number of critical violations divided by the total number of applications onboarded).
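The following is an added illustration of how these three figures can be derived from violation records, written for this page and not taken from Sonatype's Success Metrics script. It assumes a simple record per violation (application, policy threat level, discovery time, resolution time), a constructed threshold of threat level 8 or higher for "critical", a constructed definition of Discovery Rate as violations discovered per month, and a constructed onboarding count per month; the sample records are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime as dt
from typing import Dict, List, Optional


@dataclass
class Violation:
    app: str
    threat_level: int            # Lifecycle policy threat level (0-10)
    discovered: dt               # when the evaluation first reported it
    resolved: Optional[dt]       # None while the violation is still open


# Assumed threshold: threat level 8 and above counts as a critical violation.
CRITICAL_THREAT = 8


def month_key(ts: dt) -> str:
    """Bucket a timestamp by calendar month, e.g. '2024-02'."""
    return ts.strftime("%Y-%m")


def discovery_rate(violations: List[Violation]) -> Dict[str, int]:
    """Assumed definition: number of violations discovered in each month."""
    counts: Dict[str, int] = defaultdict(int)
    for v in violations:
        counts[month_key(v.discovered)] += 1
    return dict(counts)


def mttr_hours(violations: List[Violation]) -> Dict[str, float]:
    """Mean Time To Resolution in hours, grouped by the month the violation was resolved.
    Open violations have no resolution time and are excluded rather than counted as zero."""
    totals: Dict[str, List[float]] = defaultdict(lambda: [0.0, 0.0])
    for v in violations:
        if v.resolved is None:
            continue
        hours = (v.resolved - v.discovered).total_seconds() / 3600
        bucket = totals[month_key(v.resolved)]
        bucket[0] += hours
        bucket[1] += 1
    return {m: total / n for m, (total, n) in totals.items()}


def risk_ratio(violations: List[Violation], apps_onboarded: Dict[str, int]) -> Dict[str, float]:
    """Critical violations discovered in a month divided by applications onboarded that month.
    Months with no onboarded applications are skipped to avoid division by zero."""
    critical: Dict[str, int] = defaultdict(int)
    for v in violations:
        if v.threat_level >= CRITICAL_THREAT:
            critical[month_key(v.discovered)] += 1
    ratios = {}
    for month, n_apps in apps_onboarded.items():
        if n_apps > 0:
            ratios[month] = critical.get(month, 0) / n_apps
    return ratios


def month_on_month(series: Dict[str, float]) -> Dict[str, float]:
    """Change of a metric versus the previous month present in the series (negative = improving for MTTR)."""
    months = sorted(series)
    return {cur: series[cur] - series[prev] for prev, cur in zip(months, months[1:])}


# Constructed sample data: five violations across three applications over two months.
SAMPLE_VIOLATIONS = [
    Violation("billing-api", 9, dt(2024, 1, 3), dt(2024, 1, 10)),    # resolved after 168h
    Violation("billing-api", 5, dt(2024, 1, 15), dt(2024, 2, 1)),    # resolved in Feb after 408h
    Violation("web-portal", 9, dt(2024, 2, 5), dt(2024, 2, 7)),      # resolved after 48h
    Violation("web-portal", 3, dt(2024, 2, 20), None),               # still open, excluded from MTTR
    Violation("auth-svc", 10, dt(2024, 2, 25), dt(2024, 2, 26)),     # resolved after 24h
]
# Constructed count of applications onboarded as of each month.
APPS_ONBOARDED = {"2024-01": 2, "2024-02": 5}

if __name__ == "__main__":
    print("discovery rate:", discovery_rate(SAMPLE_VIOLATIONS))
    print("MTTR (h):", mttr_hours(SAMPLE_VIOLATIONS))
    print("risk ratio:", risk_ratio(SAMPLE_VIOLATIONS, APPS_ONBOARDED))
    print("MTTR change:", month_on_month(mttr_hours(SAMPLE_VIOLATIONS)))
```

With real data, the records would come from Lifecycle's reporting rather than an inline list; the point of the example is that MTTR must exclude unresolved violations and Risk Ratio must guard against months with no onboarded applications, otherwise the month-on-month trend is misleading.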