Sonatype for SCM
Source Control Management (SCM) systems are no strangers to development teams. Platforms such as GitHub, GitLab, and Bitbucket store and manage organizations' code repositories. As members of development teams make changes to code, the SCM system tracks the resulting iterations, reports any conflicts between those iterations, and maintains a complete history of the code, which is helpful in case any previous version needs to be reinstated. This makes SCM systems a vital part of the software development process.
Sonatype for SCM is a tool the provides early insight into an application's security and licensing risk by analyzing the open source referenced in the code. It is designed to work directly within your SCM. This is essentially like posting a security guard inside the bank vault rather than outside the bank building. Our Source Control Integration works with in tandem with our Continuous Integration system integrations to give you policy information in the tools your team uses every day. If a component violates a policy that the organization has set, Lifecycle takes action not only to communicate its findings but also to generate suggested remediation directly into the source code repository by initiating such things as automated commit feedback, automated pull requests, and pull request commenting with the changes to an application's component manifest. Sonatype IQ Server interacts with Git-based systems primarily through an API. The APIs enable the creation of pull requests, commenting on pull requests, creation of commit statuses, etc.
Sonatype for SCM's two main features
Easy SCM Onboarding – A tool to help you import the repositories housed in your SCM systems that you wish to integrate with Sonatype IQ so that they can be recreated as Lifecycle applications. Once this step is complete, Sonatype IQ scans the newly imported applications via the Instant Risk Profile to offer a one-time, initial glimpse of your applications' risk based on what has been committed to your SCM system up to that point. This helps your development team know what applications to prioritize when subsequently establishing your remediation plan.
Automated source control feedback – This aspect of Sonatype for SCM, in essence, is the ways in which Sonatype IQ communicates what it has found and what it suggests in terms of action taken to remediate any concerns in the SCM system repositories. To achieve this, Sonatype IQ Server uses automated commit feedback, automated pull requests, and pull request commenting to report its scan results. The specific features available to you depend upon which SCM system you use since each system has different configuration capabilities with Sonatype integration.
Getting Started
To use Sonatype for SCM, your IQ Server must be configured to allow access to your company's SCM platform. To begin, you'll need to connect Sonatype IQ to your SCM system repositories, which is best done by following the steps in Easy SCM Onboarding. Following that, you will need to set up your source control configuration.
End Goal
By the end of this documentation, you will be able to connect and configure your SCM system to work with Sonatype IQ so that it can begin monitoring your code for anything suspicious and communicate with you accordingly.