Automated Commit Feedback
NEW IN RELEASE 67
Nexus IQ for SCM puts the information developers need to quickly remediate vulnerabilities in their software at their fingertips by pushing policy evaluation results into the SCM commits and pull requests where developers already work.
This feature is enabled for all repository types: private, internal, and public.
Policy Evaluation Summaries
In Azure DevOps, a build status can be attached to a commit when an IQ Policy Evaluation highlights violations. This is visible on individual commits and in the commit history.
In both Bitbucket Server and Bitbucket Cloud, a build status can be attached to commits when an IQ Policy Evaluation highlights violations. This will be visible on individual commits and on any pull requests containing that commit.
As a GitHub Status, an IQ Policy Evaluation check runs whenever a Pull Request is created or updated. Like other status checks, it can be configured to simply provide feedback or to block a PR from being merged when it detects vulnerable components or policy violations. Each policy evaluation links to the full IQ Policy Evaluation report via the Details link to the right of the affected-components summary counts.
The IQ Policy Evaluation report can also be accessed from a commit itself: click the status icon, then click the Details link to the right of the IQ Policy Evaluation component summary in the checks popup.
An IQ Policy Evaluation step can be added to the GitLab pipeline to provide feedback or to block Merge Requests when it detects vulnerable components or policy violations. See the sections below on protecting target branches for more information. When violations are detected, the 'IQ Policy Evaluation' step links to the full scan report on IQ Server.
Viewing the Full Policy Evaluation Report in Nexus IQ
Clicking the Details link opens the IQ Policy Evaluation report, where the developer will see the version currently in use along with the other vulnerable and non-vulnerable versions of that component.
This gives developers the information they need to quickly remediate vulnerable components.