Automated Commit Feedback

NEW IN RELEASE 67

Overview

Nexus IQ for SCM pushes policy evaluation results into the commits, pull requests and merge requests where developers already work, so the information needed to remediate vulnerable components is available without leaving the SCM tool.

Policy Evaluation Summaries in GitHub

An IQ Policy Evaluation check runs as a GitHub Status whenever a Pull Request is created or updated. Like other status checks, it can be configured either to provide feedback only or to block the PR from being merged when it detects vulnerable components or policy violations. Each status shows summary counts of affected components, and the Details link to the right of those counts opens the full IQ Policy Evaluation report.

The IQ Policy Evaluation report can also be accessed from a commit itself by clicking the status icon then clicking the Details link to the right of the IQ Policy Evaluation component summary on the checks popup.

Policy Evaluation Summaries in GitLab

An IQ Policy Evaluation step can be added to the GitLab pipeline to provide feedback or to block Merge Requests when it detects vulnerable components or policy violations. See the sections below on protecting target branches for more information. When violations are detected, the 'IQ Policy Evaluation' entry links to the full scan report on IQ Server.
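The following .gitlab-ci.yml fragment is an added example of such a pipeline step; it is not taken from the original page or from Sonatype's own documentation. It assumes the Nexus IQ CLI jar is downloaded from a URL held in a CI variable, that IQ_USER and IQ_TOKEN are masked CI variables, and that the server URL, application id and scan target path shown are placeholders. The CLI flags used (-i application id, -s server URL, -a credentials, -t stage, -r result file) are the ones the IQ CLI documents, but verify them against the CLI version in use.

```yaml
# .gitlab-ci.yml (added example; names and URLs are placeholders)
stages:
  - build
  - policy-evaluation

iq-policy-evaluation:
  stage: policy-evaluation
  # Assumption: any image with a Java runtime can execute the IQ CLI jar.
  image: eclipse-temurin:17-jre
  variables:
    IQ_SERVER_URL: "https://iq.example.com"   # placeholder IQ Server URL
    IQ_APPLICATION_ID: "my-app"               # placeholder application id known to IQ Server
  script:
    # Assumption: IQ_CLI_DOWNLOAD_URL is a CI variable pointing at the CLI jar.
    - curl -sSfo nexus-iq-cli.jar "$IQ_CLI_DOWNLOAD_URL"
    # Run the policy evaluation against the build output. A non-zero exit code
    # (policy failure or scan error) fails this job, which is what blocks the
    # merge request once the project requires a passing pipeline to merge.
    - java -jar nexus-iq-cli.jar
        -i "$IQ_APPLICATION_ID"
        -s "$IQ_SERVER_URL"
        -a "$IQ_USER:$IQ_TOKEN"
        -t build
        -r iq-result.json
        target/
  artifacts:
    when: always          # keep the result file even when the evaluation fails
    paths:
      - iq-result.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

Keep IQ_USER and IQ_TOKEN as masked, protected CI variables rather than literals in the file, and prefer a token over a password so it can be rotated without changing the job. The result file is kept as an artifact so the report link and violation counts survive a failed job.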


Policy Evaluation Summaries in Bitbucket

In both Bitbucket Server and Bitbucket Cloud, a build status is attached to a commit when an IQ Policy Evaluation finds violations. The status is visible on the individual commit and on any pull request that contains that commit.


Viewing the Full Policy Evaluation Report in Nexus IQ

Clicking the Details link opens the IQ Policy Evaluation report, which shows the component version currently in use alongside other versions of that component, marked as vulnerable or non-vulnerable.

This gives developers the information they need to choose a safe version and remediate the vulnerable component quickly.