Instant Risk Profile
NEW IN IQ SERVER RELEASE 109
IQ Server automatically scans the contents of source control repositories (configured default branch) as new applications are onboarded.
Continuous Risk Assessment
In addition to the initial onboarding source control scan, IQ Server scans the feature branches referenced by pull requests and the default branches specified in each application's source control configuration. More information on these features can be found here.
Source control scans have the following characteristics:
- IQ Server performs a Git clone of the application's repository to obtain the files to scan
- The types of files that IQ Server is capable of understanding and scanning are continually being updated. You can find more information here.
- Default branch scans use the 'Source' stage
- Feature branch scans use the 'Develop' stage
- Scan/policy evaluation results are available on the Reporting page in the 'Source' stage column
Using Instant Risk Profile
The onboarding scan is a one-time scan to get an initial picture of an application's risk exposure.
During onboarding, all of the applications needing a source scan will enter a queue. The Reports page will display a 'pending' indicator for applications that are waiting for their initial onboarding scan. When the scan completes the pending indicator is replaced by a summary of the scan and policy evaluation.
Pull Request Scans
In addition to the onboarding scans, when the Nexus IQ Server detects a new pull request for an application it will:
- Perform a source control scan of the feature branch associated with that pull request.
- Perform another source control scan of the default branch, as necessary, to make sure its results are current.
- Create a pull request comment with details on any vulnerabilities discovered or remediated
Usage of the Source Stage
As previously mentioned, the Nexus IQ Server uses the Source stage for default branch source control scans and uses those scan results as the basis for pull request comments. However, if the Nexus IQ Server detects that an external system, for example a CI server, is submitting scan/policy evaluation requests for that application, the Nexus IQ Server will:
- switch over to using these external scan requests/results as the basis for the pull request comments
- stop performing automatic, self-initiated source control scans for that repository