Instant Risk Profile
NEW IN IQ SERVER RELEASE 109
Instant Risk Profile Overview
IQ Server automatically scans the contents of source control repositories (configured default branch) as new applications are onboarded.
Continuous Risk Assessment
In addition to the initial onboarding source control scan, IQ Server will scan feature branches as identified in pull requests.
Source control scans have the following characteristics:
- IQ Server performs a Git clone of the repository to gain access to the files it will scan.
- The set of file types IQ Server can recognize and scan is continually being expanded. You can find more information here.
- Default branch scans use the 'Source' stage.
- Feature branch scans use the 'Develop' stage.
- Scan and policy evaluation results are available on the Reports page in the 'Source' stage column.
The onboarding scan is a one-time scan to get an initial picture of an application's risk exposure.
During onboarding all of the applications needing a source scan will enter a queue. The Reports page will display a 'pending' indicator for applications that are waiting for their initial onboarding scan. When the scan completes the pending indicator is replaced by a summary of the scan and policy evaluation.
No relevant files to scan
If source control does not contain any relevant files to scan, a report will not be generated and you will not see anything under the 'Source Violations' column for that application. The CLI tooling would produce a "No violations" report in this case. In the future the initial Instant Risk Profile scan will also produce a "No violations" report if there are no relevant files to scan.
Pull Request Scans
In addition to the onboarding scans, when IQ Server detects a new pull request for an application it will:
- Perform a source control scan of the feature branch associated with that pull request.
- Perform another source control scan of the default branch, as necessary, to make sure the baseline is current.
- Create a pull request comment with details on any violations discovered or remediated relative to the default branch.
Usage of the Source stage
As described above, IQ Server uses the Source stage for default branch source control scans, and those scans are the baseline for pull request commenting. However, if IQ Server detects that an external system such as CI is feeding in scan/policy evaluation requests for the repository, IQ Server will:
- switch over to using these external scan requests and results as the basis for the pull request comments
- stop performing automatic, self-initiated source control scans for that repository
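The two rules above (which default-branch result is the baseline for pull request comments, and how the feature branch scan is compared against it to report discovered and remediated violations) can be modelled in a few functions. The following is an added illustration written for this page, not IQ Server's own code or data model; the Violation and ScanResult classes, the function names, the package URLs and the commit ids are all constructed assumptions.

```python
"""Added example: baseline selection and PR-comment diffing as described on this page.
Not Sonatype's code; all names, fields and sample values are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Violation:
    """One policy violation. Field names are this example's own, not IQ Server's schema."""
    component: str  # package URL of the offending component
    policy: str     # name of the policy that fired
    threat: int     # threat level 0-10


@dataclass(frozen=True)
class ScanResult:
    """Result of one scan / policy evaluation against a specific commit."""
    stage: str             # 'Source' (default branch) or 'Develop' (feature branch)
    commit: str            # commit the scan ran against
    violations: frozenset  # set of Violation


def choose_baseline(self_initiated: Optional[ScanResult], external: Optional[ScanResult]):
    """Pick the default-branch result that PR comments are based on.

    Mirrors the rule on the page: once an external feed (a CI system) supplies
    evaluations for the repository, those results replace the self-initiated
    Source-stage scans and the automatic scans are switched off.
    Returns (baseline, keep_auto_scans).
    """
    if external is not None:
        return external, False
    return self_initiated, True


def baseline_needs_refresh(baseline: Optional[ScanResult], default_head: str) -> bool:
    """The page says the default branch is rescanned 'as necessary'; here that
    means the baseline is missing or was taken at a different commit than the head."""
    return baseline is None or baseline.commit != default_head


def diff_violations(baseline_violations: frozenset, feature: ScanResult):
    """Violations the PR introduces and violations it fixes, relative to the baseline."""
    discovered = feature.violations - baseline_violations
    remediated = baseline_violations - feature.violations
    return discovered, remediated


def format_pr_comment(discovered, remediated) -> str:
    """Render the comment text, worst threat level first within each section."""
    def section(title, items):
        if not items:
            return [f"{title}: none"]
        lines = [f"{title}:"]
        for v in sorted(items, key=lambda v: (-v.threat, v.component)):
            lines.append(f"  - [{v.threat}] {v.policy}: {v.component}")
        return lines
    return "\n".join(section("Violations discovered", discovered)
                     + section("Violations remediated", remediated))


def evaluate_pull_request(self_initiated, external, default_head: str, feature: ScanResult):
    """Run the whole flow for one pull request and return the decisions made."""
    baseline, keep_auto = choose_baseline(self_initiated, external)
    base_violations = baseline.violations if baseline is not None else frozenset()
    discovered, remediated = diff_violations(base_violations, feature)
    return {
        "baseline_stage": baseline.stage if baseline is not None else None,
        "keep_auto_scans": keep_auto,
        "default_rescan_needed": baseline_needs_refresh(baseline, default_head),
        "discovered": discovered,
        "remediated": remediated,
        "comment": format_pr_comment(discovered, remediated),
    }


# Constructed sample data: package URLs, policy names and commit ids are placeholders.
V_FIXED = Violation("pkg:maven/org.example/parser@1.2.0", "Security-High", 7)      # fixed by the PR
V_NEW = Violation("pkg:npm/example-widgets@0.9.1", "Security-Critical", 9)           # introduced by the PR
V_BOTH = Violation("pkg:maven/org.example/util@3.1.0", "License-Copyleft", 5)        # unchanged by the PR

DEFAULT_SCAN = ScanResult("Source", "aaaa111", frozenset({V_FIXED, V_BOTH}))
FEATURE_SCAN = ScanResult("Develop", "bbbb222", frozenset({V_NEW, V_BOTH}))
CI_SCAN = ScanResult("Source", "aaaa111", frozenset({V_FIXED, V_BOTH}))  # external CI evaluation

if __name__ == "__main__":
    result = evaluate_pull_request(DEFAULT_SCAN, None, "aaaa111", FEATURE_SCAN)
    print(result["comment"])
```

The diff is a plain set difference, so a violation present on both branches (V_BOTH above) is neither reported as discovered nor as remediated, which is what keeps the pull request comment focused on what the change itself alters.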