Instant Risk Profile

NEW IN IQ SERVER RELEASE 109

Instant Risk Profile Overview

IQ Server automatically scans the configured default branch of an application's source control repository as the application is onboarded.

Continuous Risk Assessment

In addition to the initial onboarding scan of the default branch, IQ Server scans the feature branches it identifies from pull requests.

Scan Characteristics

Source control scans have the following characteristics:

  • IQ Server clones the application's Git repository to obtain the files to scan
  • The types of files that IQ Server can understand and scan are continually being extended.  You can find more information here.
  • Default branch scans use the 'Source' stage
  • Feature branch scans use the 'Develop' stage
  • Scan/policy evaluation results are available on the Reports page in the 'Source' stage column

Onboarding Scans

The onboarding scan is a one-time scan to get an initial picture of an application's risk exposure.

During onboarding, every application that needs a source scan enters a queue.  The Reports page displays a 'pending' indicator for applications that are still waiting for their initial onboarding scan.  When the scan completes, the pending indicator is replaced by a summary of the scan and policy evaluation.

No relevant files to scan

If the repository contains no relevant files to scan, no report is generated and the 'Source Violations' column stays empty for that application.  The CLI tooling produces a "No violations" report in this case.  In a future release the initial Instant Risk Profile scan will also produce a "No violations" report when there are no relevant files to scan.

Pull Request Scans

In addition to the onboarding scans, when IQ Server detects a new pull request for an application it will:

  • Perform a source control scan of the feature branch associated with that pull request
  • Re-scan the default branch, if necessary, so that the baseline it is compared against is current
  • Create a pull request comment with details of any violations discovered or remediated by the feature branch
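The following Python script is an added illustration of the comparison a pull request comment is built from; it is not IQ Server code, and the page does not document IQ Server's actual data formats or comparison logic. The manifests, branch heads and finding identifiers are constructed sample data, and the rule that a branch with no relevant files yields no comment is an assumption. It scans the feature branch in the Develop stage, re-scans the default branch in the Source stage only when the cached result is stale, and reports violations present only on the feature branch as discovered and those present only on the default branch as remediated.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from IQ Server): branch -> {component: version}.
# A branch missing from this map stands for a checkout with no relevant files.
MANIFESTS = {
    "main": {"example-lib": "1.0.0", "other-lib": "2.1.0"},
    "feature/upgrade-example-lib": {
        "example-lib": "1.1.0", "other-lib": "2.1.0", "new-lib": "0.9.0"
    },
}
# Constructed policy findings keyed by component@version. The finding ids are
# placeholders, not real vulnerability identifiers.
FINDINGS = {
    "example-lib@1.0.0": [("Security-High", "HYPOTHETICAL-0001")],
    "new-lib@0.9.0": [("License-Copyleft", "HYPOTHETICAL-0002")],
}
# Constructed branch heads, used to decide whether a cached default-branch
# result is still current.
HEADS = {"main": "a1b2c3", "feature/upgrade-example-lib": "d4e5f6"}


@dataclass(frozen=True)
class Violation:
    policy: str
    component: str
    finding: str


@dataclass(frozen=True)
class ScanResult:
    branch: str
    stage: str
    commit: str
    violations: frozenset  # empty set == a "No violations" report


def scan_branch(branch: str, stage: str) -> Optional[ScanResult]:
    """Stand-in for a source control scan of one branch.

    Returns None when the checkout has no relevant files (no report is
    generated). An empty violation set is a "No violations" report."""
    components = MANIFESTS.get(branch)
    if components is None:
        return None
    found = set()
    for name, version in components.items():
        component = f"{name}@{version}"
        for policy, finding in FINDINGS.get(component, []):
            found.add(Violation(policy, component, finding))
    return ScanResult(branch, stage, HEADS[branch], frozenset(found))


def current_default_result(cached: Optional[ScanResult],
                           default_branch: str = "main") -> Optional[ScanResult]:
    """Re-scan the default branch only when the cached result is stale."""
    if cached is not None and cached.commit == HEADS[default_branch]:
        return cached
    return scan_branch(default_branch, "Source")


def pull_request_delta(default: ScanResult, feature: ScanResult):
    """Violations only on the feature branch (discovered) and only on the
    default branch (remediated); violations on both are unchanged."""
    discovered = feature.violations - default.violations
    remediated = default.violations - feature.violations
    return discovered, remediated


def pull_request_comment(feature_branch: str,
                         cached_default: Optional[ScanResult] = None,
                         default_branch: str = "main") -> Optional[str]:
    """Build the comment text for a pull request from the two scans."""
    feature = scan_branch(feature_branch, "Develop")
    default = current_default_result(cached_default, default_branch)
    if feature is None or default is None:
        return None  # assumption: no report means nothing to comment on
    discovered, remediated = pull_request_delta(default, feature)
    lines = [f"Source control scan of `{feature_branch}` against `{default_branch}`:"]
    for label, group in (("Discovered", discovered), ("Remediated", remediated)):
        lines.append(f"{label}: {len(group)}")
        for v in sorted(group, key=lambda v: (v.policy, v.component)):
            lines.append(f"  - {v.policy}: {v.component} ({v.finding})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(pull_request_comment("feature/upgrade-example-lib"))
```

Because a violation is keyed on the exact component version, upgrading a vulnerable library shows up as the old version's violation being remediated, and a dependency added by the pull request shows up as discovered.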

Usage of the Source stage

As previously mentioned, IQ Server uses the Source stage for default branch source control scans, and it uses those scans as the basis for pull request comments.  However, if IQ Server detects that an external tool, for example a CI system, is submitting scan/policy evaluation requests for that repository, IQ Server will:

  • switch over to using these external scan requests/results as the basis for the pull request comments
  • stop performing automatic, self-initiated source control scans for that repository