Nexus IQ for SCM

Source Control Management (SCM) systems are no strangers to development teams. Platforms such as GitHub, GitLab, and Bitbucket store and manage organizations' code repositories. As members of development teams make changes to code, the SCM system tracks the resulting iterations, reports any conflicts between those iterations, and maintains a complete history of the code, which is helpful in case any previous version needs to be reinstated. This makes SCM systems a vital part of the software development process.

Nexus IQ for SCM is a tool that provides early insight into an application's security and licensing risk by analyzing the open source components referenced in the code. It is designed to work directly within your SCM. This is essentially like posting a security guard inside the bank vault rather than outside the bank building. Our Source Control Integration works in tandem with our Continuous Integration system integrations to give you policy information in the tools your team uses every day. If a component violates a policy that the organization has set in Nexus IQ, Nexus IQ takes action not only to communicate its findings but also to generate suggested remediation directly in the source code repository, using automated commit feedback, automated pull requests, and pull request commenting with the changes to an application's component manifest. Nexus IQ interacts with Git-based systems primarily through their APIs, which enable the creation of pull requests, commenting on pull requests, the creation of commit statuses, and similar actions.

Nexus IQ for SCM's two main features

  • Easy SCM Onboarding – A tool to help you import the repositories housed in your SCM systems that you wish to integrate with Nexus IQ so that they can be recreated as Nexus Lifecycle applications. Once this step is complete, Nexus IQ scans the newly imported applications via the Instant Risk Profile to offer a one-time, initial glimpse of your applications' risk based on what has been committed to your SCM system up to that point. This helps your development team know which applications to prioritize when subsequently establishing your remediation plan.
  • Automated source control feedback – This aspect of Nexus IQ for SCM is, in essence, the set of ways in which Nexus IQ communicates what it has found and what action it suggests to remediate any concerns in the SCM system repositories. To achieve this, Nexus IQ uses automated commit feedback, automated pull requests, and pull request commenting to report its scan results. The specific features available to you depend on which SCM system you use, since each system has different configuration capabilities for Nexus IQ integration.

Getting Started

To use Nexus IQ for SCM, your IQ Server must be configured to allow access to your company's SCM platform. To begin, you'll need to connect Nexus IQ to your SCM system repositories, which is best done by following the steps in Easy SCM Onboarding. Following that, you will need to set up your source control configuration.

What's Next

End Goal

By the end of this documentation, you will be able to connect and configure your SCM system to work with Nexus IQ so that it can begin monitoring your code for security and licensing policy violations and communicate its findings to you accordingly.