Automated Commit Feedback
Sonatype Lifecycle surfaces IQ policy violation information in your Source Control Management (SCM) system, so developers learn about policy violations while the code is still being developed rather than after it ships.
The Automated Commit Feedback feature is enabled by default for all repository types: private, internal, and public.
New in release 161: this feature is configurable at the organization or application level and can be inherited (default), enabled (default for the root organization), or disabled.
Managing IQ Policy Evaluation Reports and SCM Commits
In Azure DevOps, a build status can be attached to a commit when an IQ Policy Evaluation highlights violations. This is visible on individual commits, and the commit history.
In both Bitbucket Server and Bitbucket Cloud, a build status can be attached to commits when an IQ Policy Evaluation highlights violations. This will be visible on individual commits and on any pull requests containing that commit.
As a GitHub Status, an IQ Policy Evaluation check runs whenever a Pull Request is created or updated. Like other status checks, it can be configured either to provide feedback only or to block the PR from being merged when it detects vulnerable components or policy violations. Each check links to the full IQ Policy Evaluation report through the Details link shown to the right of the affected-components summary counts.
The IQ Policy Evaluation report can also be accessed from a commit itself by clicking the status icon then clicking the Details link to the right of the IQ Policy Evaluation component summary on the checks popup.
An IQ Policy Evaluation step can be added to the GitLab pipeline to provide feedback or to block Merge Requests when it detects vulnerable components or policy violations (see the section on protecting target branches). When violations are detected, the IQ Policy Evaluation job links to the full scan report on IQ Server.
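The following GitLab CI job is an added example of such a pipeline step; it is not taken from this page or from Sonatype's own documentation. The image name, the `/sonatype/evaluate` entrypoint, the CLI flags and the `IQ_*` variable names are assumptions about the Nexus IQ CLI; the application ID is a placeholder.

```yaml
# Added example (not from the original page): a GitLab CI job that evaluates the
# repository against IQ Server policy on every merge request. Image name, entrypoint,
# flags and variable names are assumptions, not values taken from this page.
stages:
  - security

iq-policy-evaluation:
  stage: security
  image: sonatype/nexus-iq-cli:latest          # assumed image name
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  variables:
    IQ_APPLICATION_ID: my-app                  # placeholder: the application's public ID in IQ Server
    IQ_STAGE: build                            # evaluation stage the policy actions apply to
  script:
    # IQ_SERVER_URL, IQ_USERNAME and IQ_TOKEN are masked, protected CI/CD variables;
    # a non-zero exit (policy action "Fail" for this stage) fails the job and,
    # with "Pipelines must succeed" enabled, blocks the merge request.
    - /sonatype/evaluate -i "$IQ_APPLICATION_ID" -s "$IQ_SERVER_URL"
        -a "$IQ_USERNAME:$IQ_TOKEN" -t "$IQ_STAGE" -r iq-result.json .
  artifacts:
    when: always                               # keep the result even when the job fails
    paths:
      - iq-result.json                         # contains the link to the full report on IQ Server
```

Whether a failing evaluation merely warns or actually blocks the merge depends on two settings outside this file: the policy's action (Warn or Fail) for the evaluated stage in IQ Server, and the project's "Pipelines must succeed" merge-request setting in GitLab.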
Viewing the Full IQ Policy Evaluation Report
Clicking the Details link opens the IQ Policy Evaluation report where the developer will see the current version used and other vulnerable and non-vulnerable versions of that component.
This gives developers the information they need to quickly remediate vulnerable components.