CI and CLI Integrations

Nexus Lifecycle's SCM Integration works with several CLI and CI integrations. Each one discovers the commit hash (and, where it can, the repository URL) of the code being evaluated and sends it to Nexus IQ Server with the policy evaluation request, so that the evaluation results are tied to a specific commit.

Nexus IQ CLI

Any application can be evaluated against your policies using the Nexus IQ CLI.

Prerequisites

  • IQ 67 and higher

Instructions for Use

Run the nexus-iq-cli command within the git-cloned project folder. Nexus IQ for SCM will automatically discover the commit hash and repository URL from the git context and send this information to Nexus IQ Server with the policy evaluation request.

Additional command output will print the repository and commit hash discovery information:

[INFO] Validating IQ Server version http://localhost:8070...
[INFO] Validating application ID test-app with the IQ Server http://localhost:8070...
[INFO] Discovered repository url 'https://github.com/my-org/my-repo' via jGit
[INFO] Discovered commit hash '00ac4dc1da4b8ce233df110cbd175ae85284b655' via jGit

If you are not running the command within a git-cloned project folder, set the GIT_DIR environment variable to the full path of the project's .git folder.

If you do not have a git clone at all, pass the commit hash with the nexus-iq-cli --metadata parameter, which points to a file containing the desired commit hash in the following format:

{"commitHash": "<git commit hash>"}
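As an added example (not code from this page or from Sonatype), the following POSIX shell helper produces that metadata file for the no-git-clone case. It resolves the commit hash in the same order the integrations on this page use (the GIT_COMMIT variable set by Jenkins, the CI_COMMIT_SHA variable set by GitLab CI, then a local checkout via git, which honours GIT_DIR), rejects anything that is not a full 40-character hex SHA-1 so a truncated or mangled value never reaches the IQ Server, and writes the JSON in the format shown above. The function names and the output file name are assumptions; only the --metadata parameter and the JSON shape come from the page.

```shell
#!/bin/sh
# Added example, not Sonatype's code: build the --metadata file for
# nexus-iq-cli when there is no git clone to discover the commit from.

# Accept only a full 40-character lowercase hex SHA-1. Anything shorter,
# uppercase or non-hex is rejected so the evaluation is never attributed
# to a commit that does not exist.
is_commit_hash() {
  [ "${#1}" -eq 40 ] || return 1
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Discovery order mirrors the integrations on this page: explicit CI
# variables first (GIT_COMMIT for Jenkins, CI_COMMIT_SHA for GitLab CI),
# then the local checkout. Prints the hash on success, nothing on failure.
discover_commit_hash() {
  for candidate in "$GIT_COMMIT" "$CI_COMMIT_SHA"; do
    if is_commit_hash "$candidate"; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  # Equivalent of the jGit lookup: ask git for HEAD; git itself respects
  # GIT_DIR if it is set, so this also covers the "not in the clone" case.
  if command -v git >/dev/null 2>&1; then
    candidate=$(git rev-parse --verify HEAD 2>/dev/null) || candidate=""
    if is_commit_hash "$candidate"; then
      printf '%s\n' "$candidate"
      return 0
    fi
  fi
  return 1
}

# Write the --metadata file. Fails closed: an invalid hash aborts instead
# of producing a file with a bad value in it.
write_metadata() {
  hash="$1"
  out="$2"
  if ! is_commit_hash "$hash"; then
    echo "refusing to write metadata: '$hash' is not a full commit hash" >&2
    return 1
  fi
  printf '{"commitHash": "%s"}\n' "$hash" > "$out"
}
```

Typical use is write_metadata "$(discover_commit_hash)" iq-metadata.json followed by your usual nexus-iq-cli invocation with --metadata iq-metadata.json added; if discovery finds nothing, write_metadata exits non-zero and the evaluation should be stopped rather than run without a commit hash.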

See Nexus IQ CLI for details.

Nexus IQ CLI Docker Image

The Nexus IQ CLI is also available as a Docker image at https://hub.docker.com/r/sonatype/nexus-iq-cli. The documentation there details how to use the image to perform an evaluation.

Prerequisites

  • Version 1.3 and higher

Nexus Platform Plugin for Jenkins

Nexus Platform Plugin for Jenkins scans a build workspace for components, creates a summary file about all the components found, and then submits that file to IQ Server for a detailed policy evaluation. Lifecycle generates a report with a detailed analysis of security information, license information, and other policy details. A summary of that report is sent to the Jenkins server to include in the build results.

Prerequisites

  • Version nexus-jenkins-plugin-3.8.20191204-084645.a4bff16 and higher

Instructions for Use

Run the Nexus Platform Plugin for Jenkins. Nexus IQ for SCM will automatically discover the commit hash by reading the GIT_COMMIT environment variable. If the environment variable is not set, Nexus IQ for SCM will identify the commit hash by traversing up the directory tree until it finds the .git folder.

Additional log output records the commit hash discovery in the Jenkins System Log:

...
Dec 20, 2019 4:45:53 PM FINE com.sonatype.nexus.git.utils.commit.AggregateCommitHashFinder tryGetCommitHash
Unable to find commit hash via environment variable GIT_COMMIT
Dec 20, 2019 4:45:53 PM INFO com.sonatype.nexus.git.utils.commit.AggregateCommitHashFinder tryGetCommitHash
Discovered commit hash '60638345c358694151de444fd63bfb02ca79ec8b' via jGit
...

See Nexus Platform Plugin for Jenkins for details.

Nexus IQ for GitLab CI

CI/CD pipeline jobs in GitLab use custom Docker images to perform actions in a GitLab project's build workspace. The GitLab Nexus IQ Docker image provides the ability to run Nexus policy evaluations against build artifacts in GitLab. This produces a summary report with policy violation counts and a link to a detailed report on the IQ Server.

Prerequisites

  • Version release-1.2 and higher

Instructions for Use

Run Nexus IQ for GitLab CI. Nexus Lifecycle automatically discovers the commit hash by reading the CI_COMMIT_SHA environment variable. If the environment variable is not set, Nexus IQ for SCM will discover the commit hash by traversing up the directory tree until it finds the .git folder.

See Nexus IQ for GitLab CI for details.

Sonatype CLM for Maven

Any application can be evaluated against your policies using the Sonatype CLM for Maven Plugin.

Prerequisites

  • Version 2.16.0 and higher

Instructions for Use

Run the evaluate goal anywhere within the git-cloned project folder. Nexus IQ for SCM will automatically discover the commit hash from the git context and send this information to Nexus IQ Server with the policy evaluation request.

Additional command output will print the commit hash discovery information (some lines were omitted):

[INFO] Starting scan...
[INFO] Discovered commit hash 'b8d6b434dad8670ddfd08a0f9232df46134f2198' via jGit
...

You can set the GIT_DIR environment variable to the full path of the .git folder for the git-cloned project if you are not running the command within a git-cloned project folder.

See Sonatype CLM for Maven for more details.

Nexus IQ for Bamboo

The Nexus IQ for Bamboo plugin lets you run Nexus IQ policy evaluations against build artifacts in Bamboo. This produces a summary report with policy violation counts and a link to a detailed report on the IQ Server.

Prerequisites

  • Version release-1.15.0 and higher

Instructions for Use

Add an IQ Policy Evaluation task to your build plan in Bamboo. Execute the plan. Nexus IQ for SCM will automatically discover the commit hash and will send it to Nexus IQ Server as part of the policy evaluation request.

The collection of the commit hash can be viewed in the build log as shown below (some lines were omitted):

simple	04-Feb-2020 11:15:45	Starting IQ analysis
...
simple	04-Feb-2020 11:15:47	Discovered commit hash '17950bd5cf0492d046e6f01b49836f073638af4f' via jGit
...
simple	04-Feb-2020 11:15:58	Policy evaluation completed in 10 seconds.

See Nexus IQ for Bamboo for more details.