Continuous Risk Profile

NEW IN IQ SERVER RELEASE 120

Nexus IQ for SCM generates a continuous risk profile of the organization's codebase by running automatic application evaluations at the source stage. It uses the following capabilities to create a continuous risk profile:

  1. Default branch monitoring
  2. Feature branch monitoring

Default Branch Monitoring

Default branch monitoring is implemented by running both periodic and event-driven application evaluations. This feature is enabled for all private, internal, and public repository types. The selected repository should be configured for source control as described in Nexus IQ for SCM.

Periodic application evaluations: Nexus IQ for SCM performs policy evaluations on the default branch at least once per day. These evaluations are initiated based on the following IQ server settings:

defaultBranchMonitoringstartTime: 00:00
defaultBranchMonitoringIntervalInHours: 24

To change the start time or the time interval between evaluations, use Source Control Configuration REST API - v2.

Event-driven application evaluations: Before performing an event-driven application evaluation, Nexus IQ for SCM checks whether external policy evaluations (run by the Nexus CLI or CI jobs) have been performed. If no policy evaluation is found in the last 7 days, an application evaluation is initiated when a PR is detected on the default branch and no policy evaluation is associated with the head commit.

Examples to illustrate default branch monitoring

The default branch monitoring process kicks off at the startTime. It iterates through all IQ applications to check for code changes.

Example 1: A CI job is configured to run a build and evaluation of an IQ application at 03:00 in the build stage. Code changes have been committed to the default branch in the last 24 hours. startTime for IQ server default branch monitoring is configured as 00:00 and intervalInHours is configured as 24.

What happens now: The default branch monitoring process kicks off at 00:00 and finds that the application has not been evaluated in the source stage in the last 24 hours (the build-stage evaluation does not count). An application evaluation is initiated in the source stage.

Example 2: A CI job is configured to run a build and evaluation of an IQ application at 03:00 in the source stage. Code changes have been committed to the default branch in the last 24 hours. startTime for IQ server default branch monitoring is configured as 00:00 and intervalInHours is configured as 24.

What happens now: The default branch monitoring process kicks off at 00:00 and finds a source-stage application evaluation that occurred in the last 24 hours, after the code commits. IQ server determines that the evaluation is up to date and does not initiate an application evaluation.
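The following Python model, added here as an illustration and not Sonatype's own code, encodes the two rules described above (the periodic rule from Examples 1 and 2, and the event-driven rule with its 7-day external-evaluation check) so the outcome of each example can be reproduced. The dataclasses, function names and the reading that an evaluation older than the latest default-branch commit is stale are assumptions; the constructed commit ids and timestamps are sample data.

```python
"""Decision logic for default branch monitoring, modelled on the page's description.
Added example, not the product's implementation: names and the "evaluation must be
newer than the latest commit" reading are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Settings as documented on the page
DEFAULT_BRANCH_MONITORING_START_TIME = "00:00"
DEFAULT_BRANCH_MONITORING_INTERVAL_IN_HOURS = 24
EXTERNAL_EVALUATION_LOOKBACK_DAYS = 7


@dataclass
class Evaluation:
    stage: str        # e.g. "source" or "build"
    origin: str       # "external" (Nexus CLI / CI job) or "scm" (monitoring)
    at: datetime
    commit: str


@dataclass
class Application:
    name: str
    head_commit: str                 # head of the default branch
    last_commit_at: datetime         # time of the latest default-branch commit
    evaluations: List[Evaluation] = field(default_factory=list)


def next_monitoring_run(now: datetime,
                        start_time: str = DEFAULT_BRANCH_MONITORING_START_TIME,
                        interval_hours: int = DEFAULT_BRANCH_MONITORING_INTERVAL_IN_HOURS) -> datetime:
    """First monitoring run strictly after `now`: start_time on the day of `now`,
    then every interval_hours after that (assumed scheduling, matching the settings)."""
    hour, minute = (int(p) for p in start_time.split(":"))
    run = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    while run <= now:
        run += timedelta(hours=interval_hours)
    return run


def needs_periodic_evaluation(app: Application, run_at: datetime,
                              interval_hours: int = DEFAULT_BRANCH_MONITORING_INTERVAL_IN_HOURS) -> bool:
    """Periodic rule: the run at `run_at` initiates a source-stage evaluation unless one
    already happened inside the interval window and is newer than the latest commit.
    Build-stage evaluations do not satisfy the check (Example 1)."""
    window_start = run_at - timedelta(hours=interval_hours)
    if app.last_commit_at < window_start:
        return False  # no code changes in the window, nothing new to evaluate
    for ev in app.evaluations:
        if (ev.stage == "source" and window_start <= ev.at <= run_at
                and ev.at >= app.last_commit_at):
            return False  # up to date (Example 2)
    return True


def needs_event_driven_evaluation(app: Application, now: datetime,
                                  pr_on_default_branch: bool) -> bool:
    """Event-driven rule: evaluate only when a PR is detected on the default branch, no
    external (CLI/CI) evaluation exists in the last 7 days, and the head commit has
    no evaluation associated with it."""
    if not pr_on_default_branch:
        return False
    lookback = now - timedelta(days=EXTERNAL_EVALUATION_LOOKBACK_DAYS)
    if any(ev.origin == "external" and ev.at >= lookback for ev in app.evaluations):
        return False
    return not any(ev.commit == app.head_commit for ev in app.evaluations)


# Constructed scenarios reproducing the page's examples (sample commit ids and times).
def example_1() -> bool:
    """CI evaluates in the build stage at 03:00; commit later that day; run at 00:00."""
    app = Application("shop-api", "c2", last_commit_at=datetime(2024, 3, 1, 15, 0),
                      evaluations=[Evaluation("build", "external", datetime(2024, 3, 1, 3, 0), "c1")])
    return needs_periodic_evaluation(app, datetime(2024, 3, 2, 0, 0))


def example_2() -> bool:
    """CI evaluates in the source stage at 03:00, after the day's commit; run at 00:00."""
    app = Application("shop-api", "c2", last_commit_at=datetime(2024, 3, 1, 1, 0),
                      evaluations=[Evaluation("source", "external", datetime(2024, 3, 1, 3, 0), "c2")])
    return needs_periodic_evaluation(app, datetime(2024, 3, 2, 0, 0))


def example_event_driven() -> bool:
    """Last external evaluation 10 days ago, PR detected on the default branch, head unevaluated."""
    now = datetime(2024, 3, 11, 9, 0)
    app = Application("shop-api", "c3", last_commit_at=datetime(2024, 3, 11, 8, 0),
                      evaluations=[Evaluation("source", "external", now - timedelta(days=10), "c1")])
    return needs_event_driven_evaluation(app, now, pr_on_default_branch=True)


def example_next_run() -> str:
    """startTime 00:00 and a 24 h interval, checked at 05:00 on 1 March."""
    return next_monitoring_run(datetime(2024, 3, 1, 5, 0)).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    print("Example 1 evaluates:", example_1())          # True
    print("Example 2 evaluates:", example_2())          # False
    print("Event-driven evaluates:", example_event_driven())  # True
    print("Next run:", example_next_run())              # 2024-03-02 00:00
```

The stage check is the important part of the periodic rule: a build-stage evaluation performed by CI leaves the source stage without a recent report, so monitoring still runs, which is exactly the difference between the two examples above.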

Other benefits of default branch monitoring

Default branch monitoring maintains a continuous risk profile for Nexus IQ applications until external policy evaluations tailored to the user's or organization's needs (specific applications, development stages, and evaluation times) have been configured to run as CLI or CI processes. Combined with Automated Pull Requests, this feature provides automatic PRs with fixes for components introduced in the main branch that have policy violations.

Viewing the application evaluation reports generated by default branch monitoring

The default branch monitoring process iterates through all IQ applications to check the last evaluation before initiating a new one. The start time set in the source control configuration settings is when this process kicks off; it will differ from the evaluation time reported on an IQ application, because the time of each application evaluation depends on how many applications the monitoring process has to check before it reaches that application.

The most recent report for an application's default branch is accessible in the Reports section.

Feature Branch Monitoring

Nexus IQ for SCM periodically detects changes on feature branches that have pull requests, executes policy evaluations on the changed feature branches, and updates pull request comments when policy violations are resolved or introduced.

Feature branch monitoring only works on repositories that cannot be accessed publicly: repositories must be private or internal for all supported providers, except GitHub Enterprise, where all repository types are supported.

Prerequisites for feature branch monitoring

The following criteria are prerequisites for automatic policy evaluations of feature branches:

  1. The selected repository is configured for source control, as described in Nexus IQ for SCM.
  2. The feature branch has an associated open Pull Request.