Source Control Configuration Overview
Overview
Sonatype Lifecycle can connect to your Source Control Management (SCM) system with an access token to scan your projects during the development phase. The access token can be set at the Root Organization level. This page provides the configuration steps for SCM.
The IQ Server base URL must be configured for Source Control Features to function.
Configuration Checklist
Follow the steps below to connect your SCM system to Sonatype Lifecycle.
- Create SCM Access Token
- Configure base URL in IQ Server
- Navigate to Source Control at the Root Organization
- Select Source Control Management System
- Add your SCM Access Token (created in step 1) to enable Lifecycle features
- Enter the Default Branch
- Toggle Use SSH for Git Operations
- Toggle Automated Pull Requests
  - We recommend disabling it when used with Easy SCM Onboarding
- Toggle Pull Request Commenting
  - Recommended for all repositories.
- Toggle Source Control Evaluations
  - Recommended for all repositories.
- NEW IN RELEASE 161: Select Automated Commit Feedback
  - If you are importing a large number of applications, this may cause you to hit SCM rate limits. In such scenarios, we recommend disabling Automated Commit Feedback during the import. You can enable it for all repositories after the import completes.
- Optional: Create separate access tokens for IQ Server Organizations using different SCM Systems
- Optional: Configure additional SCM Features
SCM Feature Configuration
The table below shows where each SCM feature is configured.

Feature | Configuration |
---|---|
Automatic Pull Requests | Configured at the Organization or Application level. |
SSH Operations | Configured at the Organization or Application level. |
Pull Request Commenting | Configured at the Organization or Application level. |
Pull Request Line Commenting | Enabled with Pull Request Commenting. |
Source Control Evaluations | Configured at the Organization or Application level. |
Automated Commit Feedback | Configured in SCM Provider. NEW IN RELEASE 161: Configured at the Organization or Application level. |
Automatic SCM Configuration | Configured on the page accessed through the Settings Menu. |
Easy SCM Onboarding | Application import feature. Requires an SCM Access Token to be configured. |
Bitbucket Code Insights | Configured with Pull Request Commenting. |
Create Access Token
Select your SCM provider below for information on creating an access token and configuring your SCM System for use with Sonatype Lifecycle.
Required Token Permissions
Feature | Azure DevOps | Bitbucket Cloud | Bitbucket Server | GitHub | GitLab |
---|---|---|---|---|---|
Automated Commit Feedback | api | | | | |
Automated Pull Requests | under | under | api + write_repository | | |
Pull Request Commenting | under | api | | | |
Pull Request Line Commenting | under | api | | | |
Bitbucket Code Insights | under | N/A | N/A | | |
Dealing with SCM API rate limits
When IQ Server interacts with an SCM system's API, the SCM system enforces some form of limit on the volume and frequency of requests; GitHub appears to be the most restrictive. GitHub limits API requests to 5000 per hour per user and requires at least a one-second delay between requests. As the number of applications that IQ Server manages grows, the workload placed on the SCM API grows with it. The result is a delay between, for example, the time a workload is first processed and the time a comment actually appears on a pull request.
Since the SCM system API limitations are per user, organizations with hundreds or thousands of repositories should create multiple users/access tokens and use different tokens for different sub-organizations in IQ Server. This allows IQ Server to perform more work in parallel with the SCM system. The additional tokens must be for distinct SCM users — multiple tokens for the same user will not help since the API rate limits apply at the user level and not the token level. A reasonable starting point would be one user/token for every 500 repositories.
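The capacity-planning reasoning above, as an added example that is not Sonatype's code: it applies the page's GitHub figures (5000 requests/hour/user, at least one second between requests, roughly one user/token per 500 repositories) and counts capacity by distinct SCM users rather than by tokens. The token-to-user mapping is constructed sample data.

```python
from collections import defaultdict
from math import ceil

# Limits as stated on this page for GitHub.
GITHUB_HOURLY_LIMIT = 5000      # requests per hour per user
MIN_SPACING_SECONDS = 1.0       # at least one second between requests
REPOS_PER_USER = 500            # page's suggested starting point


def effective_hourly_capacity(hourly_limit=GITHUB_HOURLY_LIMIT,
                              spacing=MIN_SPACING_SECONDS):
    """Requests one SCM user can actually make per hour: the documented quota,
    further capped by the mandatory spacing between requests (3600/h at 1 s)."""
    return min(hourly_limit, int(3600 / spacing))


def distinct_user_capacity(tokens):
    """tokens: list of (token_label, scm_user) pairs.
    Capacity only grows with distinct users; several tokens owned by the same
    user share that user's quota. Returns (requests/hour, tokens sharing a user)."""
    by_user = defaultdict(list)
    for label, user in tokens:
        by_user[user].append(label)
    shared = {u: labels for u, labels in by_user.items() if len(labels) > 1}
    return len(by_user) * effective_hourly_capacity(), shared


def recommended_users(repo_count):
    """Distinct SCM users to create for a given number of repositories."""
    return max(1, ceil(repo_count / REPOS_PER_USER))


def hours_to_drain(requests, tokens):
    """Hours needed to process a backlog of SCM API requests with these tokens."""
    capacity, _ = distinct_user_capacity(tokens)
    return requests / capacity


if __name__ == "__main__":
    # Constructed sample: three tokens, but only two distinct SCM users.
    sample_tokens = [("tok-a", "scm-bot-1"), ("tok-b", "scm-bot-1"), ("tok-c", "scm-bot-2")]
    cap, shared = distinct_user_capacity(sample_tokens)
    print(f"effective capacity: {cap} requests/hour; tokens sharing a user: {shared}")
    print(f"users recommended for 1200 repos: {recommended_users(1200)}")
    print(f"hours to drain 36000 requests: {hours_to_drain(36000, sample_tokens):.1f}")
```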