Source Control Configuration Overview

Overview

Sonatype Lifecycle can connect to your Source Control Management (SCM) system with an access token to scan your projects during the development phase. The access token can be set at the Root Organization level. This page provides the configuration steps for SCM.

The IQ Server base URL must be configured for Source Control Features to function.

Configuration Checklist

Follow the steps below to connect your SCM system to Sonatype Lifecycle.

  1. Create an SCM access token
  2. Configure the base URL in IQ Server
  3. Navigate to Source Control at the Root Organization
  4. Select the Source Control Management System
  5. Add your SCM access token (created in step 1) to enable Lifecycle features
  6. Enter the Default Branch
  7. Toggle Use SSH for Git Operations
  8. Toggle Automated Pull Requests
    • We recommend disabling it when used with Easy SCM Onboarding
  9. Toggle Pull Request Commenting
    • Recommended for all repositories.
  10. Toggle Source Control Evaluations
    • Recommended for all repositories.
  11. Select Automated Commit Feedback (new in release 161)
    • If you are importing a large number of applications, this may cause you to hit SCM rate limits. In such scenarios, we recommend disabling Automated Commit Feedback during the import. You can enable it for all repositories after the import.
  12. Optional: Create separate access tokens for IQ Server Organizations that use different SCM systems
  13. Optional: Configure additional SCM features

SCM Feature Configuration

The table below shows where each SCM feature is configured.

| Feature | Configuration |
|---|---|
| Automatic Pull Requests | Configured at the Organization or Application level. Inherited by default (disabled by default at the root organization). |
| SSH Operations | Configured at the Organization or Application level. Inherited by default (disabled by default at the root organization). |
| Pull Request Commenting | Configured at the Organization or Application level. Inherited by default (enabled by default at the root organization). |
| Pull Request Line Commenting | Enabled with Pull Request Commenting. |
| Source Control Evaluations | Configured at the Organization or Application level. Inherited by default (enabled by default at the root organization). |
| Automated Commit Feedback | Configured in the SCM provider. New in release 161: configured at the Organization or Application level. Inherited by default (enabled by default at the root organization). |
| Automatic SCM Configuration | Configured on the page accessed through the Settings menu. |
| Easy SCM Onboarding | Application import feature. Requires an SCM access token to be configured. |
| Bitbucket Code Insights | Configured with Pull Request Commenting. |

Create Access Token

Select your SCM provider below for information on creating an access token and configuring your SCM System for use with Sonatype Lifecycle.

Required Token Permissions

| Feature | Azure DevOps | Bitbucket Cloud | Bitbucket Server | GitHub | GitLab |
|---|---|---|---|---|---|
| Automated Commit Feedback | Code: Read & Write | Read under Repositories | Read under Repositories | repo:status | api |
| Automated Pull Requests | Code: Read & Write | Write under Pull Requests | Write under Repositories | repo | api + write_repository |
| Pull Request Commenting | Code: Read & Write | | Write under Repositories | repo | api |
| Pull Request Line Commenting | | | Write under Repositories | repo | api |
| Bitbucket Code Insights | | | Write under Repositories | N/A | N/A |

Dealing with SCM API rate limits

When Nexus IQ interacts with an SCM system's API, the SCM system enforces some form of limit on the volume and frequency of API calls; GitHub appears to be the most restrictive. GitHub limits API requests to 5000 per hour per user and specifies at least a one-second delay between requests. As the number of applications that IQ Server manages increases, the workload demanded of the SCM API also increases. This translates into a delay between, for example, the time the workload is first processed and the time a comment is added to a pull request.

Since the SCM system API limits are per user, organizations with hundreds or thousands of repositories should create multiple users/access tokens and use different tokens for different sub-organizations in IQ Server. This allows IQ Server to perform more work in parallel with the SCM system. The additional tokens must belong to distinct SCM users: multiple tokens for the same user will not help, because the API rate limits apply at the user level, not the token level. A reasonable starting point is one user/token for every 500 repositories.
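The following Python is an added example, not Sonatype code, that turns the guidance above into a small planning and gating helper: it sizes the token pool per sub-organization from the 500-repositories-per-user rule of thumb, flags tokens that share an SCM user (which add no capacity because the limit is per user), and gates requests for one user against the 5000-per-hour budget and one-second spacing quoted for GitHub. The limits, the repository-per-user ratio, and the sample organization counts are taken from or constructed for this page; the injectable clock is an assumption that lets the gate be exercised without waiting.

```python
"""Plan SCM access tokens per IQ sub-organization and gate API calls.

Added example, not part of Sonatype Lifecycle. Constants mirror the
figures on this page (GitHub: 5000 requests/hour/user, >= 1 s between
requests; rule of thumb: one SCM user per 500 repositories).
"""
import math
import time
from collections import defaultdict

GITHUB_HOURLY_LIMIT = 5000    # requests per hour, per SCM user (from the page)
MIN_SPACING_SECONDS = 1.0     # minimum delay between requests (from the page)
REPOS_PER_USER = 500          # starting point suggested on the page
WINDOW_SECONDS = 3600


def users_needed(repo_count, repos_per_user=REPOS_PER_USER):
    """Distinct SCM users (hence tokens) to provision for one sub-organization."""
    if repo_count <= 0:
        return 0
    return math.ceil(repo_count / repos_per_user)


def plan_token_pool(org_repo_counts):
    """Map each IQ sub-organization name to the number of tokens it needs.

    org_repo_counts: {org_name: repository_count}
    """
    return {org: users_needed(n) for org, n in org_repo_counts.items()}


def shared_user_tokens(tokens):
    """Return {scm_user: [token_labels]} for users that back more than one token.

    tokens: iterable of (token_label, scm_user). Because the SCM rate limit
    is enforced per user, a second token for the same user adds no capacity
    and should be replaced by a token for a distinct user.
    """
    by_user = defaultdict(list)
    for label, user in tokens:
        by_user[user].append(label)
    return {user: labels for user, labels in by_user.items() if len(labels) > 1}


class UserRateGate:
    """Request budget for a single SCM user: a rolling one-hour cap plus a
    minimum spacing between consecutive requests.

    `clock` is injectable (hypothetical parameter, defaults to a monotonic
    clock) so the gate can be checked deterministically.
    """

    def __init__(self, hourly_limit=GITHUB_HOURLY_LIMIT,
                 min_spacing=MIN_SPACING_SECONDS, clock=time.monotonic):
        self.hourly_limit = hourly_limit
        self.min_spacing = min_spacing
        self.clock = clock
        self.sent = []  # timestamps of requests inside the current window

    def wait_time(self):
        """Seconds to wait before the next request may be sent (0.0 if now)."""
        now = self.clock()
        # Drop requests that have aged out of the rolling hour.
        self.sent = [t for t in self.sent if now - t < WINDOW_SECONDS]
        delays = [0.0]
        if self.sent:
            delays.append(self.min_spacing - (now - self.sent[-1]))
            if len(self.sent) >= self.hourly_limit:
                # Budget exhausted: wait until the oldest request leaves the window.
                delays.append(WINDOW_SECONDS - (now - self.sent[0]))
        return max(delays)

    def record(self):
        """Note that a request was just sent for this user."""
        self.sent.append(self.clock())


if __name__ == "__main__":
    # Constructed sample: repository counts per IQ sub-organization.
    sample_orgs = {"payments": 120, "platform": 2400, "mobile": 500}
    print(plan_token_pool(sample_orgs))
    # Constructed sample: two tokens were minted for the same SCM user.
    print(shared_user_tokens([("tok-1", "scm-bot-a"), ("tok-2", "scm-bot-a"), ("tok-3", "scm-bot-b")]))
```

Run the module directly to see the planned token count per sub-organization and the duplicate-user report; in practice the user behind each token would be recorded when the token is minted, since the SCM API does not expose capacity per token.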