Developers need to know when and where violations were introduced in their applications so that they can address and remediate the issues efficiently and effectively. The earlier they get this information in the software development life cycle (SDLC), the easier it is to fix. Effective integrations with SCMs like Azure DevOps therefore help developers shift left, keep applications secure, and speed up the pace of innovation.
How are development teams using Source Control Management systems?
Modern Source Control Management (SCM) systems provide a forum for ease of collaboration among developers as software evolves, where code gets shared and reviewed by both humans and machines. Developers are able to perform quality control of their application by enabling feedback via code reviews on both commits and pull requests.
The integration helps support customers throughout their open source software (OSS) governance growth and expansion. We can now onboard all of an organization's applications that are stored in their source control repository and deliver an Instant Risk Profile of the OSS used in those applications.
Sonatype Lifecycle can continue to evaluate the customer's source control to understand how these applications change over time. By leveraging continuous monitoring, we can suggest component updates and create automatic pull requests for new violations that are discovered in deployed applications.
Scanning all new pull requests means that we can deliver feedback to developers on net-new vulnerabilities during the code review process. And the best time to deliver these insights is when they’re actively writing and submitting code.
What are the main integration points between Sonatype Lifecycle and SCMs?
Easy onboarding and Instant Risk Profile
Sonatype Lifecycle provides an enhanced experience to quickly onboard applications from GitHub, GitLab, Bitbucket, and Azure DevOps. This simplifies adoption and implementation across a development org, drastically reducing the time to remediation.
An Instant Risk Profile is created by automatically scanning the applications at the time of onboarding. We create a software bill of materials (SBOM) for all of the repositories and do an automatic policy evaluation to assess the level of risk. We deliver all of this in a report with remediation insights so our customers can understand their exposure across all of their applications and start to formulate a plan to fix the violations.
Automated pull requests
Automated pull requests (GitLab calls them "Merge Requests") are used as part of continuous monitoring to automate security scanning. Sonatype Lifecycle will watch for new versions of dependencies and automatically open pull requests for developers if we find policy violations. The PRs can easily be reviewed and merged to make sure applications stay up to date.
If a version exists that fixes the violation, we provide details for the next-best version, not just the newest version, unlike some of our competitors. The next-best version is the nearest version that no longer contains the violation; the version immediately after the current one can still be affected, and the newest version may be a larger upgrade than necessary.
Pull request comments
PR comments are more specific than Auto PRs, and apply to new violations that are introduced when developers are actively writing and committing code. PR commenting notifies developers when code they commit in SCM will introduce risk or break a build and why. The feedback is contextual to the individual branch they are working on for code changes they just made.
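The two behaviours described above, pull request comments that report only the violations a branch introduces, and automated pull requests that propose the next-best fixed version rather than the newest one, can be shown in a small worked example. The code below is an added illustration, not Sonatype's code or data model: the branch manifests, the affected-version lists, the known-version lists and every function name are constructed assumptions.

```python
"""Added example (not Sonatype's code): report the dependency violations a
pull request introduces relative to its base branch, and pick the next-best
fixed version for each one.

All data here is constructed for illustration: manifests, policy data and
helper names are assumptions, not the product's data model or API.
"""
from typing import Dict, List, Optional, Tuple

# Dependency manifests as {component: version}, the way a scan of each branch
# might summarise them (constructed sample data).
BASE_BRANCH = {
    "lodash": "4.17.15",
    "express": "4.17.1",
    "minimist": "1.2.0",
}
PR_BRANCH = {
    "lodash": "4.17.15",    # unchanged: already a violation on base, so not net-new
    "express": "4.17.1",
    "minimist": "1.2.0",
    "node-fetch": "2.6.0",  # newly added by the PR
}

# Policy data (constructed, hypothetical): versions that violate policy, and
# the versions known to exist so that a fix can be selected.
AFFECTED = {
    "lodash": {"4.17.15", "4.17.16"},
    "node-fetch": {"2.6.0"},
}
KNOWN_VERSIONS = {
    "lodash": ["4.17.14", "4.17.15", "4.17.16", "4.17.20", "4.17.21"],
    "node-fetch": ["2.6.0", "2.6.1", "2.6.7", "3.0.0"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def next_best_version(component: str, current: str) -> Optional[str]:
    """Smallest known version above `current` that is not affected.

    The newest version would also clear the violation, but the nearest fixed
    version keeps the upgrade distance (and the chance of breakage) small.
    Note that the version immediately after `current` may itself be affected,
    which is why candidates are filtered against AFFECTED, not just sorted.
    """
    cur = parse_version(current)
    candidates = [
        v for v in KNOWN_VERSIONS.get(component, [])
        if parse_version(v) > cur and v not in AFFECTED.get(component, set())
    ]
    return min(candidates, key=parse_version) if candidates else None


def net_new_violations(base: Dict[str, str], pr: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Return only violations the PR introduces.

    A component@version counts as net-new when it violates policy and the
    base branch did not already carry that exact version. Pre-existing
    violations are left to continuous monitoring rather than repeated on
    every pull request.
    """
    findings = []
    for component, version in sorted(pr.items()):
        if version not in AFFECTED.get(component, set()):
            continue  # not a policy violation at all
        if base.get(component) == version:
            continue  # pre-existing on base, so not introduced by this PR
        findings.append({
            "component": component,
            "version": version,
            "next_best": next_best_version(component, version),
        })
    return findings


def format_pr_comment(findings: List[Dict[str, Optional[str]]]) -> str:
    """Render findings as the text a PR comment might carry."""
    if not findings:
        return "No new policy violations introduced by this pull request."
    lines = ["This pull request introduces policy violations:"]
    for f in findings:
        fix = f["next_best"] or "no fixed version known"
        lines.append(f"- {f['component']}@{f['version']} (next-best version: {fix})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_pr_comment(net_new_violations(BASE_BRANCH, PR_BRANCH)))
```

Run as a script, the example reports only `node-fetch@2.6.0` with `2.6.1` as the next-best version; the `lodash` violation is skipped because the base branch already carried it. Swapping the base manifest so that the PR is the change that bumps `lodash` from `4.17.14` to `4.17.15` makes it net-new, and the suggested fix is `4.17.20`, not `4.17.16`, because `4.17.16` is also affected.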
Video introduction for Azure DevOps functionality (view on play.sonatype.com)
ADP feedback can be added to pull request commenting
High-performing teams need solutions that make their development practices better. The best-performing organizations are applying automation to help them manage their open source component choices and updates. Knowing what components to avoid from the start of a project, either because it doesn't fit policy or is associated with abnormal committer behavior, saves developers an incredible amount of time. Sonatype Lifecycle customers now have the opportunity to gain additional insights in their pull request comments by enabling Sonatype's Advanced Development Pack (ADP).
Using the Advanced Development Pack, teams will be able to better understand:
the cost (read: effort) of migrating to a newer or safer version, as well as whether it's possible to do so without breaking the code.
the performance of open source projects they are choosing when it comes to release frequency, cadence of dependency updates, development team size, and popularity. These help guide choices to a higher quality pool of components.
the frequency with which dependencies have become vulnerable and been remediated, giving a better grasp on the cost and threat of relying on such packages.
We're working to make sure developers have all the information they need to make better component decisions at the right time based on our trusted recommendations. Talk to someone on our team today to learn more about getting early, precise feedback directly in your Git environment.