Developers Gain Contextual Feedback with Automated Pull Request Commenting

March 31, 2020 By Kevin Miller


At Sonatype, we work continuously to increase awareness of open source risk, and decrease the time it takes you to make your applications safe. It is our never-ending quest to shift security left. We've rolled out even more granular and automated policy feedback with pull request comments directly in GitHub.

Developers need to know where potential policy violations or security vulnerabilities are introduced so that they can address and fix the issues efficiently and effectively. This reduces time to remediation and minimizes manual work. Our new PR commenting feature for GitHub notifies a developer when the code they commit introduces risk or breaks a build, and why. When you run a policy evaluation on the branch you are working on, we'll automatically leave feedback with contextual comments on vulnerabilities that were introduced in that specific branch. By being notified if and where violations were introduced, we enable you to react faster and decrease risk to your organization.

Why SCM Integrations?

Source control management systems, like GitHub, GitLab, and Bitbucket, are often the first place where a piece of code gets shared and reviewed. At Sonatype, we enable developers to push quality control of their application into their SCM tools, and run evaluations against policy configurations in Nexus Lifecycle. The results help developers choose the best components that comply with company policies and are the safest.

Any time a new package or component is brought into the code, multiple new dependencies may be introduced -- even hundreds, depending on the component selected. Given the speed of development, sheer number of dependencies and possible vulnerabilities, there is an increased need for automation and immediate feedback.

Holistic Application Scans & Automated Pull Requests

The Nexus Platform provides information for the entire DevSecOps organization across the SDLC. Nexus Lifecycle generates global reports of all the vulnerabilities inside an application. This information is extremely valuable to security professionals and leverages our highly-curated Nexus Intelligence data. Developers, however, want a view that is more specific to them. They need contextual feedback on the code they are actively working on, and automation of manual tasks to keep up with the speed of development.

We also enable automated pull requests for Java and npm to automate security scanning. As part of continuous monitoring, we watch for new versions of dependencies and automatically open pull requests which can be easily reviewed and merged to make sure your applications stay up to date.

Here we create an automatic pull request to remediate a policy violation in an npm package and bump the version of react-dom:

[Screenshot: automated pull request bumping react-dom]

Specific & Timely Feedback

PR comments are more specific, and apply to accountable or net-new violations that a developer may have introduced. The commit feedback is contextual to the individual branch they are working on for code changes they just made. They give developers all the information they need to make better component decisions at the most opportune time.
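The distinction that makes these comments useful is the one between a finding that already existed on the base branch and a net-new finding on a component the branch itself introduced or changed. The following is an added example, not Sonatype's code, showing one way to compute that net-new set from two package.json manifests and render it as a PR comment body. The two manifests, the advisory table, the `EXAMPLE-` ids, the threat levels and the report URL are all constructed placeholders; a real integration would resolve versions from the lockfile and pull findings from the policy evaluation rather than from an inline table.

```python
"""Compute net-new dependency findings between a base branch and a feature
branch and render them as a pull-request comment body.

Added example, not Sonatype's code. The manifests and the advisory table are
constructed inline; the advisory ids, threat levels and report URL are
placeholders, not real data.
"""
import json
from typing import Dict, List, Tuple

Coordinate = Tuple[str, str]  # (package name, exact version)

# Constructed package.json contents for the base branch (e.g. main) ...
BASE_PACKAGE_JSON = """
{
  "dependencies": { "react": "16.13.0", "react-dom": "16.12.0", "lodash": "4.17.15" }
}
"""

# ... and for the feature branch under review: lodash downgraded, minimist added.
BRANCH_PACKAGE_JSON = """
{
  "dependencies": { "react": "16.13.0", "react-dom": "16.12.0", "lodash": "4.17.11" },
  "devDependencies": { "minimist": "0.0.8" }
}
"""

# Constructed advisory table keyed by coordinate. Ids and threat levels (0-10,
# the scale Lifecycle reports) are placeholders, not real advisories.
ADVISORIES: Dict[Coordinate, List[dict]] = {
    ("lodash", "4.17.11"): [{"id": "EXAMPLE-0001", "threat": 7}],
    ("minimist", "0.0.8"): [{"id": "EXAMPLE-0002", "threat": 5}],
    ("react-dom", "16.12.0"): [{"id": "EXAMPLE-0003", "threat": 3}],  # already on base
}


def parse_dependencies(package_json: str) -> Dict[str, str]:
    """Return name -> version for dependencies and devDependencies.

    Only exact pins are handled here; a real resolver would read the lockfile
    so that ranges like ^4.17.0 resolve to the version actually installed.
    """
    manifest = json.loads(package_json)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    return deps


def changed_coordinates(base: Dict[str, str], branch: Dict[str, str]) -> List[Coordinate]:
    """Coordinates the branch introduces: new packages or changed versions."""
    return sorted(
        (name, version) for name, version in branch.items() if base.get(name) != version
    )


def net_new_violations(base_json: str, branch_json: str, advisories) -> List[dict]:
    """Findings attributable to this branch only, highest threat first.

    A finding on a coordinate the base branch already had (react-dom here) is
    not reported: the developer did not introduce it, so it belongs in the
    application-wide report rather than in the PR comment.
    """
    base = parse_dependencies(base_json)
    branch = parse_dependencies(branch_json)
    findings = []
    for name, version in changed_coordinates(base, branch):
        for adv in advisories.get((name, version), []):
            findings.append({"package": name, "version": version, **adv})
    return sorted(findings, key=lambda f: (-f["threat"], f["package"]))


def render_comment(findings: List[dict], report_url: str) -> str:
    """Markdown body for the PR comment: one line per finding plus a report link."""
    if not findings:
        return "No new policy violations introduced on this branch."
    lines = [f"{len(findings)} new policy violation(s) introduced on this branch:", ""]
    for f in findings:
        lines.append(f"- **{f['package']}@{f['version']}** threat level {f['threat']} ({f['id']})")
    lines += ["", f"Full details: {report_url}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = net_new_violations(BASE_PACKAGE_JSON, BRANCH_PACKAGE_JSON, ADVISORIES)
    # Placeholder URL; a real integration would link to the Lifecycle report.
    print(render_comment(found, "https://lifecycle.example.invalid/report/PLACEHOLDER"))
```

Running the script reports the lodash downgrade and the new minimist dependency, ordered by threat level, and stays silent about the react-dom finding because that coordinate was already on the base branch. The same comparison can be done against the base and head commits of a pull request; the choice to compare manifests rather than lockfiles here is purely for brevity.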

Here is an example of the automated commit feedback in a PR comment with a list of vulnerabilities, the threat level of each, and a link to the full details in Nexus Lifecycle.

[Screenshot: PR comment listing introduced vulnerabilities with threat levels and a link to Nexus Lifecycle]

We offer more developer tools and integrations to find, investigate, and remediate policy and security violations. Put security and information at the developers' fingertips. Decrease risk from the start.


Written by Kevin Miller

Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source risk.