Overview
Score an easy win by importing your Source Control Manager (SCM) repositories into Sonatype Lifecycle and get an initial glimpse of the risk they pose. After you load the source code into Lifecycle, access the results of the baseline scan (Instant Risk Profile).
These baseline results identify the highest priority (most vulnerable) applications in the repository. Your development teams will benefit, knowing which applications need to be prioritized when working through your remediation plan.
Course Goals
This course will help you optimize your onboarding experience. Easy SCM Onboarding is designed to quickly onboard, configure, and scan up to 15 repos at a time. This enables rapid visibility into your open source risks for critical applications.
Objectives
By the end of this course, you will be able to:
- Describe the Easy SCM Onboarding process
- Onboard (Import) your repositories / applications
- View the results of the Instant Risk Profile
- Search the Instant Risk Profile results
| Prerequisites | There is no required coursework prior to beginning of this course. However we do recommend Intro to Sonatype Lifecycle – Foundations for new users, it will likely aid in better understanding the benefits of the Sonatype Lifecycle. |
| Target Audience | This course is designed for new users who are onboarding applications / repositories into Sonatype Lifecycle. |
| Est. Time to Complete | 35 minutes |
| System Requirements | Before you can scan applications from source control you’ll need the following: – An account with a supported source control system. Currently, we support GitHub, GitLab, Bitbucket, and Azure DevOps – A repository in that source control system – An access token for your source control management system – An installation of Sonatype Lifecycle version 109 or later – To set up a local instance of Lifecycle, follow the installation steps in the Lifecycle Quickstart guide. This should primarily be used for testing purposes prior to integrating Lifecycle into your development environment. – Information about deploying Lifecycle into your production Software Development Life Cycle (SDLC) can be found in the help documentation, Getting Started. -Permission to change the root organization in your instance of Lifecycle – You must configure the base URL before attempting to configure notifications for your team. If your Base URL is not set, links that direct back to the IQ Server will not work. Note: The product version used in this course may be different than your own. The screens may have a different display, but the content and concepts remain generally the same. |
| Setting Expectations | The onboarding scan is a one-time scan of your source code designed to give you an initial picture of an application’s risk. But an automatic scan will be performed every 24 hours at the source stage until the scan is integrated in the Continuous Integration (CI) pipeline then it’ll stop. This scan also helps your team prioritize any remediation work that will need to be done. Use the results with the highest priority (most vulnerable) from the repository to get started. |
Ratings and Reviews
Ingmar
A good introduction into setting up lightweight scanning of source code repositories for the low hanging fruit of open source violations. In the bigger picture this is a nice and easy setup for initial disclosure of easy to spot OSS vulnerabilities, also integrating with pull request commenting, which could save time for developers when used efficiently,
Great tool to help you get basic insights into your open-source risk in your applications.