| Question | Answer |
| --- | --- |
| What’s the expectation for today’s developers? | Quickly and independently develop, test, and deploy code into production, safely and securely, for you and your team, doing the security work up front rather than waiting until the end of the process, when the code has already been moved to production. |
| How do you accomplish that? | Use a tool that can automate open source governance, enforce policies, and remediate vulnerabilities BEFORE you send code to production. |
| But why? | Long story short, it saves you time. “I could do stuff manually, but with more pain and I’d rather be coding.” Shifting left helps you make better choices early, saving time further down the life cycle. |

This course describes how shifting left, selecting better components for your applications before they are tightly integrated into the application codebase, drastically reduces friction and process costs further down the release cycle.
We will review how to analyze component risks within your Integrated Development Environment (IDE), including security, license, and compliance with established organizational policies, so that you can remediate quickly and effectively.
This course demonstrates the Eclipse IDE. Note that Sonatype Lifecycle also integrates with IntelliJ IDEA and Visual Studio through their respective plugins.
Objectives
By the end of this course, you will be able to:
- Describe the impact of making better component choices earlier in the SDLC
- Describe how Sonatype Lifecycle IDE Integration fits into the Sonatype Platform
- Articulate the differences between an IDE Integration analysis and a Continuous Integration scan
- Select the best integration option for your particular project
- Determine the right place and time to introduce developer tooling into your DevSecOps process to make better component choices earlier in the SDLC
- Make informed decisions about which component versions to target for an upgrade
- Use the IDE plugin to review policy violations
- Locate the Policy Violations, License Analysis and Security Issues section in the Component Info tab
- Identify OSS policy threats (security, legal, and architectural), current version used, and whether better versions of your components are available
- Differentiate between direct and transitive dependencies
- Upgrade components using the migrate functionality within the IDE plug-ins
Prerequisites
Intro to Lifecycle
Organization Policies in Lifecycle
Target Audience
The target audience for this course includes developers, software engineers, and others who want to know more about using Sonatype Lifecycle in their IDEs.
Estimated Time to Complete
45 minutes
System Requirements
It is assumed that your IDE Plugin is installed and configured. Step-by-step directions are available:
- Installing Lifecycle for Eclipse
- Installing Lifecycle for IntelliJ IDEA
- Installing Lifecycle for Visual Studio
The product version used in this course may differ from your own, so the screens may look different, but the content and concepts remain generally the same.
The Sonatype platform is available in cloud, self-hosted, and disconnected deployment options. Be advised that the visuals in this course could be sourced from any (or all) of the three; again, the display may differ, but the content and concepts remain generally the same.
Setting Expectations
For this course, the screens we’ve demonstrated use the Eclipse IDE. Note that Lifecycle also integrates with IntelliJ and Visual Studio plugins.
Refer to our Glossary for more information on any of the terms used throughout this course.