Developers gain contextual feedback with automated pull request commenting
By Kevin Miller
At Sonatype, we work continuously to increase awareness of open source risk and decrease the time it takes you to make your applications safe. It is our never-ending quest to shift security left. We've rolled out even more granular and automated policy feedback with pull request comments directly in GitHub.
Developers need to know where potential policy violations or security vulnerabilities are introduced, so that they can address and fix the issues efficiently and effectively. This reduces time to remediation and minimizes manual work. Our new PR commenting feature for GitHub notifies a developer when the code they commit introduces risk or breaks a build and why it does so.
When you run a policy evaluation on the branch you are working on, we automatically leave feedback as contextual comments on the vulnerabilities that were introduced in that specific branch. Telling you whether, and where, violations were introduced lets you react faster and decrease risk to your organization.
Why SCM Integrations?
Source control management systems, like GitHub, GitLab, and Bitbucket, are often the first place where a piece of code gets shared and reviewed. At Sonatype, we enable developers to push quality control of their application into their SCM tools, and run evaluations against policy configurations in Sonatype Lifecycle. The results help developers choose the best components that comply with company policies and are the safest.
Any time a new package or component is brought into the code, multiple new dependencies may be introduced, even hundreds, depending on the component selected. Given the speed of development, the sheer number of dependencies, and the possible vulnerabilities among them, there is an increased need for automation and immediate feedback.
Holistic application scans and automated pull requests
The Sonatype Platform provides information for the entire DevSecOps organization across the SDLC. Sonatype Lifecycle generates global reports of all the vulnerabilities inside an application. This information is extremely valuable to security professionals and leverages our highly curated Sonatype Intelligence data. Developers, however, want a view that is more specific to them. They need contextual feedback on the code they are actively working on, and automation of manual tasks to keep up with the speed of development.
We also enable automated pull requests for Java and npm to automate security scanning. As part of continuous monitoring, we watch for new versions of dependencies and automatically open pull requests which can be easily reviewed and merged to make sure your applications stay up-to-date.
Here we create an automatic pull request that remediates a policy violation in an npm package by bumping the version of react.dom.
Specific and timely feedback
PR comments are more specific, and apply to accountable or net-new violations that a developer may have introduced. The commit feedback is contextual to the individual branch they are working on for code changes they just made. They give developers all the information they need to make better component decisions at the most opportune time.
Here is an example of the automated commit feedback in a PR comment, with a list of vulnerabilities, the threat level of each, and a link to the full details in Sonatype Lifecycle.
We offer more developer tools and integrations to find, investigate, and remediate policy and security violations. Put security and information at developers' fingertips. Decrease risk from the start.
Written by Kevin Miller
Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source risk.