Source Scan

The Source Scan, scans both public and private repositories from the Git and Bitbucket. The scanning process includes SAST (Static Application Security Testing), code license verification, secret detection, and component analysis.

By integrating OpsMx Delivery Shield with your Bitbucket repository, you gain continuous, automated source code scanning that enhances the security of your software delivery pipeline. Regular scans, detailed reporting, and advanced features like CI/CD integration ensure that your software is built with security in mind from the very beginning.

This page explains the process of Source Scan for Bitbucket repository.

Before starting with the scan, you need to integrate Bitbucket with the OpsMx platform. Follow the steps provided in Integrating BitBucket to complete the process.
Once the Bitbucket integrator is connected to OpsMx you can start with the source scan.

To Access Source Scan

Click on Scan Now button at the top right corner of the screen.

In the screen that appears, select Source Scan from the left panel.

Now you can Add Project, Upload Project or Sync Project to proceed with the scan.

To Add a Project

To add or update a new project with source scan configurations, for scanning, click Add Project.
The Create Project details page is displayed as shown below. Enter the details for the following fields:

Name : Enter a name for the project.
Team : Select the team for which you want to create the project.
Scan Type : The default type is Source Scan.
Platform : Select the platform type, the platform where the code resides (Github, Gitlab Server, Bitbucket, Bitbucket Server, Azure, Azure Server) for the project.
Account : Choose the needed account that has been integrated for the selected platform. If no account is available for the selected platform then click Add Account.
- The integration page is displayed. You can add a new account.
Organization / Workspace : Choose the organization or workspace that the selected account has access to.
Scan Level : Select the scan level; either organization level or repository level that needs to be scanned.
Configuration : Set the configuration details, and schedule the auto scan time.
- Repo /Project : Select the repo or project name for which the scan needs to be executed.
- Branch : Select the branch name for which the scan needs to be executed.
- Branch Pattern : Select the branch pattern for which the scan needs to be executed.
- Scan Upto : Select the branch limit for which the scan needs to be executed. (number of branches to be scanned)
- Schedule Auto Scan : Select the time range during which the scan needs to be rerun automatically.
Click Save.

The project gets added for scanning.

To Upload a Project

To upload a project from your local, for scanning, click Upload Project.

Click Upload File and select the json file that you want to add for scanning.

Click Save.

The file gets added for scanning.

To Sync Project

To Sync a project, for scanning, you can either sync it from Argo GitHub repository to SSD or add the project details in code format.

Syncing Projects from Argo Github Repository

In a regular working instance of SSD with argo setup, config map with name adhoc-project-cm needs to be synced with argo github repository. The YAML file name should be project.yaml.

E.g.

Given below is a sample file that can be synced using argo. When synced this will create a config map with name adhoc-project-cm with project.yaml file containing one sample project

apiVersion: v1
kind: ConfigMap
metadata:
  name: adhoc-project-cm
data:
  project.yaml: |
    - name: bitbucket-ws1
      scanType: sourceScan
      platform: bitbucket
      accountName: bitbucket
      teamName: default
      scanLevel: repoLevel
      organisation: OpsMx
      type: organisation
      projectConfigs:
        - repository: docker-swarm
          scheduleTime: 0
          branch:
            - main
          branchPattern: ''
          scanUpto: 1
        - repository: issue-generator
          scheduleTime: 0
          branch:
            - fixes
            - grype
            - main
          branchPattern: ''
          scanUpto: 3

Org level integrator account name: “dev”

Team level integrator account name: "dev (<team-name>)",

Env level integrator account name: "dev (<team-name>) [<env-name>]",

kubectl apply -f project.yaml -n <namespace>

Syncing Projects in Code Format

To Sync projects in code format add the project details int he given format below:

[
  {
    "name": "bitbucket-ws",
    "scanType": "sourceScan",
    "platform": "bitbucket",
    "accountName": "bitbucket",
    "teamName": "default",
    "scanLevel": "repoLevel",
    "organisation": "OpsMx",
    "type": "organisation",
    "projectConfigs": [
      {
        "repository": "docker-swarm",
        "scheduleTime": 0,
        "branch": [
          "main"
        ],
        "branchPattern": "",
        "scanUpto": 1
      },
      {
        "repository": "issue-generator",
        "scheduleTime": 0,
        "branch": [
          "fixes",
          "grype",
          "main"
        ],
        "branchPattern": "",
        "scanUpto": 3
      }
    ]
  }
]

To View and Interpret Scan Results

Once the scan is complete, OpsMx generates the overall results and they are displayed as shown below:

Repos Registered
Total Branches
Total Scans
Total Projects
Auto Scan Enabled Repos

The panel at the bottom displays the project details. On expanding each project you can view the complete details of it.

To edit the configuration details of the project, click the Edit Configuration button.
Click the View option in the Action button, to view the SAST and SCA scan results of the project.

Click the Download button to download the scan results.

Best Practices

To get the most out of OpsMx Delivery Shield Source Scan, consider following these best practices:

Frequent Scanning: Run the scans regularly (e.g., after each commit or weekly) to detect the vulnerabilities early.
CI/CD Pipeline Integration: Incorporate source scanning into your continuous integration/continuous deployment pipeline to identify the issues before they go live.
Alerts and Notifications: Set up alerts to notify your team when critical vulnerabilities are detected, to address them promptly.
Fixing Issues in Advance: Address vulnerabilities as soon as they are found to prevent issues from piling up.

Troubleshooting

If you encounter any issues during or after the scan, check the following:

Connection Issues with Bitbucket:
- Ensure that the correct authentication methods (OAuth, API tokens, SSH) are set up properly.
- Verify that the OpsMx account has the necessary permissions to access the Bitbucket repository.
- Check for bitbucket url whitelisting in supplychain api configmap

PreviousScan Now NextArtifact Scan

Last updated 9 days ago