There are many ways to configure SOOS to alert you to vulnerable or non-compliant code. To ensure that problematic code is never committed to a repository, you can configure SOOS to fail scans when vulnerabilities or policy violations are encountered, and have your pipeline fail the build on that scan failure.
Here are the steps to take to prevent problematic code from being committed to a repository:
Set the scan step in your CI/CD pipeline to wait for the scan results.
- This ensures that the scan step fails the build when vulnerabilities or violations are present (provided the corresponding failure conditions are enabled in the app).
- If the scan step does not wait for the results, it returns before the scan has finished and therefore has no failure status to act on; the build proceeds regardless of what the scan finds.
- If the scan step receives a failure status from the results, it fails the build.
Configure your scan failure conditions.
The SOOS application provides multiple settings that specify failure conditions for your scans:
Vulnerability Failure Conditions
- Customize these settings on the Configure page in the SOOS UI; they can apply globally or at the project level.
- For each vulnerability type, select the minimum severity at which a finding raises a failure flag and causes the scan to complete with a failure status.
Governance Policy Violation Failure Conditions
- Configure these settings when building each individual policy on the Governance page. Policies can be applied globally or at the project level.
- When creating a policy, select the severity level assigned to violations of that policy. For an existing policy, simply update this setting.
- Then open the Scan Settings on the Configure page and select the violation severity at which a violation triggers a scan failure.
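The following is an added example, not part of the SOOS documentation or the SOOS client, that models the two steps above in a POSIX shell pipeline gate. `soos_scan` is a constructed stand-in for the real scan step: its third argument stands in for the severity threshold you configure on the Configure page, and its "async" mode models a step that does not wait for results. The point it shows is that a non-waiting step can never fail the build, no matter what the scan finds.

```shell
#!/bin/sh
# Added example: models a CI scan step that gates the build on the scan's
# failure status. soos_scan is a CONSTRUCTED stand-in for the real SOOS scan
# step, not the SOOS client; its exit code models the scan's final status
# (0 = passed, 1 = a configured failure condition was met).

# Map a severity name to a rank so thresholds can be compared.
rank() {
  case "$1" in
    critical) echo 4 ;;
    high)     echo 3 ;;
    medium)   echo 2 ;;
    low)      echo 1 ;;
    *)        echo 0 ;;
  esac
}

# Constructed stand-in for the scan step.
#   $1 = mode: "wait" (block until results are in) or "async" (queue and return)
#   $2 = severity of the worst finding the scan would report (constructed input)
#   $3 = configured failure threshold (models the Configure page setting)
soos_scan() {
  mode="$1"; worst="$2"; threshold="$3"
  if [ "$mode" = "async" ]; then
    # Fire-and-forget: the step returns as soon as the scan is queued.
    # There is no result yet, so there is nothing to fail on.
    return 0
  fi
  # Waiting mode: results are available, so apply the failure condition.
  if [ "$(rank "$worst")" -ge "$(rank "$threshold")" ]; then
    return 1
  fi
  return 0
}

# Pipeline gate: fail the build only when the scan step reports failure.
gate_build() {
  if soos_scan "$1" "$2" "$3"; then
    echo "build passed: scan reported no failure condition"
    return 0
  fi
  echo "build failed: scan reported failure status"
  return 1
}

# Stand-alone demonstration of the three cases.
gate_build wait  high     high   || echo "(expected: waiting step fails the build)"
gate_build wait  medium   high   && echo "(expected: below threshold, build passes)"
gate_build async critical high   && echo "(pitfall: non-waiting step never fails the build)"
```

In a real pipeline the third case is the one to watch for: a scan step that returns as soon as the scan is queued always exits successfully, so the severity thresholds configured in the app have no effect on the build.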
If you wish to know immediately when a scan fails, you can have notifications sent by email to an address of your choice. This option is in the Organization settings, under your user settings in the left navigation menu.