Configuring SOOS is quick and easy, and can be done at either the global or project level.
In order to configure your SOOS application, select Configure from the left navigation.
Global Configurations
- On the Configure page, set your Global Settings first: ensure the Project dropdown is set to Global.
Define Your Packages
Define your internal packages by adding one or more package IDs as Package Masks. Read more about Using Package Masks here.
Branch Scan Filters
For accounts that are integrated with GitHub or CI/CD build systems, if you prefer to scan only a subset of your repo branches, rather than the contents of all your repos, enter the desired branch names in the Branch Scan Filter.
- All Branch Scan Filters include main and master by default. Removing the default branches displays the (*) wildcard, which means every branch within the integrated repositories will be scanned.
- When adding a branch to the filter, check the Daily Rescan setting if you would like the branch to be automatically scanned every day, regardless of any repo activity such as commits.
- Using the Daily Rescan ensures that branches with infrequent changes or release branches continue to be scanned for new vulnerabilities and other issues.
- The Retention Period selection lets you schedule the automatic removal of inactive, unneeded branches. The length of time you select is measured from when the branch's last scan was initiated; a branch not scanned within that period is removed.
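As an added illustration (not SOOS code; the glob-style matching, the way Daily Rescan is tied to a filter entry, and the sample branches are assumptions made here), the following Python models how the three branch settings above interact: the filter decides which pushed branches get scanned, Daily Rescan triggers a scan with no commit, and the Retention Period removes branches whose last scan started too long ago.

```python
"""Model of Branch Scan Filter, Daily Rescan and Retention Period.

Added illustration, not SOOS code: the matching rules and the sample
branches below are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Documented defaults: every filter starts with main and master.
DEFAULT_FILTER = ("main", "master")


@dataclass(frozen=True)
class BranchPolicy:
    # Branch names or glob patterns in the filter; an empty tuple means the
    # (*) wildcard, i.e. every branch in the integrated repositories.
    names: tuple = DEFAULT_FILTER
    # Filter entries that also get a scan every day without any commits.
    daily_rescan: frozenset = frozenset()
    # Branches whose last scan *started* longer ago than this are removed.
    retention: timedelta = timedelta(days=90)

    def patterns(self):
        return self.names or ("*",)

    def matches(self, branch):
        return any(fnmatchcase(branch, p) for p in self.patterns())

    def daily_rescan_due(self, branch, last_scan, now):
        # Daily Rescan is set on a filter entry, so it only applies to
        # branches the filter already covers (assumption).
        return (branch in self.daily_rescan and self.matches(branch)
                and now - last_scan >= timedelta(days=1))

    def expired(self, last_scan, now):
        return now - last_scan > self.retention


def plan_branches(policy, branches, now):
    """Decide 'scan', 'skip' or 'remove' for each (name, last_scan, pushed)."""
    actions = {}
    for name, last_scan, pushed in branches:
        if pushed and policy.matches(name):
            actions[name] = "scan"      # commit on a filtered-in branch
        elif policy.daily_rescan_due(name, last_scan, now):
            actions[name] = "scan"      # scheduled rescan, no commit needed
        elif policy.expired(last_scan, now):
            actions[name] = "remove"    # retention period has elapsed
        else:
            actions[name] = "skip"
    return actions


# Constructed sample: main/master plus all release branches, with
# release/2.0 marked for Daily Rescan and the default 90-day retention.
POLICY = BranchPolicy(names=("main", "master", "release/*"),
                      daily_rescan=frozenset({"release/2.0"}))
NOW = datetime(2024, 5, 1, 12, 0)
SAMPLE_BRANCHES = [
    ("main",           NOW - timedelta(days=2),   True),   # pushed, in filter
    ("feature/x",      NOW - timedelta(days=1),   True),   # pushed, not in filter
    ("release/2.0",    NOW - timedelta(days=3),   False),  # no commits, daily rescan on
    ("old/experiment", NOW - timedelta(days=120), False),  # idle past retention
]


def sample_plan():
    return plan_branches(POLICY, SAMPLE_BRANCHES, NOW)


if __name__ == "__main__":
    for branch, action in sample_plan().items():
        print(f"{branch:15s} -> {action}")
```

Note that `feature/x` is skipped even though it was pushed, because it is not in the filter; with an empty filter (the wildcard) it would be scanned, which is the trade-off between a narrow filter and catching everything.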
GitHub Settings
- If you have integrated with GitHub, enabling GitHub Webhooks under GitHub Settings will trigger SOOS to initiate a new scan each time you make a commit.
- If Webhooks are not enabled you can scan your GitHub projects using the QuickScan function.
- Indicate a custom Build Version File Name to tag your scan with a version using anything other than the default soos_version.txt file.
GitHub Pull Requests
- GitHub Pull Request configurations hold the settings the SOOS GitHub App needs in order to create pull requests for identified vulnerabilities.
Dependency Settings
Under Dependency Settings, you can specify each of the following preferences to apply globally to your scans:
- Use Lock File - Enable this setting to always ignore non-lock manifests if a lock file is detected. Read more about using lock files vs non-lock file manifests.
- Scan Full Dependency Tree - This setting is enabled by default for all new accounts. Disable this setting to restrict SOOS scans to direct dependencies only.
- Include Dev/Test Dependencies - Enable this setting to scan development and test dependencies in addition to runtime dependencies; in some instances this may increase the time each scan takes to complete.
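As an added illustration (not SOOS code; the lock-file/manifest pairs and the dependency graph are constructed for the example), the following Python shows what each of the three Dependency Settings changes about a scan's input: which files are read when a lock file is present, how far the dependency walk goes, and whether dev/test dependencies are included.

```python
"""Model of the three Dependency Settings on a constructed lock file.

Added illustration, not SOOS code: the lock-file/manifest pairs and the
dependency graph below are assumptions made for the example.
"""

# Lock file -> manifest it supersedes when "Use Lock File" is enabled.
LOCK_FILE_FOR = {
    "package-lock.json": "package.json",
    "yarn.lock": "package.json",
    "Pipfile.lock": "Pipfile",
    "poetry.lock": "pyproject.toml",
}


def select_manifests(files, use_lock_file):
    """Pick which files a scan reads; lock files win over manifests if enabled."""
    known = set(LOCK_FILE_FOR) | set(LOCK_FILE_FOR.values())
    chosen = {f for f in files if f in known}
    if use_lock_file:
        for lock, manifest in LOCK_FILE_FOR.items():
            if lock in chosen:
                chosen.discard(manifest)   # ignore the non-lock manifest
    return sorted(chosen)


# Constructed dependency graph in the shape of a resolved lock file:
# each package lists its runtime deps; only the root has dev/test deps.
GRAPH = {
    "app":         {"deps": ["express", "lodash"], "dev": ["jest"]},
    "express":     {"deps": ["body-parser", "qs"]},
    "body-parser": {"deps": ["qs"]},
    "qs":          {"deps": []},
    "lodash":      {"deps": []},
    "jest":        {"deps": ["jest-cli"]},
    "jest-cli":    {"deps": []},
}


def collect_dependencies(graph, root, full_tree=True, include_dev=False):
    """Return the packages a scan would examine under the given settings."""
    frontier = list(graph[root]["deps"])
    if include_dev:
        frontier += graph[root].get("dev", [])
    seen = set(frontier)
    if not full_tree:
        return seen                # direct dependencies only
    while frontier:                # walk transitive dependencies
        for child in graph[frontier.pop()]["deps"]:
            if child not in seen:
                seen.add(child)
                frontier.append(child)
    return seen


if __name__ == "__main__":
    print(select_manifests(["package.json", "package-lock.json", "README.md"], True))
    for full, dev in [(False, False), (True, False), (True, True)]:
        print(f"full_tree={full} include_dev={dev}:",
              sorted(collect_dependencies(GRAPH, "app", full, dev)))
```

With Scan Full Dependency Tree disabled, `qs` (reachable only through `express` and `body-parser`) never appears in the scanned set, so a vulnerability in it would go unreported; that is why the setting is on by default.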
Scan Settings
- Within Scan Settings, you have the option to configure SOOS to fail the build based on customized issue severity thresholds for each of the different issue types.
- Note: For these settings to apply, the waitForScan parameter must be enabled!
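As an added illustration (not SOOS code; the issue types, severity scale, thresholds and sample findings are constructed here), the following Python models the Scan Settings gate: each issue type has its own severity threshold, the build fails when any issue reaches it, and without waitForScan the CI step has no results to evaluate, so nothing is gated.

```python
"""Model of Scan Settings: fail the build on per-issue-type severity thresholds.

Added illustration, not SOOS code: the issue types, severity scale, the
thresholds and the sample findings below are assumptions made for the example.
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed thresholds: fail when any issue of the type is at or above the level.
THRESHOLDS = {
    "vulnerability": "high",
    "license": "medium",
    "violation": "critical",
}

# Constructed findings a scan might return (ids are placeholders, not real advisories).
FINDINGS = [
    {"id": "v1", "type": "vulnerability", "severity": "critical", "package": "qs"},
    {"id": "v2", "type": "vulnerability", "severity": "medium",   "package": "lodash"},
    {"id": "l1", "type": "license",       "severity": "medium",   "package": "some-gpl-lib"},
    {"id": "p1", "type": "violation",     "severity": "high",     "package": "internal-pkg"},
]


def breaches(issue, thresholds):
    """True if the issue's severity is at or above its type's threshold."""
    level = thresholds.get(issue["type"])
    if level is None:
        return False            # no threshold configured for this issue type
    return SEVERITY_RANK[issue["severity"]] >= SEVERITY_RANK[level]


def evaluate_build(findings, thresholds, wait_for_scan=True):
    """Return the build verdict.

    Without waitForScan the CI step returns before the scan finishes, so
    there are no results to compare against the thresholds: the build is
    reported as 'not_gated' rather than 'passed'.
    """
    if not wait_for_scan:
        return {"status": "not_gated", "failing": []}
    failing = [i["id"] for i in findings if breaches(i, thresholds)]
    return {"status": "failed" if failing else "passed", "failing": failing}


def exit_code(verdict):
    """Non-zero only for a real failure; a not_gated run does not break CI."""
    return 1 if verdict["status"] == "failed" else 0


if __name__ == "__main__":
    print(evaluate_build(FINDINGS, THRESHOLDS))
    print(evaluate_build(FINDINGS, THRESHOLDS, wait_for_scan=False))
```

The `not_gated` status is the practical check: if your pipeline never shows a failed SOOS step even with critical findings, confirm that waitForScan is enabled before assuming the thresholds are wrong.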
Issue Management Configuration
- Under Issue Management Configuration, select the default issue management tool to use when generating a fix.
- Currently we integrate with JIRA, Azure DevOps, and GitHub. Your options in this section will be determined by the ticketing system(s) you are integrated with.
Global Issue Suppressions
This is where you will find a list of all issues that have been suppressed across all branches of all projects. To cancel the global suppression, select the "X" to delete it.
Project Configurations
Once you've saved your Global settings, you can move on to Project settings. Project level configuration is only necessary if you want a project to be configured differently, otherwise, all projects will follow your Global settings.
- To adjust configurations at a project level, select the desired option from the Project dropdown.
- To customize configurations for the selected project, click the globe icon next to the desired setting to allow the global setting to be overridden, then update the setting to reflect the desired behavior for the chosen project.
- Note: GitHub Webhook settings can only be enabled at the Global level. This setting will not be shown on the Configure page when a project has been selected.
- Save the Project-level configurations and repeat for all other projects as desired.