Configuring SOOS is quick and easy, and can be done at either the global or project level.

To configure your SOOS application, select Configure from the left navigation.

Global Configurations
  • On the Configure page, you'll first want to set your Global Settings. Ensure the Project dropdown is set to Global.
    • Define your internal packages by adding one or more package IDs as Package Masks. Read more about Using Package Masks here.
    • For accounts that are integrated with GitHub or CI/CD build systems, if you prefer to scan only a subset of your repo branches, rather than the contents of all your repos, enter the desired branch names in the Branch Scan Filter.
      • All Branch Scan Filters include main and master by default. Removing the default branches displays the (*) wildcard, and all branches within integrated repositories will be scanned.
      • When adding a branch to the filter, check the Daily Rescan setting if you would like the branch to be automatically scanned every day, regardless of any repo activity such as commits.
      • Using the Daily Rescan ensures that branches with infrequent changes or release branches continue to be scanned for new vulnerabilities and other issues.

    • If you have integrated with GitHub, enabling GitHub Webhooks under GitHub Settings will trigger SOOS to initiate a new scan each time you make a commit.
      • If Webhooks are not enabled, you can scan your GitHub projects using the Quickscan function.
    • GitHub Pull Request configurations allow the user to structure settings necessary for sending pull requests to the SOOS GitHub App for identified vulnerabilities.
    • Under Dependency Settings, you can specify each of the following preferences to apply globally to your scans:
      • Use Lock File - Enable this setting to always ignore non-lock manifests if a lock file is detected.  Read more about using lock files vs non-lock file manifests.
      • Scan Full Dependency Tree - This setting is enabled by default for all new accounts.  Disable this setting to restrict SOOS scans to direct dependencies only.
      • Include Dev/Test Dependencies - Including Dev Dependencies may increase the time each scan takes to complete, in some instances.
    • Within Scan Settings, you have the option to configure SOOS to fail the build based on customized issue severity thresholds for each of the different issue types.
      • Note: For these settings to apply, the waitForScan parameter must be enabled!
    • Finally, under Issue Settings, select the default action to perform when generating a fix.

Project Configurations

Once you've saved your Global settings, you can move on to Project settings. Project-level configuration is only necessary if you want a project to be configured differently; otherwise, all projects follow your Global settings.

  • To adjust configurations at a project level, select the desired option from the Project dropdown.
  • To customize configurations for the selected project, click the globe icon next to the desired setting to allow the global setting to be overridden, then update the setting to reflect the desired behavior for the chosen project.
    • Note: GitHub Webhook settings can only be enabled at the Global level.  This setting will not be shown on the Configure page when a project has been selected.
  • Save the Project-level configurations and repeat for all other projects as desired.
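To make the Global-versus-Project precedence and the Scan Settings build gate concrete, here is an added model of how those rules combine; it is example code written for this page, not SOOS's own implementation. The setting keys, severity names, issue types and project names are assumptions chosen for illustration, and the branch filter follows the wildcard rule described under Branch Scan Filter.

```python
# Severity ordering for the fail-build gate (assumed names; SOOS's own may differ).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed Global configuration. "fail_thresholds" maps an issue type to the
# lowest severity that fails the build; an issue type missing here never fails it.
GLOBAL_SETTINGS = {
    "branch_scan_filter": ["main", "master"],
    "fail_thresholds": {"vulnerability": "high"},
    "wait_for_scan": True,  # the waitForScan parameter from Scan Settings
}

# Constructed Project configurations: only the keys whose globe icon was clicked
# on the Configure page appear here; every other key inherits the Global value.
PROJECT_OVERRIDES = {
    "payments-api": {"fail_thresholds": {"vulnerability": "medium"}},
    "internal-docs": {"wait_for_scan": False},
}


def resolve_settings(project: str) -> dict:
    """Effective settings: Global values, replaced only by explicitly overridden keys."""
    effective = dict(GLOBAL_SETTINGS)
    effective.update(PROJECT_OVERRIDES.get(project, {}))
    return effective


def branch_is_scanned(settings: dict, branch: str) -> bool:
    """An empty filter is shown as the (*) wildcard and means every branch is scanned."""
    branch_filter = settings["branch_scan_filter"]
    return not branch_filter or branch in branch_filter


def should_fail_build(settings: dict, issues: list[dict]) -> bool:
    """Apply per-issue-type severity thresholds; they only count when waitForScan is on."""
    if not settings["wait_for_scan"]:
        return False
    for issue in issues:
        threshold = settings["fail_thresholds"].get(issue["type"])
        if threshold is not None and SEVERITY_RANK[issue["severity"]] >= SEVERITY_RANK[threshold]:
            return True
    return False


# Constructed scan result: one medium vulnerability and one high license issue.
SAMPLE_ISSUES = [
    {"type": "vulnerability", "severity": "medium"},
    {"type": "license", "severity": "high"},
]

if __name__ == "__main__":
    for name in ("payments-api", "internal-docs", "other-service"):
        print(name, should_fail_build(resolve_settings(name), SAMPLE_ISSUES))
```

With the constructed data, only payments-api fails the build: it lowered the vulnerability threshold to medium, while internal-docs turned waitForScan off and other-service inherits the Global high threshold.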