Configuring SOOS is quick and easy, and can be done at either the global or project level.

In order to configure your SOOS application, select Configure from the left navigation.

Global Configurations

  • On the Configure page, you'll first want to set your Global Settings; Ensure the Project dropdown is set to Global. 
Define Your Packages

Define your internal packages by adding one or more package IDs as Package Masks. Read more about Using Package Masks here.

Branch Scan Filters

For accounts that are integrated with GitHub or CI/CD build systems, if you prefer to scan only a subset of your repo branches, rather than the contents of all your repos, enter the desired branch names in the Branch Scan Filter.

  • All Branch Scan Filters will include main and master by default.  Removing the default branches will display the (*) wildcard and results in all branches within integrated repositories will be scanned.
  • When adding a branch to the filter, check the Daily Rescan setting if you would like the branch to be automatically scanned every day, regardless of any repo activity such as commits.
    • Using the Daily Rescan ensures that branches with infrequent changes or release branches continue to be scanned for new vulnerabilities and other issues.
  • The Retention Period selection allows users to schedule the automatic removal of inactive, unneeded branches.  The length of time indicated represents how much time has passed since the last scan was initiated.  Note: If there are no branches left in a project, the project will also be deleted.
GitHub Settings
    • If you have integrated with GitHub, enabling GitHub Webhooks under GitHub Settings will trigger SOOS to initiate a new scan each time you make a commit.  
      • If Webhooks are not enabled you can scan your GitHub projects using the QuickScan function.
    • Indicate a custom Build Version File Name to tag your scan with a version using anything other than the default soos_version.txt file. 
GitHub Pull Requests 
  • GitHub Pull Request configurations allow the user to structure settings necessary for sending pull requests to the SOOS GitHub App for identified vulnerabilities.
Dependency Settings

Under Dependency Settings, you can specify each of the following preferences to apply globally to your scans:

  • Use Lock File - Enable this setting to always ignore non-lock manifests if a lock file is detected.  Read more about using lock files vs non-lock file manifests.
  • Scan Full Dependency Tree - This setting is enabled by default for all new accounts.  Disable this setting to restrict SOOS scans to direct dependencies only.
  • Include Dev/Test Dependencies - Including Dev Dependencies may increase the time each scan takes to complete, in some instances.
  • SBOM Dependency Source (SBOM Manager license only) - Controls dependency parsing and dependency tree resolution.
Scan Settings
  • Within Scan Settings, you have the option to configure SOOS to fail the build based on customized issue severity thresholds for each of the different issue types.
    • Note: For these settings to apply, the waitForScan parameter must be enabled!
      Scan settings to break the build on configure page
  • Manage vulnerability compliance to your internal SLA thresholds by setting the number of days your dev team has to fix vulnerabilities of each severity. 
  • If desired, set scans to fail if vulnerabilities are out of compliance of SLA thresholds.
Code Settings

SAST Connector license only

  • Select the severity threshold for SAST issues that will be imported during SAST file scans.
Issue Management Configuration
Global Issue Suppressions

This is where you will find a list of all issues that have been suppressed across all branches of all projects.  To cancel the global suppression, select the "X" to delete it.

Global issue suppression list on configure page

Project Configurations

Once you've saved your Global settings, you can move on to Project settings.  Project level configuration is only necessary if you want a project to be configured differently, otherwise, all projects will follow your Global settings.

  • To adjust configurations at a project level, select the desired option from the Project dropdown.
    Project dropdown on configure page
  • To  customize configurations for the selected project, click the globe icon next to the desired setting to allow the global setting to be overridden, then update the setting to reflect the desired behavior for the chosen project.
    • Note: GitHub Webhook settings can only be enabled at the Global level.  This setting will not be shown on the Configure page when a project has been selected.
      Project configuration override
  • Save the Project-level configurations and repeat for all other projects as desired.