isabella232 / iq-scm-audit

This project forked from sonatype-nexus-community/iq-scm-audit

Tool to configure and audit Nexus IQ applications from GitHub repositories

License: Other

Go 100.00%

IQ SCM Audit

Overview

This tool takes a GitHub GraphQL repository search query, fetches the matching source code repositories, and for each repository:

  • Create an IQ Application
  • Configure IQ Application against source control
  • Scan the dependencies GitHub reports (from the repository's Dependency Graph) against the IQ Application using the Nexus IQ third-party data API
  • Download and evaluate policy against latest GitHub release assets
  • Download and evaluate policy against latest GitHub Packages assets
  • Create GitHub Issue in repository with results and hints on how to configure CI tools

Setup

GitHub Token

The tool requires a GitHub Personal Access Token to read the repositories, their dependency graphs and package assets, and to open issues. A classic token needs the repo scope and the read:packages scope. Because repo grants write access to every repository the token's owner can reach, keep the token's reach small (a dedicated account, an expiry no longer than the audit needs) and treat it as a secret: pass it in the GITHUB_TOKEN environment variable rather than on the -gitHubToken flag, since command-line arguments are visible in the process list and in shell history. The same applies to the Nexus IQ password and IQ_PASSWORD.
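
A pre-flight check for the token, added here as an example and not part of iq-scm-audit: GitHub answers requests made with a classic personal access token with an X-OAuth-Scopes response header listing the token's scopes, so the scopes can be verified before a single repository is touched. The scope parsing runs offline on a constructed header value; checkToken makes one live request to https://api.github.com/ and, if the header is absent (the token is not a classic one), says so instead of guessing.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
)

// requiredScopes are the classic-token scopes the README lists for the tool.
var requiredScopes = []string{"repo", "read:packages"}

// parseScopes turns the value of GitHub's X-OAuth-Scopes response header
// (for example "repo, read:packages, workflow") into a set of scope names.
func parseScopes(header string) map[string]bool {
	granted := map[string]bool{}
	for _, s := range strings.Split(header, ",") {
		if s = strings.TrimSpace(s); s != "" {
			granted[s] = true
		}
	}
	return granted
}

// missingScopes returns the required scopes the header does not grant, in the
// order of required. Matching is exact: public_repo does not satisfy repo.
func missingScopes(header string, required []string) []string {
	granted := parseScopes(header)
	var missing []string
	for _, r := range required {
		if !granted[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

// checkToken asks the GitHub REST root for the token's scopes. GitHub sends
// X-OAuth-Scopes for classic personal access tokens; when the header is absent
// the permissions have to be checked on the token's settings page instead.
func checkToken(token string) ([]string, error) {
	req, err := http.NewRequest(http.MethodGet, "https://api.github.com/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "token "+token) // header only, never the URL
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("github rejected the token: %s", resp.Status)
	}
	header := resp.Header.Get("X-OAuth-Scopes")
	if header == "" {
		return nil, fmt.Errorf("no X-OAuth-Scopes header: not a classic token, check its permissions manually")
	}
	return missingScopes(header, requiredScopes), nil
}

func main() {
	// The token comes from the same environment variable the tool accepts; it is
	// never taken from argv, which other users can read from the process list.
	token := os.Getenv("GITHUB_TOKEN")
	if token == "" {
		fmt.Fprintln(os.Stderr, "set GITHUB_TOKEN first")
		os.Exit(2)
	}
	missing, err := checkToken(token)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(missing) > 0 {
		fmt.Fprintf(os.Stderr, "token lacks scopes: %s\n", strings.Join(missing, ", "))
		os.Exit(1)
	}
	fmt.Println("token has every scope iq-scm-audit needs")
}
```

Run it as `GITHUB_TOKEN=... go run .` before the audit; a non-zero exit means the token would fail part way through, typically at issue creation (repo) or package download (read:packages).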

Nexus IQ CLI

The tool requires nexus-iq-cli-1.78.0-02.jar at ./iq/nexus-iq-cli-1.78.0-02.jar, relative to the tool binary. Any of the following puts it there:

  • clone this repository and build the binary, or
  • unpack the release archive in the root of the cloned repository, or
  • download the jar and copy it into an iq directory next to the binary.

Best Results

IQ SCM Audit works best when:

  • The GitHub repositories' Dependency Graphs are enabled.
  • The GitHub repositories have at least one Release or Package with evaluatable assets.
  • A Java runtime (JVM) is installed, because policy evaluation runs the Nexus IQ CLI. Without a JVM, pass -skipIQEvaluations; a GitHub Release or Package is then not needed.

Usage

Usage:
iq-scm-audit [options]
  -gitHubQuery string
    	Query String for GitHub graphql repository search (GITHUB_QUERY)
  -gitHubToken string
    	GitHub Token (GITHUB_TOKEN)
  -iqOrganization string
    	Organization to create new applications (IQ_ORGANIZATION)
  -iqPassword string
    	Nexus IQ Password (IQ_PASSWORD)
  -iqServerUrl string
    	Nexus IQ Server Url (IQ_SERVER_URL)
  -iqUsername string
    	Nexus IQ Username (IQ_USERNAME)
  -iqcontact string
    	Email of person to contact for access to Nexus IQ (IQ_CONTACT)
  -skipExistingApplications
    	Skip Audit and Evaluation against existing applications
  -skipIQEvaluations
    	Skip IQ Evaluations against latest Release or Package assets
  -skipIssueCreation
    	Skip GitHub Issue Creation

Example Queries

Queries can be formed to search for organizations:

org:whyjustin

or particular repositories:

whyjustin/spring-hello-webmvc
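
To make the first step of the overview concrete, here is an added Go example (not code from iq-scm-audit) of how a GitHub GraphQL repository search such as org:whyjustin is issued and paged: the search string goes in as a GraphQL variable, and the client follows pageInfo.endCursor until hasNextPage is false. The query text and the two-page response are assumptions constructed for the example, since the page does not show the query the tool sends; samplePoster answers from those constructed pages so the example runs offline, and the second repository name in them is made up.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed query shape (the page does not show the tool's own): $q is the search string, $after the cursor.
const searchQuery = `query($q: String!, $after: String) {
  search(type: REPOSITORY, query: $q, first: 100, after: $after) {
    pageInfo { hasNextPage endCursor }
    nodes { ... on Repository { nameWithOwner } }
  }
}`

// Constructed two-page result keyed by the cursor the client sends ("" is the
// first page); not captured from GitHub, and the second name is made up.
var samplePages = map[string]string{
	"": `{"data":{"search":{"pageInfo":{"hasNextPage":true,"endCursor":"Y3Vyc29yOjE="},
	      "nodes":[{"nameWithOwner":"whyjustin/spring-hello-webmvc"}]}}}`,
	"Y3Vyc29yOjE=": `{"data":{"search":{"pageInfo":{"hasNextPage":false,"endCursor":"Y3Vyc29yOjI="},
	      "nodes":[{"nameWithOwner":"whyjustin/example-repo"}]}}}`,
}

// samplePoster stands in for a POST to https://api.github.com/graphql: it reads
// the "after" variable back out of the request body and serves that page.
func samplePoster(body []byte) ([]byte, error) {
	var req struct{ Variables map[string]string `json:"variables"` }
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	return []byte(samplePages[req.Variables["after"]]), nil
}

type Repo struct{ NameWithOwner string `json:"nameWithOwner"` }

type searchResponse struct {
	Data struct {
		Search struct {
			PageInfo struct {
				HasNextPage bool   `json:"hasNextPage"`
				EndCursor   string `json:"endCursor"`
			} `json:"pageInfo"`
			Nodes []Repo `json:"nodes"`
		} `json:"search"`
	} `json:"data"`
	Errors []struct{ Message string `json:"message"` } `json:"errors"`
}

// buildRequestBody sends the search string as a GraphQL variable, never spliced
// into the query text, so it cannot alter the query document.
func buildRequestBody(q, after string) []byte {
	vars := map[string]string{"q": q}
	if after != "" {
		vars["after"] = after
	}
	body, _ := json.Marshal(map[string]interface{}{"query": searchQuery, "variables": vars}) // cannot fail for string maps
	return body
}

// parsePage returns the page's repositories and the next cursor ("" on the last
// page). GraphQL errors arrive with HTTP 200, so they become a Go error here.
func parsePage(body []byte) ([]Repo, string, error) {
	var r searchResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, "", err
	}
	if len(r.Errors) > 0 {
		return nil, "", fmt.Errorf("graphql: %s", r.Errors[0].Message)
	}
	s := r.Data.Search
	if !s.PageInfo.HasNextPage {
		return s.Nodes, "", nil
	}
	return s.Nodes, s.PageInfo.EndCursor, nil
}

// searchRepos follows endCursor until hasNextPage is false. post sends one body
// and returns the raw response; a live one POSTs to GitHub with the token in the
// Authorization header only, never in the URL.
func searchRepos(post func([]byte) ([]byte, error), q string) ([]Repo, error) {
	var all []Repo
	for after := ""; ; {
		page, err := post(buildRequestBody(q, after))
		if err != nil {
			return nil, err
		}
		repos, next, err := parsePage(page)
		if err != nil {
			return nil, err
		}
		all = append(all, repos...)
		if next == "" {
			return all, nil
		}
		after = next
	}
}

func main() { fmt.Println(searchRepos(samplePoster, "org:whyjustin")) }
```

To run it against GitHub, replace samplePoster with a function that POSTs the body to https://api.github.com/graphql with an Authorization: bearer header carrying the token and returns the response body. Note that GraphQL reports a bad query or bad credentials with HTTP 200 and an errors array; parsePage turns that into an error rather than an empty repository list, which would otherwise make an audit silently cover nothing.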

Contributors

whyjustin
