Post-Build Scan

Summary

Arnica provides real-time scanning capabilities, which fit the vast majority of use cases. However, certain software delivery environments have complex processes that may involve pulling internal packages/code from other repositories or building packages from source. To address this challenge, Arnica supports third-party package scanning via API, directly from software delivery automation, such as Build/CI/CD pipelines.

Configuring Post-Build Scan Policy

Policy configuration controls the status returned to the automation script (which is what determines whether the scan passes or fails) and creates or updates findings on the code risks page.

  1. Create a policy with the trigger "Code risk detected during an API initiated SBOM scan".

  2. Configure the conditions of each policy to match only the risks for which you would like to require a review. This can include restrictions on specific severity levels or any other condition available within Arnica. Example: Critical findings only + all SCA risks that can be resolved with version updates to the direct dependency.

  3. Action configurations are optional, such as creating an issue or sending an instant message.

Configuring Build/CI/CD pipelines

The Build/CI/CD pipeline needs to construct an SBOM that will be sent to the Start SBOM Scan API and then poll the Get SBOM Scan Status API until the scan is completed.

An SBOM can be generated by running cdxgen on the folder containing the built artifact. Arnica supports SBOMs created with cdxgen 11.x.

Authentication and authorization are required to call the API. Generate an access key in the Admin API page with the scopes sbom-api:read and sbom-api:write and set it as an environment variable in your pipeline.

To have the most accurate view of your code risks, configure the post-build scan for the following events:

  1. When a pull request is created or synced (more code is pushed to the source branch after the pull request is opened), so that gates can be visible or enforced prior to merge.

  2. When code is merged to your SLA branch (in most cases, this is the default branch), so that findings can be updated as "in production" on the code risks page.
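The pipeline step described above, written out as an added example rather than Arnica's own script or client: it runs cdxgen on the artifact folder, submits the SBOM with the access key read from an environment variable, polls the status endpoint until the scan reaches a terminal state (with a hard timeout so a stuck scan cannot hang the job), and maps the outcome to an exit code the pipeline can gate on. The endpoint paths (`/sbom/scans`), header names, JSON field names (`scanId`, `status`, `result`) and the status vocabulary are placeholders assumed for illustration and must be replaced with the values from Arnica's API reference; `ARNICA_ACCESS_KEY` and `ARNICA_API_BASE` are assumed variable names.

```python
"""Post-build scan step: build a CycloneDX SBOM with cdxgen, submit it to the
Start SBOM Scan API, poll the Get SBOM Scan Status API, and turn the result
into a pass/fail exit code for the pipeline.

ASSUMPTIONS: endpoint paths, header names, JSON field names and status values
below are placeholders, not documented on the page; substitute the real ones.
"""
import json
import os
import subprocess
import sys
import time
import urllib.request
from typing import Callable, Dict, Any

# Assumed placeholders.
ARNICA_API_BASE = os.environ.get("ARNICA_API_BASE", "https://api.arnica.example/placeholder")
ACCESS_KEY_ENV = "ARNICA_ACCESS_KEY"            # pipeline secret holding the Admin API access key
TERMINAL_STATES = {"completed", "failed", "error"}  # assumed status vocabulary


def build_sbom(artifact_dir: str, output_path: str = "sbom.cdx.json") -> str:
    """Run cdxgen on the built artifact folder and return the SBOM file path."""
    subprocess.run(["cdxgen", "-o", output_path, artifact_dir], check=True)
    return output_path


def _request(method: str, url: str, body: bytes = None) -> Dict[str, Any]:
    """Authenticated JSON request; fails loudly if the access key is not set."""
    key = os.environ[ACCESS_KEY_ENV]
    req = urllib.request.Request(
        url, method=method, data=body,
        headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def start_scan(sbom_path: str) -> str:
    """POST the SBOM to the (assumed) Start SBOM Scan endpoint and return the scan id."""
    with open(sbom_path, "rb") as f:
        doc = _request("POST", f"{ARNICA_API_BASE}/sbom/scans", f.read())
    return doc["scanId"]


def get_scan_status(scan_id: str) -> Dict[str, Any]:
    """GET the (assumed) Get SBOM Scan Status endpoint for one scan."""
    return _request("GET", f"{ARNICA_API_BASE}/sbom/scans/{scan_id}")


def poll_until_complete(
    fetch_status: Callable[[str], Dict[str, Any]],
    scan_id: str,
    interval_s: float = 10.0,
    timeout_s: float = 900.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> Dict[str, Any]:
    """Poll until the scan reaches a terminal state; raise TimeoutError otherwise.

    fetch_status, sleep and clock are injectable so the loop can be exercised
    without network access.
    """
    deadline = clock() + timeout_s
    while True:
        doc = fetch_status(scan_id)
        if doc.get("status") in TERMINAL_STATES:
            return doc
        if clock() >= deadline:
            raise TimeoutError(f"scan {scan_id} did not finish within {timeout_s}s")
        sleep(interval_s)


def gate_exit_code(doc: Dict[str, Any]) -> int:
    """Map the final status document to an exit code: 0 pass, 1 policy violation,
    2 scan did not complete. Anything other than an explicit pass fails closed."""
    if doc.get("status") != "completed":
        return 2
    return 0 if doc.get("result") == "pass" else 1


def main(artifact_dir: str) -> int:
    sbom = build_sbom(artifact_dir)
    scan_id = start_scan(sbom)
    final = poll_until_complete(get_scan_status, scan_id)
    print(json.dumps(final, indent=2))
    return gate_exit_code(final)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it as a pipeline step after the build (`python post_build_scan.py ./dist`) with the access key exported as the assumed `ARNICA_ACCESS_KEY` secret; a non-zero exit code fails the job, which is what makes the gate enforceable on pull requests rather than merely visible. The polling loop treats an unknown or missing result as a failure so that a malformed response cannot be mistaken for a clean scan.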

Customers using GitHub Actions can use Arnica's Dependency Scan GitHub Action instead, without needing to generate an SBOM or make the API calls described above.
