IBM announced the availability of Code Risk Analyzer in your IBM Cloud Continuous Delivery service, a function for provide developers DevSecOps security and compliance analysis.
Code Risk Analyzer can be configured to run on startup from a developer's code pipeline and examines and parses the Git repositories looking for trouble known to any open source code that needs to be managed.
Helps provide toolchains, automate builds and tests, and allows users to control the quality of the software with analytics, according to the company.
The goal of the code analyzer is to allow application teams identify cybersecurity threats, prioritize security issues that can affect applications, and resolve security issues.
IBM's Steven Weaver said in a post:
“Reducing the risk of embedding vulnerabilities in your code is critical to successful development. As native open source, container, and cloud technologies become more common and important, moving monitoring and testing earlier in the development cycle can save time and money.
“Today, IBM is pleased to announce Code Risk Analyzer, a new feature of IBM Cloud Continuous Delivery. Developed in conjunction with IBM Research projects and customer feedback, Code Risk Analyzer enables developers like you to quickly assess and correct any legal and security risks that have potentially infiltrated your source code and provide feedback directly into your code. fountain. Git artifacts (for example, pull / merge requests). Code Risk Analyzer is provided as a set of Tekton tasks, which can be easily incorporated into your delivery channels. ”
Code Risk Analyzer provides the following functionality to scan source repositories based on IBM Cloud Continuous Delivery Git and Issue Tracking (GitHub) looking for known vulnerabilities.
Capabilities include discovering vulnerabilities in your application (Python, Node.js, Java) and the operating system stack (base image) based on Snyk's rich threat intelligence. and Clear, and provides remediation recommendations.
IBM has partnered with Snyk to integrate its coverage Comprehensive security software to help you automatically find, prioritize, and fix vulnerabilities in open source containers and dependencies early in your workflow.
The Snyk Intel Vulnerability Database is continually curated by an experienced Snyk security research team to enable teams to be optimally effective in containing open source security issues, while remaining focused on development.
Clair is an open source project for static analysis vulnerabilities in application containers. Because you scan images using static analysis, you can analyze images without having to run your container.
Code Risk Analyzer can detect configuration errors in your Kubernetes deployment files based on industry standards and community best practices.
Code Risk Analyzer generates a nomenclature (BoM) A representing all dependencies and their sources for applications. Also, the BoM-Diff function allows you to compare the differences in any dependencies with the base branches in the source code.
While previous solutions focused on running at the beginning of a developer's code pipeline, they have proven to be ineffective because container images have been shortened to where they contain the minimum payload required to run an application and the images have no the development context of an application.
For application artifacts, Code Risk Analyzer aims to provide vulnerability, license, and CIS checks on deployment configurations, generate BOMs, and perform security checks.
Terraform files (* .tf) used to provision or configure cloud services such as Cloud Object Store and LogDNA are also analyzed to identify security configuration errors.
Source: https://www.ibm.com