We are using Debricked as a stage in our Azure DevOps Pipeline.
We have been forced to actually disable its capacity to fail the pipeline as it does that too much.
What we really want is for it to fail if and only if
a CVE is found of a certain level
AND there does exist a remedy for it that we can fix.
Stopping on a CVE that has no fix makes no sense, imho.
Do not break on a found CVE lacking a remedy
- We have set an Automation where we say: "If CVSS is at least High then flag as vulnerable".
- From the Repositories view we click on a specific repo and then in there we filter it by review status = Vulnerable.
- Then we need to go one by one through each vulnerability to check if there is a fix version available. If not, we select “Pause until a fix is available” under “Pause rule triggering” in the Action section. Then, in the opening dialog, we choose an appropriate max pause time in the dropdown. Click “Save” to confirm your selection and pause automation rules for the vulnerability.
Hope this helps. I think it is a great idea if this process could be more automated. Maybe you can submit an Idea?
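The rule the reply describes (flag anything at CVSS High or above, then pause the findings that have no fix so only fixable ones stop the build) can be expressed as one pipeline gate. The script below is an added example written for this thread, not Debricked's own code or API: the report format is a constructed generic shape with `cvss` and `fixed_version` fields, the CVE identifiers are placeholders, and a real scanner export would need a small adapter into `Finding`.

```python
"""Gate a CI stage on scanner findings: fail only when a finding is at or
above a CVSS threshold AND a fixed version exists.

Added example, not Debricked's code or API. The report shape below (one dict
per finding with cvss and fixed_version keys) is a constructed, generic format.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# CVSS v3 qualitative bands: High starts at 7.0 (Critical at 9.0).
HIGH_THRESHOLD = 7.0


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str
    cvss: float
    fixed_version: Optional[str]  # None when no fixed release exists yet


def parse_findings(raw: Iterable[dict]) -> list[Finding]:
    """Convert raw report rows into Finding objects.

    An empty string or missing key for fixed_version is treated as 'no fix',
    which is the case the thread wants to pause on rather than fail on.
    """
    findings = []
    for row in raw:
        fixed = row.get("fixed_version") or None
        findings.append(Finding(
            cve=row["cve"],
            package=row["package"],
            installed=row["installed"],
            cvss=float(row["cvss"]),
            fixed_version=fixed,
        ))
    return findings


def should_block(f: Finding, threshold: float = HIGH_THRESHOLD) -> bool:
    """The gate condition: severe enough AND actionable (a fix is available)."""
    return f.cvss >= threshold and f.fixed_version is not None


def triage(findings: Iterable[Finding], threshold: float = HIGH_THRESHOLD):
    """Split findings into three buckets:
    blocking  - at/above threshold with a fix: fail the pipeline
    paused    - at/above threshold, no fix: report but do not fail
                (the manual "pause until a fix is available" step)
    below     - under the threshold: informational only
    """
    blocking, paused, below = [], [], []
    for f in findings:
        if f.cvss < threshold:
            below.append(f)
        elif should_block(f, threshold):
            blocking.append(f)
        else:
            paused.append(f)
    return blocking, paused, below


def gate(raw: Iterable[dict], threshold: float = HIGH_THRESHOLD) -> int:
    """Return the exit code a pipeline step would use: 1 to fail, 0 to pass."""
    blocking, paused, _ = triage(parse_findings(raw), threshold)
    for f in blocking:
        print(f"FAIL  {f.cve} {f.package} {f.installed} -> upgrade to "
              f"{f.fixed_version} (CVSS {f.cvss})")
    for f in paused:
        print(f"PAUSE {f.cve} {f.package} {f.installed}: no fix released yet "
              f"(CVSS {f.cvss})")
    return 1 if blocking else 0


# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = [
    {"cve": "CVE-0000-0001", "package": "libexample", "installed": "1.2.0",
     "cvss": 9.8, "fixed_version": "1.2.1"},
    {"cve": "CVE-0000-0002", "package": "otherlib", "installed": "3.0.0",
     "cvss": 8.1, "fixed_version": None},
    {"cve": "CVE-0000-0003", "package": "smalllib", "installed": "0.9.0",
     "cvss": 5.3, "fixed_version": "0.9.2"},
    {"cve": "CVE-0000-0004", "package": "legacylib", "installed": "2.0.0",
     "cvss": 7.0, "fixed_version": ""},
]

if __name__ == "__main__":
    import sys
    sys.exit(gate(SAMPLE_REPORT))
```

Run as the last step of the scan stage, the non-zero exit code fails the job only for the `FAIL` lines; the `PAUSE` lines still appear in the log so the unfixable findings are visible without blocking the build, which is the behaviour the original post asks for.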
Ok, thanks for the input. It seems a tad too manual for us, and I really hope we can get an “upvote” for this feature; I really think everyone would benefit from it.
Thanks again for the great advice!
Gerry
Cheers!