How do I use Start Left Policies?

  • 17 January 2023
  • 0 replies
  • 153 views

Keep in mind that the Start Left feature is only available for enterprise users. 

 

You can use your automation policies to evaluate new packages in Open Source Select. If you are looking for a new package in Select, you can check whether or not it will trigger an automation rule using Start Left Policies. 

 

How do I evaluate license issues using Start Left Policies? An example:

  1. Create an automation rule to evaluate the licenses family, e.g. “If there is a dependency which is licensed under a strong copyleft license then fail pipeline”
  2. Go to Open Source Select and search for a desired package
  3. After searching for the `node-forge` package, you can see that the pipeline would fail if this package is included, as it is licensed under `GLP-2.0-only` which belongs to the "strong copyleft" licenses family.

cjcm_nzgq5SInRPH8ea58p_8lyoHuMyZVY2Rqs3GoqyB9NlqdHEsAfeTgqNkpulDCeL4yORVBmOnoDwO_QAtrPtziyy7G5t9IIc-_gY0U4QZghz34x1vyZKqN8XC3Zt37dQxjU6dNPC77p0n-SSFedTRYN-IC3oOsA3_IF8TyRVUlEA8umvP_NcpGvWt



 

How do I evaluate security risk packages using Start Left Policies? An example:

  1. Create an automation rule to evaluate the check the CVSS, e.g. “If a dependency contains a vulnerability which has not been marked as unaffected where CVSS is at least medium (4.0-6.9)”
  2. Go to Open Source Select and search for a desired package
  3. After searching for the `angularjs` package, you can see that our pipeline would trigger a warning if we included this package, due to CVE-2017-16009

LKMveHWb9Ft67zmDwNvgdTt2YuxQt43sbDCCqxyzeRlG5Bl9gPZjTYCByMJEtkJprVxf7asKflDJlv--ohiWO8vGcBZ1ezrL7UwtEheTHjiPKccgKQbLTGbgktxTqB8WfXJJkXUEkZKzmXgA5MkYhlO8MfkmVYedxMzhP-pmokSLZQ9nbJT-WgZnUozT



Choosing open source components with Debricked's Open Source Select & Start Left - video guide

 


0 replies

Be the first to reply!

Reply