Managing multiple projects in one repository

  • 14 April 2023
  • 1 reply

As far as I can tell, projects and repositories are used pretty much interchangeably throughout most of the documentation. We develop a .NET micro services SaaS application and for simplicity’s sake, we have one repository for all of our backend services (projects are located in a sub path .\solution of the repo and referring scripts in a sub path .\build_scripts of the repo during CI).

Is there a way in Debricked to properly manage multiple projects within a single repository that I haven’t discovered yet? Scanning the repository finds all the dependencies and vulnerabilities of all projects, however exporting an SBOM for said repository results in an empty file (except for basic structure) and the “Overview” shows 0 vulnerabilities even though there are several.


Best answer by Benedita 17 April 2023, 10:25

View original

1 reply

Userlevel 4

Hi @fgraf-ecocoach, that is a great question. We are aware we do not have a straightforward solution for this problem and we do have an opportunity for improvement here :). Nonetheless, our recommendation to work for the scenario described above is something along the lines of:

  1. Identify what directory the project lives in. For example, it could be "backend-1/"
  2. Make sure to install Debricked CLI in the CI,
  3. Identify condition as to when a Debricked scan should be made, perhaps only when "backend-1/" has changes. When the condition is fulfilled, run Debricked CLI debricked scan -t <token> backend-1/.
  4. If 3. gives you errors, you probably are not using one of our officially supported integrations. Hence you have to specify some flags yourself to get the scan to work. -a, -b, -c, -i,  -r, -u to be specific.
-a, --author string commit author
-b, --branch string branch name
-c, --commit string commit hash
-e, --exclusion stringArray The following terms are supported to exclude paths:
Special Terms | Meaning
------------- | -------
"*" | matches any sequence of non-Separator characters
"/**/" | matches zero or multiple directories
"?" | matches any single non-Separator character
"[class]" | matches any single non-Separator character against a class of characters ([see "character classes"])
"{alt1,...}" | matches a sequence of characters if one of the comma-separated alternatives matches

$ debricked scan . -e "*/**.lock" -e "**/node_modules/**" (default [**/node_modules/**,**/vendor/**,**/.git/**])
-h, --help help for scan
-i, --integration string name of integration used to trigger scan. For example "GitHub Actions" (default "CLI")
-p, --pass-on-timeout pass scan if there is a service access timeout
-r, --repository string repository name
-u, --repository-url string repository URL



Please note that if another project is to be added in the same repository, all 4 steps will need to be revisited again.

 Let me know if this helps and/or if you have any follow up questions.