Dependency Scanner is a connector which perform SCA on your code repositories.
In order to perform SCA on all your Github Repositories, you need to configure your Github credentials first. More about how to setup your Github credentials here. Once you have configured your credentials, the following are the steps that need to be followed:
- Navigate to 'Dependency Scanner' under 'Static Security Scanners' in the connectors page.
- Click on 'Add Workflow'.
- In the first step, you will be prompted to enter your 'Configuration Name' and select the 'Baseline' to log your vulnerabilities. If you select the baseline as 'Strict' then vulnerabilities of all severities will be logged and if you select the baseline as 'High' then vulnerabilities of only 'Critical' and 'High' severities will be logged.
NOTE: You cannot provide the same configuration name more than once.
- In the second step, select the 'Version Control System' option as 'Github'.
- Select your Github Credential.
- Now choose the repositories for which you want to setup Dependency Scanner configuration.
NOTE: By default all the repositories will be selected.
- Select the agent as 'Strobes Default Agent'.
- Select whether you want to enable 'Smart Close' vulnerabilities or not. More about smart close here.
- Select the frequency at which you want to run the Dependency Scanner scan on your repositories.
- In the third step you can choose any Tracking & Notification tool configurations if needed and click on Submit.
- A configuration has now been created for you.
- Click on 'New Scan' to perform an SCA on your repositories. When you click on 'New Scan' you will be prompted to enter the 'Branch' name. If you do not provide any branch name, then the scans will be run on the default branch.