An AWS Lambda that uses your Sonatype Nexus IQ instance to evaluate GitHub Pull Requests and/or GitLab Merge Requests from your repos and adds inline comments suggesting the versions to which your vulnerable open source components should be upgraded.
- Build and upload as AWS Lambda
- Add a webhook to your repo's settings with the following payload URL, where `iq_url` is your IQ server's URL (host and port), `iq_auth` is the IQ user and password, `iq_app` is the IQ application ID, and `token` is the GitHub/GitLab access token used to post the comments. The URL carries those credentials in its query string, so treat it as a secret: use an HTTPS endpoint, remember that anyone who can view the repo's webhook settings can read it, and be aware that query strings may be written to API Gateway or CloudWatch logs if request logging is enabled:
<LAMBDA_API_GATEWAY_ENDPOINT>?iq_url=<IQ_SERVER_PORT>&iq_auth=<IQ_USER>:<IQ_PASS>&iq_app=<IQ_APP>&token=<ACCESS_TOKEN>
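As an added example of the webhook step above (my code, not the Lambda project's own), this POSIX shell script assembles the payload URL from the parameters the README describes, percent-encoding each value so an IQ password containing `&`, `#`, `%` or `+` cannot corrupt the query string, refuses a non-HTTPS endpoint because the URL carries credentials, and registers the hook through the GitHub or GitLab API. The endpoint, repository and token values are placeholders. It assumes the Lambda reads the query string through a normal URL parser (which decodes percent-encoding) and that it is triggered by GitHub `pull_request` events and GitLab merge request events; the README does not state which events the handler expects, so confirm that against the handler before registering.

```shell
#!/bin/sh
# Added example, not part of the Lambda project: build the webhook payload URL
# described in the README and register it. All values below are placeholders.
set -eu

# Percent-encode one query-string value, byte by byte (LC_ALL=C), keeping only
# the RFC 3986 unreserved characters. Embedded newlines are not supported.
urlencode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s", out
    }'
}

# Assemble <endpoint>?iq_url=..&iq_auth=user:pass&iq_app=..&token=.. as in the README.
# The URL carries IQ credentials and a repo access token, so only HTTPS endpoints are accepted.
build_payload_url() {
  endpoint=$1 iq_url=$2 iq_user=$3 iq_pass=$4 iq_app=$5 token=$6
  case $endpoint in
    https://*) ;;
    *) echo "refusing to put credentials in a non-HTTPS payload URL: $endpoint" >&2; return 1 ;;
  esac
  printf '%s?iq_url=%s&iq_auth=%s:%s&iq_app=%s&token=%s\n' \
    "$endpoint" "$(urlencode "$iq_url")" "$(urlencode "$iq_user")" \
    "$(urlencode "$iq_pass")" "$(urlencode "$iq_app")" "$(urlencode "$token")"
}

# Register the hook on a GitHub repo ("owner/name"); needs a token with the admin:repo_hook scope.
# Assumes the Lambda handles pull_request events. Not executed unless you call it.
register_github_hook() {
  repo=$1 payload_url=$2 gh_token=$3
  curl -sS -f -X POST "https://api.github.com/repos/$repo/hooks" \
    -H "Authorization: Bearer $gh_token" \
    -H "Accept: application/vnd.github+json" \
    -d "{\"name\":\"web\",\"active\":true,\"events\":[\"pull_request\"],\"config\":{\"url\":\"$payload_url\",\"content_type\":\"json\"}}"
}

# Register the hook on a GitLab project (numeric ID or URL-encoded "group%2Fproject");
# needs a token with the api scope. Assumes the Lambda handles merge request events.
register_gitlab_hook() {
  project=$1 payload_url=$2 gl_token=$3
  curl -sS -f -X POST "https://gitlab.com/api/v4/projects/$project/hooks" \
    -H "PRIVATE-TOKEN: $gl_token" \
    --data-urlencode "url=$payload_url" \
    --data "merge_requests_events=true" --data "push_events=false"
}

# Usage: sh hook.sh <api-gateway-endpoint> <iq-url> <iq-user> <iq-pass> <iq-app> <access-token>
# prints the assembled payload URL; pass it to register_github_hook or register_gitlab_hook.
if [ "$#" -eq 6 ]; then
  build_payload_url "$@"
fi
```

The `:` between user and password is kept literal, matching the README's `iq_auth=<IQ_USER>:<IQ_PASS>` form, while the user and password parts are each encoded, so a `:` inside the password would be sent as `%3A` and survive parsing.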
Supported package managers:
- go (go modules)
- Java (maven, gradle)
- C# / .net (nuget)
- Javascript / Typescript (npm)
- Ruby (rubygems)
Examples of the inline comments on a pull request and a merge request:
https://github.com/HokieGeek/various-manifests/pull/49/files
https://gitlab.com/HokieGeek/various-manifests/merge_requests/5/diffs
It is worth noting that this is NOT SUPPORTED by Sonatype; it is a contribution from @HokieGeek plus us to the open source community (read: you!).
Remember:
- Use this contribution within your own risk tolerance
- Do NOT file Sonatype support tickets related to this
- DO file issues here on GitHub, so that the community can pitch in