Comprehensive Guide to Lifecycle Scanning


Welcome! We are moving the content of this guide to the Analysis section of the help docs. You will find the most up-to-date information there. We are always looking for feedback on best practices for scanning. Let us know on the community.

IQ Server Integrations

There are several methods for integrating Nexus IQ Server into your software development lifecycle. For further information on any of these topics, please see our IQ Server for Developers guide.

Command Line Interface

The most unobtrusive, and non-tool specific, approach is to use the command line version of the Application Evaluation Tool – commonly referred to as the Nexus IQ CLI. Any application can be evaluated against your policies simply by using the CLI. This includes adding a build step in your CI server and processing a simple shell script during the building of your application.

For more information on the CLI, please see our help topics on the Nexus IQ CLI.

Continuous Integration Plugins

Nexus IQ Server analyzes components used in your software development for security and license characteristics. When integrated with a continuous integration server, this becomes a dynamic analysis performed on a regular basis—occurring potentially with each build running on the server.

Maven Plugin

Our Maven plugin lets you evaluate any Maven-based software project. The plugin can run on a command line interface and can therefore be executed on any continuous integration server, as well as a number of popular IDEs.

For more information, see our IQ for Maven help topic.

Jenkins

The Nexus Platform Plugin for Jenkins integrates via Jenkins Pipeline or Project steps with Sonatype Nexus IQ Server. You can use the plugin to perform an IQ Server policy evaluation against files in a Jenkins workspace.

For more information, see our Jenkins Platform Plugin help topic.

Azure DevOps

The Nexus IQ Extension for Azure DevOps places open source governance policies within the CI phase. As a new step within your build, applications are scanned by Nexus IQ to identify any open source security, license, or quality policy violations. When the scan is complete, results are displayed within Azure DevOps with a link to the Nexus Lifecycle policy report that contains violation details and expert remediation guidance.

For more information, please see our Nexus IQ for Azure DevOps help topic.

GitLab CI

The GitLab Nexus IQ Docker image provides the ability to run Nexus policy evaluation against build artifacts in GitLab and produce a summary report with policy violation counts and a link to a detailed report on the IQ server. In addition, Nexus IQ for GitLab can assist with remediation of identified vulnerabilities using the IQ for Source Control Management features.

For more information, please see our Nexus IQ for GitLab CI help topic.

Bamboo

The Bamboo plugin lets you evaluate applications with the IQ Server and provides a summary of the results on the Job Summary page. In addition to counts for each of these categories, a status for the success of the evaluation is provided, as well as a link to the summary report located on your IQ Server.

For more information, see our Nexus IQ for Bamboo help topic.

Nexus Repository Manager

The integration between Nexus Repository Manager and IQ Server provides access to detailed Repository Results identifying components that represent potential risk to the components and applications your teams are developing.

IQ for Nexus Repository Manager allows you to integrate IQ Server’s policy management and component intelligence features with proxy repositories in Nexus Repository Manager Pro. By proxying external repositories, as well as providing a deployment target for internal components, a repository manager becomes the central and authoritative storage platform for all components. This allows you to control which components get into your products from external sources as well as examine, and keep track of, artifacts produced by your build systems.

For more information, please see our IQ Server and Repository Management help topic.

IDEs & Dev Tools

Nexus IQ Server integrations for Integrated Development Environments (IDEs) provide development teams with direct access to Sonatype’s comprehensive component intelligence. Developers can quickly vet components used in an application against their organization’s open source policies, greatly reducing time wasted with complicated and exhaustive research.

Eclipse

The Sonatype Eclipse plugin lets you analyze components used by your software development project and take action to resolve any issues you discover. For more information, please see our Eclipse help documentation.

IDEA

IQ for IDEA provides component analysis for both the Community and Ultimate edition of IntelliJ IDEA. For more information, go to our IDEA help topic.

Visual Studio

IQ for Visual Studio provides component analysis for the Community, Professional and Enterprise versions of Visual Studio. The plugin can be installed from within Visual Studio using the Extensions manager or via the Microsoft Visual Studio Marketplace. For more information, see our Visual Studio help topic.

VS Code

The Sonatype Community has built a VS Code extension that allows you to surface and remediate issues in your project’s dependencies within your development environment. The extension allows you to view violations across multiple ecosystems. Find the project on GitHub or the Visual Studio Marketplace for details.

Community Tools & Applications

OSS Index is an open source community service that aggregates security data from trusted sources like the Common Vulnerabilities and Exposures (CVE) list.

OSS Index provides comprehensive ecosystem support, and makes it easy to get started incorporating security data into your favorite toolchain and workflow thanks to a growing list of community integrations. The following open source scanning tools are officially supported by Sonatype, and can be used with or without a Lifecycle license:

  • Nancy scans Golang projects for vulnerable third-party dependencies.
  • Chelsea is a CLI application that scans RubyGem projects for vulnerable third-party dependencies.
  • Jake scans Python and Conda environments for vulnerable third-party dependencies.
  • AuditJS scans JavaScript projects for vulnerable third-party dependencies.
  • The Nexus IQ Chrome Extension lets you inspect a package before you download it. The plugin requires a valid Sonatype Nexus Lifecycle license. Once installed, it can scan packages from multiple repositories.

Running Scans

Visit the analysis page for each ecosystem for up-to-date information on the language or format:

  • Java
  • .NET
  • JavaScript
  • Python
  • Go
  • Ruby
  • YUM
  • PHP
  • C / C++
  • Rust
  • Swift/Objective-C
  • R (CRAN)
  • Android
  • Clair
  • CycloneDX

Talk to Us

Have more questions or comments? Learn more at help.sonatype.com, join us in the Sonatype Community, and view our course catalog at learn.sonatype.com.

And visit my.sonatype.com for all things Sonatype.