Developers Gain Contextual Feedback with Automated Pull Request Commenting

At Sonatype, we work continuously to increase awareness of open source risk, and decrease the time it takes you to make your applications safe. It is our never-ending quest to shift security left. We’ve rolled out even more granular and automated policy feedback with pull request comments directly in GitHub.

Developers need to know where potential policy violations or security vulnerabilities are introduced so that they can address and fix the issues efficiently and effectively. This reduces time to remediation and minimizes manual work. Our new PR commenting feature for GitHub notifies a developer when the code they commit introduces risk or breaks a build, and why. When you run a policy evaluation on the branch you are working on, we’ll automatically leave feedback with contextual comments on vulnerabilities that were introduced in that specific branch. By being notified if and where violations were introduced, we enable you to react faster and decrease risk to your organization.

Why SCM Integrations?

Source control management systems, like GitHub, GitLab, and Bitbucket, are often the first place where a piece of code gets shared and reviewed. At Sonatype, we enable developers to push quality control of their application into their SCM tools, and run evaluations against policy configurations in Nexus Lifecycle. The results help developers choose the best components that comply with company policies and are the safest.

Any time a new package or component is brought into the code, multiple new dependencies may be introduced — even hundreds, depending on the component selected. Given the speed of development, sheer number of dependencies and possible vulnerabilities, there is an increased need for automation and immediate feedback.

Holistic Application Scans & Automated Pull Requests

Nexus Lifecycle generates global reports of all the vulnerabilities inside an application. While valuable, most developers are busy.

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Kevin Miller.