
IBM adds code risk analyser to cloud-based CI/CD

IBM Cloud Continuous Delivery’s Code Risk Analyzer scans Python, Node.js, and Java source code in Git repositories for security and legal risks

4 November 2020

Looking to bring security and compliance analytics to devops, IBM has added its Code Risk Analyzer capability to its IBM Cloud Continuous Delivery service.

Code Risk Analyzer is described by IBM as a security measure that can be configured to run at the start of a developer’s code pipeline, analysing and reviewing Git repositories to discover issues with open source code. The goal is to help application teams recognise cybersecurity threats, prioritise application security problems, and resolve security issues. IBM Cloud Continuous Delivery helps provision toolchains, automate tests and builds, and control software quality with analytics.

IBM said that as cloud-native development practices such as microservices and containers change security and compliance processes, it is no longer feasible for centralised operations teams to manage application security and compliance. Developers need cloud-native capabilities such as Code Risk Analyzer to embed into existing workflows. Code Risk Analyzer helps developers ensure security and compliance in routine workflows.

In developing Code Risk Analyzer, IBM surveyed the source artifacts that IT organisations use in building and deploying applications and in provisioning and configuring Kubernetes infrastructure and cloud services. IBM found that existing cloud solutions provide only limited security controls across this range of source artifacts, typically vulnerability scanning of application manifests, and concluded that a solution was needed that covers security and compliance assessment across all of these artifacts.

Code Risk Analyzer scans Git-based source code repositories for Python, Node.js, and Java code and performs vulnerability checks, license management checks, and CIS (Center for Internet Security) compliance checks on deployment configurations, and generates a ‘bill of materials’ listing all dependencies and their sources. Terraform files used to provision cloud services such as Cloud Object Store are scanned to find any security misconfigurations.
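The checks listed above (a dependency bill of materials, matching pinned versions against an advisory feed, and a licence policy) can be illustrated with a small pipeline gate that reads a Python `requirements.txt` and a Node.js `package.json`. The following is an added example, not IBM’s Code Risk Analyzer code: the manifests, the advisory identifiers (`EXAMPLE-ADV-…`), the licence metadata and the package name `left-widget` are all constructed for the demonstration, and Terraform scanning is not covered here.

```python
"""Toy dependency bill-of-materials (BOM) and risk gate for a CI/CD pipeline.
Added example with constructed data; it is not IBM's Code Risk Analyzer."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample manifests for a hypothetical application.
REQUIREMENTS_TXT = """\
# Python dependencies for the demo service
flask==1.1.2
requests>=2.20,<3
pyyaml==5.3
"""
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "4.17.1", "lodash": "4.17.15", "left-widget": "1.0.0"},
})

# Constructed advisory feed: versions below `fixed_in` are affected.
# Placeholder identifiers, not a real vulnerability database.
ADVISORIES = {
    ("pypi", "pyyaml"): {"id": "EXAMPLE-ADV-0001", "fixed_in": "5.4"},
    ("npm", "lodash"): {"id": "EXAMPLE-ADV-0002", "fixed_in": "4.17.21"},
}
# Constructed licence metadata and a hypothetical policy (left-widget is invented).
LICENSES = {
    ("pypi", "flask"): "BSD-3-Clause", ("pypi", "requests"): "Apache-2.0",
    ("pypi", "pyyaml"): "MIT", ("npm", "express"): "MIT",
    ("npm", "lodash"): "MIT", ("npm", "left-widget"): "GPL-3.0-only",
}
DENIED_LICENSES = {"GPL-3.0-only"}


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: Optional[str]  # None when the manifest does not pin an exact version
    source: str             # manifest the component was found in


def parse_version(v: str) -> tuple:
    """'4.17.21' -> (4, 17, 21); numeric parts only, enough for this comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text: str) -> list:
    """Read requirements.txt; only '==' pins yield a concrete version."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*(==\s*([^\s,;]+))?", line)
        comps.append(Component("pypi", m.group(1).lower(), m.group(3), "requirements.txt"))
    return comps


def parse_package_json(text: str) -> list:
    """Read package.json dependencies; ranges such as '^4.17.15' count as unpinned."""
    deps = json.loads(text).get("dependencies", {})
    comps = []
    for name, spec in deps.items():
        exact = re.fullmatch(r"\d+(\.\d+)*", spec.strip()) is not None
        comps.append(Component("npm", name, spec.strip() if exact else None, "package.json"))
    return comps


def build_bom(requirements: str, package_json: str) -> list:
    return parse_requirements(requirements) + parse_package_json(package_json)


def assess(bom: list) -> list:
    """Apply licence policy and advisory matching to every BOM entry."""
    findings = []
    for c in bom:
        key = (c.ecosystem, c.name)
        lic = LICENSES.get(key, "UNKNOWN")
        if lic in DENIED_LICENSES or lic == "UNKNOWN":
            findings.append({"component": c.name, "kind": "license", "severity": "fail",
                             "detail": f"licence {lic} not allowed by policy"})
        if c.version is None:
            # Without a concrete version the build is not reproducible and
            # advisories cannot be matched, so flag it rather than guess.
            findings.append({"component": c.name, "kind": "unpinned", "severity": "warn",
                             "detail": f"no exact version pinned in {c.source}"})
            continue
        adv = ADVISORIES.get(key)
        if adv and parse_version(c.version) < parse_version(adv["fixed_in"]):
            findings.append({"component": c.name, "kind": "vulnerability", "severity": "fail",
                             "detail": f"{adv['id']}: {c.version} < fixed version {adv['fixed_in']}"})
    return findings


def pipeline_gate(findings: list) -> bool:
    """True when the pipeline may proceed: no 'fail' severity findings."""
    return not any(f["severity"] == "fail" for f in findings)


if __name__ == "__main__":
    bom = build_bom(REQUIREMENTS_TXT, PACKAGE_JSON)
    for c in bom:
        print(f"BOM  {c.ecosystem:5} {c.name:12} {c.version or '(unpinned)':12} from {c.source}")
    results = assess(bom)
    for f in results:
        print(f"{f['severity'].upper():5} {f['kind']:13} {f['component']:12} {f['detail']}")
    print("gate:", "PASS" if pipeline_gate(results) else "FAIL")
```

Running the gate early in the pipeline, as the article describes, means a build with a known-affected pin or a policy-violating licence stops before any image is built or deployed; unpinned dependencies are reported as warnings because they make the BOM non-deterministic rather than proving a vulnerability.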

IBM sought to anchor security controls in standards such as NIST or CIS and to flatten the learning curve while introducing users to new security practices. Developers are shielded from having to understand security definitions and policies, with actionable feedback provided.

IDG News Service





TechCentral.ie