Overview
Automated Pull Requests is a feature of Sonatype Lifecycle that automatically creates pull requests (PRs) on SCM to update dependencies to versions without policy violations.
When a scan of your SCM repository's default branch finds a component with a policy violation that has not been identified before, and a newer version without the violation is available, Lifecycle creates a PR to update the component to that newer version. Each PR includes:
- Details of the vulnerability
- A link to the full Lifecycle report
- Suggested changes to update the affected component
Supported platforms/formats and the prerequisites for Automated Pull Requests are explained in the following document:
https://help.sonatype.com/en/automated-pull-requests.html
From release 183, Automated Pull Requests include "Golden PR" functionality, which recommends upgrading to "Golden Versions" when available. A Golden Version:
- Remediates all policy violations for both the component AND its dependencies
- Contains no breaking changes
Getting Started
An automated pull request is triggered in multiple scenarios, such as SCM onboarding (Instant Risk Profile and Continuous Risk Profile) or a policy evaluation of the default branch through the related CI/CLI integration.
For example, consider SCM onboarding:
- Create an organization, configure source control with an SCM access token that has the relevant permissions as documented, and enable "Automated Remediation Pull Requests"
- Import applications using SCM onboarding
- Lifecycle scans the default branch (for example, main or master) of each application created through Easy SCM Onboarding. The results of that scan are your Instant Risk Profile.
- If a manifest file such as pom.xml or package.json reports a component with violations and a safe recommended version is available, Lifecycle creates a remediation pull request on the default branch to bump the component to the recommended version.
Daily automated pull requests can be tracked in the Source Control configuration overview, which displays the recent activity (last 24 hours) and the status of PR creation.
Lifecycle tracks the policy violations introduced by newly added components in commits or pull requests to the configured default branch, and creates a remediation pull request to bump the component version.
Note: Automated PRs are only created for new violations on the default branch.