The ZeroNorth platform orchestrates scans with Sonatype Nexus IQ Lifecycle to help identify open-source security risks.
To use this integration, you need:
- A ZeroNorth platform license and credentials
- Valid credentials for the Sonatype NexusIQ Lifecycle scanning server/service
To activate the “Sonatype” Scenario, refer to the article Activate Scenario - Sonatype NexusIQ Lifecycle.
If you already have an Integration added with the Integration Type as “Artifact”, you can use the existing Integration for Sonatype. Otherwise, create a new Integration as follows:
- Go to znADM > Integrations.
- Click the +Add Integration button on the top right of the screen.
- Set Initial Scans From as desired (see the related article Add an Integration (with GitHub example) for examples).
- Select Type as “Artifact”.
- Click Create Integration.
Next, add a Target to the Integration:
- Go to znOPS > Targets.
- Click the +Add Target button on the top right of the screen.
- Select the “Artifact” type Integration from above.
- Click Save.
Then create a Policy that ties the Integration, Target, and Scenario together:
- Go to znOPS > Policies.
- Click the +Add Policy button on the bottom right of the screen.
- Enter the Name and, optionally, a Description.
- Select the previously created Integration and Target.
- Select the “Sonatype” Scenario that was previously activated.
- For Policy Type and related fields:
  - For a standard orchestrated scan with your Sonatype server, select “Orchestrated Scan” for Policy Type and enter a Product Name. The specified product name must not already exist in the Sonatype server.
  - To import existing Sonatype scan results from your Sonatype server into your ZeroNorth account, set Policy Type to “Data Load” and Application Lookup Strategy to “Discover Existing Applications”. Select the application from the resulting list. You can also discover the application by its Public/Private ID.
- Click Save to create a new policy.
As with most ZeroNorth scan Policies for Artifact type Targets, the scan is typically initiated from the CI/CD environment via one of the following approaches: