Bring your own static scan
learn how to integrate static scan tools to kyndryl modern operations – devops intelligence secure dashboard represents vulnerability details for static scan, license compliance, dependency check & container vulnerability scan with bring your own static scan apis, vulnerability scan information is transmitted to every time a piece of code violates a coding guideline, tools like sonarquebe highlight a problem each issue has one of five severity levels blocker , critical , high , major , minor and info allows users to provide a list of vulnerabilities, generate metrics based on these vulnerabilities and display severity ratings based on the parameters listed below a = 0 vulnerabilities b = at least 1 minor vulnerability c = at least 1 major vulnerability d = at least 1 critical vulnerability e = at least 1 blocker vulnerability note secure functionality is applicable only for premium plan in bringing aata into to bring your own build tools complete the following steps go to the tools configuration page and navigate to the tokens tab click on create token and give a unique token name select token type as build, then click on the create button a new entry will be added to the table in the table entry click on the vertical ellipsis icon on the respective row and select the view/regenerate token option copy that token by clicking copy icon in the token field note to post data to the apis mentioned below, add the service token (see create service token ) to the authorization header of the request see curl example for reference format step 1 token {the service token from step1} example token 74h5cr8setsjrvofkdbsisy3lsgfngu v5anur4pxu1jh8kp0nqbjhuwqsrmgztx step 2 api reference api technical services/static scan url https //{devops intelligence host}/dash/api/build/v3/technical services/staticscan parameters parameter type explanation example value authorization header authorization has a service token 74h5cr8setsjrvofkdbsisy3lsgfngu v5anur4pxu1jh8kp0nqbjhuwqsrmgztx vulscan body scan data in json { "endpoint hostname" "string", "provider href" "string", "scannedby" "string", "scanned time" "string", "technical service" "string", "technical service tag" { "additionalprop1" "string", "additionalprop2" "string", "additionalprop3" "string" }, "technicalserviceoverride" true, "vulnerabilities" \[ { "actions" \[ "string" ], "attr" { "jira issue key" "string" }, "author" "string", "closedate" "string", "comments" \[ { "createdat" "string", "htmltext" "string", "key" "string", "login" "string", "markdown" "string", "updatable" true } ], "component" "string", "creationdate" "string", "debt" "string", "effort" "string", "hash" "string", "key" "string", "line" 0, "message" "string", "project" "string", "resolution" "string", "rule" "string", "severity" "string", "status" "string", "tags" \[ "string" ], "textrange" { "endline" 0, "endoffset" 0, "startline" 0, "startoffset" 0 }, "transitions" \[ "string" ], "type" "string", "updatedate" "string" } ], "vulnerability density" 0 } url example request curl x 'post' \\ 'dash/api/dev secops/v3/technical services/static scan' \\ h 'accept application/json' \\ h 'authorization token ajzv1zn g xmerycnrhx1uzugypzzwvbk bcrdazors6xziunthflnolc0strzol' \\ h 'content type application/json' \\ d '{ "endpoint hostname" "123", "provider href" "http //mytest com", "scannedby" "byo", "scanned time" "2022 12 05t07 20 50 52z", "technical service" "myservice", "technical service tag" { "additionalprop1" "string", "additionalprop2" "string", "additionalprop3" "string" }, "technicalserviceoverride" true, "vulnerabilities" \[ { "actions" \[ "string" ], "attr" { "jira issue key" "string" }, "author" "string", "closedate" "string", "comments" \[ { "createdat" "string", "htmltext" "string", "key" "string", "login" "string", "markdown" "string", "updatable" true } ], "component" "string", "creationdate" "string", "debt" "string", "effort" "string", "hash" "string", "key" "newkey", "line" 0, "message" "string", "project" "string", "resolution" "string", "rule" "string", "severity" "critical", "status" "open", "tags" \[ "string" ], "textrange" { "endline" 0, "endoffset" 0, "startline" 0, "startoffset" 0 }, "transitions" \[ "string" ], "type" "string", "updatedate" "string" } ], "vulnerability density" 0 }' response 200 "total number of records inserted successfully is 1" secure static scan vulnerability request body explained field data type explanation example value endpoint hostname string name of the endpoints "myorg/myrepo" provider href string provider url on which vulnerability is scanned "http //mytest com scannedby string tool which is used to scan the vunerabilities of the repositories "byo", scanned time string time of the scan in utc "2022 12 05t07 20 50 52z" technical service technicalserviceoverride boolean override flag for the service true vulnerabilities details of the fields key string value of the key "new key" severity string severity of vulnerability critical, high, low, medium component string name of the component "/var/lib/comp" project string name of the project "di secops" rule string rule name unused variable line int32 line number 124 hash string hash value d94d76ad5f5cecd413e resolution string reason of remediation resolved status string status of the vulnerability open, confirmed, reopend message string details of the vulnerability "this is created for byo" effort string time taken to resolve 30 min debt string author string name of the author alice tags \[]string tages for the vulnerability unused creationdate string date of creation "2022 12 05t07 20 50 52z" updatedate string date of update "2022 12 05t07 20 50 52z" closedate string date of close "2022 12 05t07 20 50 52z" type string type of vulnerability internal textrange string range of texts comments string comments on the vulnerability "created for the internal services" attr \[]string attributes transitions string transitions actions string actions taken