VCS Hostings
VCS hosting integration lets you automatically scan projects hosted on a VCS hosting on a schedule, or when specific events are triggered. The system supports integration with GitHub, GitLab and Bitbucket and operates via webhooks.
Please note that for the integration to function properly, external API accessibility must be configured beforehand. Instructions for configuring external API accessibility are provided in the Administrator's Guide.
To create an integration, you need to configure it both in DerScanner and in the hosting. A webhook is a mechanism by which the hosting notifies users about events; which events are available depends on the hosting. DerScanner supports push-events and tag-events. For more information on webhooks and how to set them up, see the documentation of the respective hosting: GitHub, GitLab, and Bitbucket.
To configure an integration with VCS hosting:
- In the side menu of the selected project, select the Autoscan tab (Settings -> Autoscan).
- Select the app source code location (VCS hosting) and the specific hosting for the integration.
- Once you have selected the VCS hosting, you can copy the webhook link and the integration token. The integration token is only required for GitHub and GitLab. Use the webhook link and the integration token when configuring the webhook in the VCS hosting.
- Select the event that will trigger a scan: push to a branch (push-event) and/or tag creation (tag-event). You can combine this with scanning on schedule or use it separately.
- For push-events, you can specify branches; a push into any of these branches initiates a scan. For tag-events, you can specify tags whose creation starts a scan. For GitLab and Bitbucket, a webhook set up for push-events also delivers tag-events and can therefore start a DerScanner analysis on tag creation. If you do not need tag-events to start an analysis, switch off the Tag creation switch in the integration settings in the DerScanner interface. The values in the Branch and Tag fields are specified as regular expressions. By default, the system processes all requests of the selected event type.
- For scanning on schedule, activate the respective toggle switch and set up a schedule as a Quartz cron expression.
- To save the integration, press Save.
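The trigger logic the steps above describe, as an added illustration that is not DerScanner's own code: the field names, the reading of an empty Branch/Tag field as "all", and anchored (whole-name) regex matching are assumptions, and the sample deliveries are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class AutoscanSettings:
    """Mirror of the integration switches described above (assumed field names)."""
    push_enabled: bool = True      # "push to a branch" trigger
    tag_enabled: bool = True       # "Tag creation" switch
    branch_pattern: str = ""       # regex for branch names; empty = every branch
    tag_pattern: str = ""          # regex for tag names; empty = every tag

    def __post_init__(self) -> None:
        # Fail early on a malformed pattern instead of silently matching nothing.
        for pattern in (self.branch_pattern, self.tag_pattern):
            re.compile(pattern)


def classify_ref(ref: str) -> tuple[str, str]:
    """Split a Git ref into (event kind, short name): refs/heads/main -> ("push", "main")."""
    if ref.startswith("refs/heads/"):
        return "push", ref[len("refs/heads/"):]
    if ref.startswith("refs/tags/"):
        return "tag", ref[len("refs/tags/"):]
    return "other", ref   # e.g. refs/pull/7/head: neither event type


def _matches(pattern: str, name: str) -> bool:
    # Assumption: an empty field means "all"; otherwise the regex must match the whole name.
    return not pattern or re.fullmatch(pattern, name) is not None


def should_scan(settings: AutoscanSettings, ref: str) -> bool:
    """Decide whether one webhook delivery (identified by its Git ref) starts a scan."""
    kind, name = classify_ref(ref)
    if kind == "push":
        return settings.push_enabled and _matches(settings.branch_pattern, name)
    if kind == "tag":
        # GitLab/Bitbucket push webhooks also deliver tag creations; the Tag creation
        # switch is what stops those deliveries from starting a scan.
        return settings.tag_enabled and _matches(settings.tag_pattern, name)
    return False


def filter_deliveries(settings: AutoscanSettings, refs: list[str]) -> list[str]:
    """Return the refs from a batch of deliveries that would trigger a scan."""
    return [ref for ref in refs if should_scan(settings, ref)]


if __name__ == "__main__":
    # Constructed deliveries, as a push webhook that also reports tags would send them.
    deliveries = ["refs/heads/main", "refs/heads/feature/login", "refs/tags/v1.2.0", "refs/tags/nightly"]
    release_only = AutoscanSettings(branch_pattern=r"main|release/.*", tag_pattern=r"v\d+\.\d+\.\d+")
    print(filter_deliveries(release_only, deliveries))   # ['refs/heads/main', 'refs/tags/v1.2.0']
```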
Important notes:
- If the user who created the integration is deleted from the DerScanner system, the integration stops working. To keep using the integration, create it anew.
- The machine on which DerScanner is installed must have access to the integrated repository. For a private repository, you need to specify credentials to access the repository. You can do this in the project settings on the General tab (project side menu -> Settings -> General).
- A list of file extensions that can be analyzed when uploading a project from a repository can be found in the appendix (tbl. 11.1).