<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security on Software Factory</title><link>/tags/security/</link><description>Recent content in Security on Software Factory</description><generator>Hugo</generator><language>en</language><atom:link href="/tags/security/index.xml" rel="self" type="application/rss+xml"/><item><title>JFrog Xray Vulnerability Scan</title><link>/use/howto/secure/jfrog-xray-vulnerabilties/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/howto/secure/jfrog-xray-vulnerabilties/</guid><description>&lt;h2 id="overview"&gt;Overview&lt;a class="td-heading-self-link" href="#overview" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Xray detects known &lt;a href="/use/practices/secure/software-composition-analysis/vulnerability/"&gt;vulnerabilities&lt;/a&gt;
 (CVEs) in the components of your repositories, builds
and release bundles.&lt;/p&gt;
&lt;p&gt;It identifies each component, maps it to known vulnerabilities from public and proprietary sources
and lets you enforce security policies using &lt;strong&gt;policies&lt;/strong&gt; and &lt;strong&gt;watches&lt;/strong&gt; mechanism.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;For background on how Xray works, see &lt;a href="/use/tools/xray/"&gt;Xray Page&lt;/a&gt;
.&lt;/li&gt;
&lt;li&gt;For license compliance, see &lt;a href="/use/tools/xray/#license-compliance"&gt;Xray License Scanning&lt;/a&gt;
.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;a class="td-heading-self-link" href="#prerequisites" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Before you start, make sure you have:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Access to a JFrog Platform instance with &lt;strong&gt;Xray&lt;/strong&gt; enabled&lt;/li&gt;
&lt;li&gt;A dedicated &lt;strong&gt;Project&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;A role with &lt;strong&gt;Manage Xray Data&lt;/strong&gt;, &lt;strong&gt;Manage Watches &amp;amp; Policies&lt;/strong&gt; and &lt;strong&gt;Manage Reports&lt;/strong&gt; permission
within that project.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JFrog CLI&lt;/strong&gt; installed and configured&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="create-a-vulnerability-policy"&gt;Create a vulnerability policy&lt;a class="td-heading-self-link" href="#create-a-vulnerability-policy" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;A policy defines what counts as a violation and what action Xray takes when one is found.&lt;/p&gt;</description></item><item><title>Secrets, Tokens and Credentials in SonarQube</title><link>/use/tools/sonarqube/secrets/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/sonarqube/secrets/</guid><description>&lt;p&gt;This document lists all secrets, tokens and credentials that can be configured and managed by a
&lt;strong&gt;non-administrator&lt;/strong&gt; user in SonarQube.&lt;/p&gt;
&lt;p&gt;For each item, a concise explanation of its usage and a link to the official documentation are
provided.&lt;/p&gt;
&lt;table&gt;
 &lt;thead&gt;
 &lt;tr&gt;
 &lt;th&gt;Type&lt;/th&gt;
 &lt;th&gt;Description&lt;/th&gt;
 &lt;th&gt;Details&lt;/th&gt;
 &lt;/tr&gt;
 &lt;/thead&gt;
 &lt;tbody&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;User Token&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Full user-level authentication token, inherits all user permissions&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/sonarqube/secrets/#user-token"&gt;User Token&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Project Analysis Token&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Scoped token for running analyses on a single project&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/sonarqube/secrets/#project-analysis-token"&gt;Project Analysis Token&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Global Analysis Token&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Token for running analyses on all projects in the instance&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/sonarqube/secrets/#global-analysis-token"&gt;Global Analysis Token&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Webhook Secret&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;HMAC-SHA256 secret to verify authenticity of webhook payloads&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/sonarqube/secrets/#webhook-secret"&gt;Webhook Secret&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Project Badge Token&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Auto-generated token for displaying project metrics badges&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/sonarqube/secrets/#project-badge-token"&gt;Project Badge Token&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;DevOps Platform PAT&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;GitLab PAT for project import and Merge Request decoration&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/sonarqube/secrets/#devops-platform-integration---personal-access-token-pat"&gt;DevOps Platform Integration&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Login/Password&lt;/strong&gt; &lt;em&gt;(deprecated)&lt;/em&gt;&lt;/td&gt;
 &lt;td&gt;Legacy authentication method, replaced by tokens&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/sonarqube/secrets/#loginpassword-authentication-deprecated"&gt;Login/Password&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;/tbody&gt;
&lt;/table&gt;
&lt;h2 id="user-token"&gt;User Token&lt;a class="td-heading-self-link" href="#user-token" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;h3 id="description"&gt;Description&lt;a class="td-heading-self-link" href="#description" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Authentication token that allows a user to perform all actions the user can do via the web
interface, without using their actual credentials (login/password).&lt;/p&gt;</description></item><item><title>Secure your Repository</title><link>/use/practices/secure/secure-your-repository/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/practices/secure/secure-your-repository/</guid><description>&lt;p&gt;Securing your repository is essential to maintain the integrity and confidentiality of your code base.
This guide covers the practices for implementing robust access controls, enforcing branch protection,
securing secrets, and using groups efficiently within GitLab.&lt;/p&gt;
&lt;h2 id="implement-access-controls"&gt;Implement Access Controls&lt;a class="td-heading-self-link" href="#implement-access-controls" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Establishing strong access controls is fundamental for repository security.&lt;/p&gt;
&lt;p&gt;Properly configured permissions ensure only authorized individuals can perform sensitive actions
like pushing code, merging changes, or altering project settings.&lt;/p&gt;</description></item></channel></rss>