Configuring Security and Compliance Center

You can use the IBM Cloud® Security and Compliance Center to embed security checks into your everyday workflows to monitor for security and compliance. By monitoring for risks, you can identify security vulnerabilities and quickly work to mitigate the impact and fix the issues.

Currently, you can use this tool integration only with toolchains that are created from the DevSecOps continuous delivery (CD) and continuous compliance (CC) templates. Before you configure a Security and Compliance Center tool integration, make sure that you have a Git repository (repo) that contains the evidence locker for your toolchain and a configured Git tool integration that points to this repo.

This tool integration verifies the security and compliance posture of your toolchain by identifying the location of the evidence locker and the path to the evidence summary. For more information about evidence format and structure, see Evidence.

Security and Compliance Center can scan an account or resource group. Those scans can find toolchains and associated evidence, as configured in the Name, Evidence repository name or URL, and Evidence namespace fields within the Security and Compliance Center tool integration.

Configure Security and Compliance Center to embed security checks into your workflows to monitor for security and compliance:

  1. If you are configuring this tool integration as you are creating the toolchain, and a Security and Compliance Center tool integration exists within the template that you are configuring, click the Security and Compliance Center tab. Alternatively, in the More tools section, click Security and Compliance Center.

  2. If you have a toolchain and are adding this tool integration to it, from the IBM Cloud console, click the menu icon and select DevOps. On the Toolchains page, click the toolchain to open its Overview page. Alternatively, on your app's Overview page, on the Continuous delivery card, click View toolchain. Then, click Overview.

    a. Click Add tool.

    b. In the Tool Integrations section, click Security and Compliance Center.

  3. Type the name that you want to display for this tool integration on the Security and Compliance Center card in your toolchain. This name is used to identify the tool integration in your toolchain.

  4. Specify the Evidence repository name or URL. This is the name or URL of the repo that stores the evidence locker for your toolchain. This repo must correspond to the Git tool integration that you previously added to your toolchain to store your evidence. Currently, only GitHub, GitLab, and IBM-hosted Git are supported. Security and Compliance Center scans run with the user credentials that are configured in the Security and Compliance Center scope. That user must have Git OAuth credentials for this toolchain's region and read access to the evidence repo.

  5. Click Create Integration.

  6. On your toolchain's Overview page, on the IBM Cloud tools card, click Security and Compliance Center.

Configuring Security and Compliance Center by using the API

The Security and Compliance Center tool integration supports the following configuration parameters that you can use with the Toolchain HTTP API and SDKs when you create, read, and update tool integrations.

You must specify the tool_type_id property in the request body with the security_compliance value.

Table 1. Security and Compliance Center tool integration parameters

| Parameter | Usage | Type | Terraform argument | Description |
|---|---|---|---|---|
| attachment_id | optional, updatable | String | attachment_id | An attachment ID. An attachment is configured under a profile to define how a scan will be run. To find the attachment ID, in the browser, in the attachments list, click on the attachment link, and a panel appears with a button to copy the attachment ID. This parameter is only relevant when the use_profile_attachment parameter is enabled. |
| evidence_namespace | required, updatable | String | evidence_namespace | The type of pipeline evidence to display in Security and Compliance Center for this toolchain. Valid values are cd (uses evidence that is generated by a continuous deployment pipeline) or cc (uses evidence that is generated by a continuous compliance pipeline). |
| evidence_repo_name | required, updatable | String | evidence_repo_url | The URL of a Git repo evidence locker. The DevSecOps toolchain templates collect and store evidence for scans and tasks in an evidence repo. Make sure that this URL matches the repo_url for a Git tool integration in this toolchain. The DevSecOps toolchain goals in the Security and Compliance Center check the evidence repo for the pass or fail results for those goals. |
| instance_crn | optional, updatable | String | instance_crn | The Security and Compliance Center service instance CRN (Cloud Resource Name). It is recommended to provide an instance CRN, but when absent, the oldest service instance will be used. This parameter is only relevant when the use_profile_attachment parameter is enabled. |
| name | required, updatable | String | name | The name of this tool integration. |
| profile_name | optional, updatable | String | profile_name | The name of a Security and Compliance Center profile. You can use the predefined profile "IBM Cloud Framework for Financial Services", which contains the DevSecOps Toolchain rules. Or, use a user-authored customized profile that has been configured to contain those rules. This parameter is only relevant when the use_profile_attachment parameter is enabled. |
| profile_version | optional, updatable | String | profile_version | The version of a Security and Compliance Center profile, in SemVer format, like '0.0.0'. This parameter is only relevant when the use_profile_attachment parameter is enabled. |
| scc_api_key | optional, updatable | Password | scc_api_key | The IBM Cloud API key used to access the Security and Compliance Center service, for the use profile with attachment setting. This parameter is only relevant when the use_profile_attachment parameter is enabled. You can use a toolchain secret reference for this parameter. For more information, see Protecting your sensitive data in Continuous Delivery. |
| use_profile_attachment | optional, updatable | String | use_profile_attachment | Set to enabled to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant: scc_api_key, instance_crn, profile_name, profile_version, attachment_id. |
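The following pre-flight check is an added example, not code from IBM or from this page: it validates a set of parameters against Table 1 before a create or update request is sent, and treats a literal scc_api_key as a finding. The function names, the nesting of the parameters under a "parameters" key, and the secret-reference pattern are assumptions.

```python
import re

TOOL_TYPE_ID = "security_compliance"  # value the page requires in the request body
REQUIRED = {"name", "evidence_namespace", "evidence_repo_name"}
# Relevant only when use_profile_attachment is enabled (per Table 1).
PROFILE_ONLY = {"attachment_id", "instance_crn", "profile_name",
                "profile_version", "scc_api_key"}
ALLOWED = REQUIRED | PROFILE_ONLY | {"use_profile_attachment"}
SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$")  # simplified SemVer
# Assumption: a secret reference is either {vault::tool.secret} or a CRN.
SECRET_REF = re.compile(r"^(\{vault::[^}]+\}|crn:.+)$")


def check_parameters(params):
    """Return a list of findings; an empty list means the parameters pass."""
    problems = [f"missing required parameter: {k}" for k in sorted(REQUIRED - set(params))]
    problems += [f"unknown parameter: {k}" for k in sorted(set(params) - ALLOWED)]
    if params.get("evidence_namespace") not in (None, "cd", "cc"):
        problems.append("evidence_namespace must be 'cd' or 'cc'")
    if params.get("use_profile_attachment") != "enabled":
        problems += [f"{k} has no effect unless use_profile_attachment is enabled"
                     for k in sorted(PROFILE_ONLY & set(params))]
    version = params.get("profile_version")
    if version is not None and not SEMVER.match(version):
        problems.append("profile_version is not in SemVer format")
    api_key = params.get("scc_api_key")
    if api_key is not None and not SECRET_REF.match(api_key):
        problems.append("scc_api_key is a literal value; use a toolchain secret reference")
    return problems


def build_request_body(params):
    """Build the request body, or raise ValueError listing every finding."""
    problems = check_parameters(params)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumption: integration parameters are nested under "parameters".
    return {"tool_type_id": TOOL_TYPE_ID, "parameters": dict(params)}


if __name__ == "__main__":
    # Constructed sample values; the repo URL and secret name are placeholders.
    sample = {"name": "scc", "evidence_namespace": "cc",
              "evidence_repo_name": "https://example.com/org/evidence-locker",
              "use_profile_attachment": "enabled", "profile_version": "1.0.0",
              "scc_api_key": "{vault::my-secrets.scc-api-key}"}
    print(build_request_body(sample))
```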

Learn more about Security and Compliance Center

To learn more about Security and Compliance Center, see Getting started with Security and Compliance Center.