Note: This service is currently in Beta.

Dash ComplySource is a new Dash scanning service that enables teams to detect configuration and compliance issues across source code repositories. Security teams can connect version control systems (including GitHub, GitLab, and Bitbucket) to scan for potential security issues in source code and infrastructure-as-code (IaC) files before they reach production.

Below are the steps for using Dash ComplySource and Infrastructure-as-Code (IaC) scanning in your source code repositories:

Setting Up Dash ComplySource

Dash ComplySource can currently scan and detect issues in file types including Ansible files, Terraform files, Dockerfiles, Kubernetes (K8s) manifests, CloudFormation files, and OpenAPI files.

You can connect one or more source code repositories to ComplySource scanning.

  1. Ensure that your team is running Dash v2.10.0 or above.

  2. Log in to Dash ComplyOps.

  3. Navigate to the Dash ComplySource configuration page.

    1. Go to Action Center > Click “Configure Dash ComplySource”.

  4. Click the “Connect Code Repository” button.

    1. You will be presented with instructions for connecting GitHub, Bitbucket, and/or GitLab repositories.

    2. You will need to connect a version control repository to Dash ComplySource before scanning of source code and Infrastructure-as-Code (IaC) files can start.

    3. Follow all instructions for setting up source repositories with ComplySource.

Disconnecting a Repository From Dash ComplySource

Your team can take the following steps to disconnect a source code repository from Dash ComplySource/ComplyOps.

GitHub:

  1. Go to your repository and remove the file "/workflows/ecs-scan.yml", then commit and push the change.

  2. In Action Center > Configure ComplySource > Click the “Remove Repo” button.

Bitbucket:

  1. Go to your repository and remove the file "bitbucket-pipelines.yml", then commit and push the change.

  2. In Action Center > Configure ComplySource > Click the “Remove Repo” button.

GitLab:

  1. Go to your repository and remove the file ".gitlab-ci.yml", then commit and push the change.

  2. In Action Center > Configure ComplySource > Click the “Remove Repo” button.

Using Dash ComplySource

Once your team has connected your source code repositories to Dash ComplySource, you can view scans and issues inside the Dash application.

  1. Log in to Dash.

  2. Navigate to the “Compliance Center” > Click on the “Dash ComplySource” tab.

  3. You should see the latest scan information for your connected repositories.

Viewing Repos/Commits

  • If you have multiple source code repos connected to Dash, you can select the repository from the dropdown.

  • Git commits for the selected repository are shown in chronological order, with the latest commit at the top.

  • You can add a source code repository to Dash by clicking the “+” button or by navigating to the Action Center and clicking “Configure ComplySource”.

  • To view the compliance issues ComplySource detected for a commit, click on the specific “commit” row.

Viewing Commit Issues List

You can view the compliance issues ComplySource detected for a commit by clicking on the specific “commit” row.

  • Dash will show a list of all security findings for the source repository (similar to the image above).

  • Issues are shown for the selected commit with their “Priority”, “Type”, “Items” (the number of times the issue occurs), and “Date” (when it was detected).

  • You can view individual issues by clicking on the issue row.

Viewing Individual Issues

You can view an individual ComplySource issue by clicking on its row in the commit issues list.

Individual issue pages show the following information:

  • Compliance Standards: Currently, SOC 2 mappings are shown for related ComplySource issues.

  • Related Policies: All policies related to the ComplySource issue are displayed.

  • Issue: Describes the security concern found in the affected file(s).

The Affected Objects section shows the following information:

  • File: The directory within the source repository that contains the file with the security issue.

  • Commit: The commit hash associated with the current security finding.

  • File Name: The name of the file with the security issue.

  • Last User Commit: The source code user who made the latest commit containing this issue.

  • Finding Information: The expected text or settings in the source file for this issue.

  • Actions: Links to view the file affected by the security issue and to view the source code commit related to the issue.

Resolving Issues

Dash ComplySource does not have a separate “resolve” function, because every commit to a connected branch or repository is scanned.

  • If your team corrects a security issue found by Dash ComplySource, the fix should be committed to the source code repository.

  • Dash ComplySource will scan the new commit and, if the fix is correct, will show a lower issue count.

  • Example: If your team has a source repository with 50 issues and you fix 10 of them in the codebase and commit the changes to the repository, the new commit will show up in the Dash ComplySource dashboard with 40 issues.

Current Limitations

  1. Dash ComplySource will not scan a GitHub repository if the repository contains a Git submodule.

  2. If the Git repository contains a folder or file whose name contains spaces, the scan will fail (no scan result appears in the Dash app).

These are current limitations the Dash team is working to address in the near future.

Potential Issues

If your team runs into problems using Dash ComplySource, consider the following scenarios when troubleshooting:

The scan branch and selected branch are different.

Problem: In the Git configuration file (the .yml file), the branch selected for scanning is different from the branch that was pushed.

Solution: Correct the branch in the Git configuration file. The branch to which files are pushed should be the same as the branch in the configuration file.
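As an added example (not code from Dash or the ComplySource product), the Python preflight check below inspects a checkout for the conditions this page lists as breaking a scan: a Git submodule, a folder or file name containing spaces, and a workflow whose on.push.branches filter does not include the branch being pushed. The function names are my own, and the sample repository layout and workflow text are constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

def has_submodule(repo_root):
    """Git submodules are declared in .gitmodules at the repository root."""
    return (Path(repo_root) / ".gitmodules").is_file()

def find_paths_with_spaces(repo_root):
    """Return repo-relative folders/files whose name contains a space."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip Git internals
        for name in dirnames + filenames:
            if " " in name:
                hits.append(os.path.relpath(os.path.join(dirpath, name), repo_root))
    return sorted(hits)

def scan_branches(workflow_text):
    """Branch names under on.push.branches in a workflow .yml (flow or block list)."""
    m = re.search(r"^[ \t]*branches:[ \t]*\[([^\]]*)\]", workflow_text, re.M)
    if m:
        return [b.strip().strip("'\"") for b in m.group(1).split(",") if b.strip()]
    m = re.search(r"^[ \t]*branches:[ \t]*\n((?:[ \t]*-[ \t]*\S.*\n?)+)", workflow_text, re.M)
    if m:
        return [ln.split("-", 1)[1].strip().strip("'\"") for ln in m.group(1).splitlines() if ln.strip()]
    return []

def preflight(repo_root, workflow_text, pushed_branch):
    """Collect the conditions this page lists as causing a failed or skipped scan."""
    problems = []
    if has_submodule(repo_root):
        problems.append("repository contains a Git submodule (.gitmodules present)")
    for p in find_paths_with_spaces(repo_root):
        problems.append(f"path contains spaces: {p}")
    branches = scan_branches(workflow_text)
    if branches and pushed_branch not in branches:
        problems.append(f"pushed branch '{pushed_branch}' is not in workflow branches {branches}")
    return problems

def demo():
    """Constructed sample repo exhibiting all three conditions (not a real project)."""
    root = tempfile.mkdtemp()
    Path(root, ".gitmodules").write_text('[submodule "lib"]\n\tpath = lib\n')
    Path(root, "infra", "prod env").mkdir(parents=True)
    Path(root, "infra", "prod env", "main.tf").write_text("")
    workflow = "on:\n  push:\n    branches:\n      - main\n"
    return preflight(root, workflow, "develop")
```

Run preflight() against your own checkout, the contents of the scan workflow file, and the branch you are about to push; an empty list means none of the listed conditions apply.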

Your source repository uses an expired token

Problem: Scanning previously worked but stopped working after some time, and the Git action shows an error.

Possible solution: Check the Git user access token. If the token has expired, generate a new one and replace it in the environment variables.

The Git action did not send anything

Possible solution: Check all environment variables configured in your repository.

ComplySource scanning stops working after changing the “Domain and SSL configuration”

Solution: Update the DASH_API_ENDPOINT value in your Git secrets.

General Troubleshooting Steps

  1. Check for the typical ComplySource issues listed above.

  2. Check the Git environment variables, such as the license value.

  3. Push the Git changes again and wait 10-20 minutes.

Scanning may take more time for larger repositories.