Introducing Code Repository Settings: Fine tune your IaC scanning feedback

To surface the most relevant and timely security feedback to developers, Bridgecrew is designed to scan infrastructure as code (IaC) early and often.

In addition to periodic full-repository scans, our platform and suite of dev tools continuously scan for security misconfigurations throughout the development lifecycle—pre-commit via IDE extensions and our command-line interface (CLI) or post-commit via CI/CD and VCS integrations.

When Bridgecrew scans get kicked off by new commits or CI/CD builds, feedback specific to those code changes gets surfaced in Code Reviews. Within each Bridgecrew Code Review run, you can review all identified misconfigurations and implement security-as-code fixes before they’re deployed:

Bridgecrew Code Reviews UI

Bridgecrew’s VCS integrations also provide feedback directly into pull/merge requests as comments similar to peer review discourse. To make feedback as actionable as possible, pull request comments alert developers of misconfigurations being introduced in that specific code change, not the entire code base:

Bridgecrew GitHub pull request comments

For agile teams, however, getting constant security alerts across projects and policies can be at odds with moving fast. And if security feedback (even automated security feedback) produces too many blockers or too much noise, developers will inevitably start ignoring alerts or looking for workarounds.

To avoid that friction, DevOps teams need the flexibility to determine the right balance of what errors get flagged and how strictly feedback is enforced.

With Bridgecrew’s new configurable Code Repository Settings, you can do just that.

Fine-tuned for relevance and importance

Bridgecrew now enables you to configure how IaC security scanning feedback gets surfaced to developers and what types of policies get flagged.

With Code Repository Settings, you can:

  • Exclude specific directory paths from Bridgecrew scans
  • Enable/disable Code Reviews and/or pull request comments
  • Exclude specific policies from being flagged in Code Reviews or pull request comments
  • Define which policy severities get flagged in either Code Reviews or pull request comments

When combined, these settings give you greater control over which findings raise alerts and which block code merges, based on your organization’s priorities. For example, you can choose to fail (and optionally block) all code from being merged that contains critical misconfigurations and surface informational PR comments for the rest. That way, developers can merge code containing lower severity misconfigurations while being notified that there are issues worth addressing in the future.
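To make the interaction of these four settings concrete, here is an added illustration of the triage logic they describe (example code, not Bridgecrew's own implementation or API). The `RepoSettings` and `Finding` models, the severity names, and the sample policy IDs and paths are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Severity order used for the "flag at this severity and above" thresholds (assumed scale).
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class RepoSettings:  # hypothetical model of the Code Repository Settings described in the post
    excluded_paths: list = field(default_factory=list)   # directories skipped by the scan
    excluded_policies: set = field(default_factory=set)  # policy IDs never flagged
    code_review_min_severity: str = "CRITICAL"  # fail the Code Review run at this level and above
    pr_comment_min_severity: str = "LOW"        # post a PR comment at this level and above
    block_merge_on_failure: bool = True         # optional hard block when the run fails

@dataclass
class Finding:
    policy_id: str
    severity: str
    path: str  # repository-relative path of the offending IaC file

def in_excluded_path(path: str, excluded: list) -> bool:
    """True if path is one of the excluded directories or lies beneath one (no partial-name matches)."""
    return any(path == d.rstrip("/") or path.startswith(d.rstrip("/") + "/") for d in excluded)

def triage(findings: list, settings: RepoSettings) -> dict:
    """Apply repository settings to raw scan findings and decide the merge outcome."""
    fails, comments = [], []
    for f in findings:
        if in_excluded_path(f.path, settings.excluded_paths) or f.policy_id in settings.excluded_policies:
            continue  # never surfaced in either channel
        rank = SEVERITY_RANK[f.severity]
        if rank >= SEVERITY_RANK[settings.code_review_min_severity]:
            fails.append(f)      # fails the Code Review run
        if rank >= SEVERITY_RANK[settings.pr_comment_min_severity]:
            comments.append(f)   # surfaced to the developer as a PR comment
    return {
        "status": "failed" if fails else "passed",
        "block_merge": bool(fails) and settings.block_merge_on_failure,
        "fails_code_review": fails,
        "pr_comments": comments,
    }

# Constructed sample findings; policy IDs and paths are placeholders, not real Bridgecrew IDs.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE_S3_PUBLIC", "CRITICAL", "infra/prod/storage.tf"),
    Finding("EXAMPLE_TAGS_MISSING", "LOW", "infra/prod/network.tf"),      # policy excluded below
    Finding("EXAMPLE_SG_OPEN", "HIGH", "examples/demo/main.tf"),          # path excluded below
    Finding("EXAMPLE_LOG_RETENTION", "MEDIUM", "infra/prod/logging.tf"),
]
SAMPLE_SETTINGS = RepoSettings(excluded_paths=["examples/"], excluded_policies={"EXAMPLE_TAGS_MISSING"})
```

With the sample settings, `triage(SAMPLE_FINDINGS, SAMPLE_SETTINGS)` fails the run on the CRITICAL finding alone, while the MEDIUM finding reaches the pull request only as an informational comment; the excluded path and excluded policy never surface at all.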

By balancing informational feedback with enforced guardrails, developers stay mindful of security and compliance considerations but aren’t blocked on issues that aren’t mission-critical.

Head to your Bridgecrew Code Repository Settings to check out the features for yourself!