It may sound strange coming from a SaaS company, but we expect many of our users to rarely, if ever, log in to our platform. We feel like we’ve done a good job when developers who want to write secure infrastructure as code (IaC) and cloud deployments can stay in their preferred IDEs, CI/CD tools, and VCS to get security feedback.
That’s why we invest so heavily in our integrations, and why we’re so excited about this upgrade to our repository code comments. Not only will Bridgecrew automatically comment on misconfigurations for resources, it now includes richer context and fix suggestions! And with the new formatting and color-coding, prioritization is a lot easier, too.
Commit secure code without leaving GitHub
Bridgecrew acts as the first line reviewer for pull requests. We have provided misconfigurations in the form of code comments, but now we include additional information, including:
- The Bridgecrew ID, so you can quickly suppress the policy in code from the PR.
- The severity of the policy violation (stylized to help with prioritization).
- The description of the violation, so you can understand the intent behind the policy as you decide whether to correct or suppress the issue.
- Any benchmarks that include the policy so you can understand the compliance implications of the misconfiguration.
- Commit ready fix suggestions to fix the issue automatically right there in the PR.
- Any dependencies for that resource to understand the implication beyond the resource identified.
This additional context gives you all of the information you need to fix misconfigurations right in the pull request, directly on the resource that violates the policy. This minimizes context switching and decreases the time to repair a misconfiguration.
Fix suggestions are now in-line
As a part of the Bridgecrew platform, we’ve provided fixes as commits to open pull requests, separate pull requests back to repositories, and as playbooks in runtime. For example, if you open a pull request to add a new Terraform file to a GitHub repo and you forget to include versioning for an S3 bucket, we provide the HCL to add versioning as a commit back to the pull request.
However, all of these automated fixes require you to log into the Bridgecrew platform. With the update, we are keeping developers in their GitHub repo. We now provide the code fix as a suggestion right in the comment in the pull request. Fixing the code is as simple as accepting the suggestion.
Getting started with IaC security PR comments and fix suggestions
Simply onboard your GitHub account and every new pull request will include these comments full of helpful information. The default is for every misconfiguration for every resource to receive a code comment, but that is configurable where you can skip checks or set a threshold (low/medium/high/critical) for code comments.
To use a fix suggestion, look under the suggestion and select “Commit suggestion” and “Commit changes.” That code will automatically be added, removed, or changed to pass the policy check. In this example, default encryption was added to an S3 bucket that otherwise would have violated multiple PCI, NIST, FedRAMP, and CIS rules.
Code comments are now even more powerful with additional context and fix suggestions. Empower engineers to develop securely with Bridgecrew and GitHub.
Try out automated code comments by signing up for our free 14-day trial and integrating your GitHub account.