
Settings

The settings tab of the application details section allows you to:

  • Set a default branch for your application;
  • Configure the version control integration, which allows you to review the affected source code corresponding to the finding.
[Image: The Qwiet dashboard's Settings tab]

Default branches

For each application that you scan with Qwiet preZero, you can set a default branch. Setting a default branch essentially "pins" that branch, so that the scan information for it is displayed whenever you open the application in the dashboard.

If you do not have a default branch selected, Qwiet will display information for the latest scan of that application, regardless of branch.

Set a default branch

To set your default branch:

  1. Log into Qwiet and navigate into the application of interest.
  2. In the menu bar, click Settings.
  3. Under Default Branch, use the drop-down menu to select the branch you want to be your default.
  4. Click Set Branch to save your changes.

Default branches are set per user; the default branch for one Qwiet user may differ from that of another Qwiet user, even though they're working with the same application.

Version control integration

For each application that Qwiet analyzes and tracks, the dashboard can show you the source code location where Qwiet identified a vulnerability. In other words, Qwiet can provide URLs that take you directly to the specific source code lines where the vulnerability occurs.

Background

By default, Qwiet attempts to infer the correct URL schema automatically. For example, if you run Qwiet preZero from a directory that is also a Git repo, Qwiet automatically attempts to read the URL of the remote from the Git metadata. The dashboard then uses this URL to build its hyperlinks.

However, if either of the following applies:

  • You are running Qwiet from a directory that is not a Git repository
  • You are using a version control system that does not follow the URL conventions of GitHub, GitLab, or Bitbucket

you can supply the necessary configuration yourself so that Qwiet can show you where the vulnerabilities in your code are located.

Configuring the version control integration

Under Settings, click Configure VCS URL.

To integrate your version control system with Qwiet, provide your application's source code URL. Qwiet offers a series of templates based on the version control system you use to format the URL correctly:

VCS        Template
GitHub     https://github.com/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to}
GitLab     https://gitlab.com/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to}
Bitbucket  https://bitbucket.org/{repo_user}/{repo_name}/{repo_path}/{file_path}#lines-{line_from},{line_to}
Custom     https://{repo_host}/{repo_user}/{repo_name}/{repo_path}/{file_path}/{file_path}#L{line_from}-L{line_to}

[Image: The version control integration panel in the Qwiet dashboard]

Notes:

  • You can append _escaped to any of these placeholders (e.g., {file_path_escaped}) to URL-encode the value so that it can be used safely inside a URL query string.
  • You can use {commit_or_ref} instead of {ref}; the placeholder is then replaced with the commit hash if one is available, and with the ref otherwise. Note that some version control systems may not accept this value, since the commit hash may exist only in a local copy.

Once you've provided the URL to your source code, click Save VCS URL. At this point, your dataflow information contains active hyperlinks that will lead you to where the identified vulnerability is in the source code.
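To make the placeholder rules concrete, the following added example (not code from the Qwiet product or its docs) expands a template the way the table and notes above describe: plain placeholders are substituted verbatim, a `_escaped` suffix URL-encodes the value, and `{commit_or_ref}` falls back to the ref when no commit hash is known. The custom query-string template, its host, and the sample finding values are constructed for the demonstration; how the dashboard implements this internally is an assumption.

```python
import re
from urllib.parse import quote

# The GitHub template exactly as listed in the dashboard's template table.
GITHUB_TEMPLATE = ("https://github.com/{repo_user}/{repo_name}/blob/{ref}/"
                   "{repo_path}/{file_path}#L{line_from}-L{line_to}")

# Constructed custom template with a query string, where the escaped
# placeholder and the commit fallback matter. The host is a placeholder.
CUSTOM_QUERY_TEMPLATE = ("https://vcs.example.invalid/{repo_user}/{repo_name}"
                         "?path={file_path_escaped}&version={commit_or_ref}"
                         "&line={line_from}&lineEnd={line_to}")

# Matches {name} or {name_escaped}; names are the documented placeholders.
PLACEHOLDER = re.compile(r"\{([a-z_]+?)(_escaped)?\}")


def render_vcs_url(template, values):
    """Expand a VCS template with the values for one finding location.

    `values` maps placeholder names (repo_user, repo_name, ref, repo_path,
    file_path, line_from, line_to) to raw values; an optional "commit" key
    feeds {commit_or_ref}. Assumption: this mirrors the two documented
    rules (escaping and commit fallback) but is not the dashboard's code.
    """
    def substitute(match):
        name, escaped = match.group(1), match.group(2)
        if name == "commit_or_ref":
            value = values.get("commit") or values["ref"]
        else:
            value = values[name]
        value = str(value)
        # safe="" also encodes "/" so a path fits inside one query value
        return quote(value, safe="") if escaped else value

    return PLACEHOLDER.sub(substitute, template)


# Constructed sample finding location (not real repository data).
SAMPLE = {
    "repo_user": "example-org", "repo_name": "demo-app", "ref": "main",
    "repo_path": "java/apps/app-scanned", "file_path": "src/Main App.java",
    "line_from": 42, "line_to": 48,
}

if __name__ == "__main__":
    print(render_vcs_url(GITHUB_TEMPLATE, SAMPLE))
    print(render_vcs_url(CUSTOM_QUERY_TEMPLATE, SAMPLE))
    print(render_vcs_url(CUSTOM_QUERY_TEMPLATE, {**SAMPLE, "commit": "0123abc"}))
```

The space in the sample file name shows why `_escaped` exists: the unescaped GitHub URL carries it literally, while the query-string variant encodes it as `%20` and the slash as `%2F`.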

Editing your VCS URL

You can change the URL or see the templates again at any time by clicking Edit URL after the initial configuration.

Modifying the source code file paths used

If your repo's file structure doesn't match the predefined templates Qwiet preZero uses, you can provide modifications when running sl analyze.

The --vcs-prefix-correction flag lets you add prefix information so that Qwiet preZero builds the correct file paths for your code:

sl analyze <parameters omitted> --vcs-prefix-correction "prefixToMatch=prefixToAdd"

Sample usage / usage notes

If you include the following flag when running sl analyze:

--vcs-prefix-correction "/io/shiftleft=/path/prefix/to"

Qwiet preZero will find all instances of /io/shiftleft and prepend /path/prefix/to to form /path/prefix/to/io/shiftleft.

You can include as many --vcs-prefix-correction flags as necessary, but the prefixes are mutually exclusive: only one of them is applied to a given path (the exception is *, which is applied in addition). So, if you run:

sl analyze ... --vcs-prefix-correction "*=/src/main" --vcs-prefix-correction "/io/shiftleft=/path/prefix/to"

Then Qwiet preZero converts:

  • /com/shiftleft/utils into /src/main/com/shiftleft/utils
  • /io/shiftleft/stream/utils into /src/main/path/prefix/to/io/shiftleft/stream/utils

The * is a special case that means "prefix all"; it is not a wildcard, and it is applied together with any other prefixes you supply. So, if you use *=/src/main, Qwiet preZero adds /src/main to the start of all of your file paths.
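The following added example (not Qwiet's own code) models the --vcs-prefix-correction semantics described above, including the ordering that produces /src/main/path/prefix/to/... in the documented example. Two details the docs leave implicit are assumptions here: a rule matches when the path starts with prefixToMatch, and only the first matching specific rule is applied before the * value is prepended.

```python
def parse_prefix_corrections(flag_values):
    """Parse the "prefixToMatch=prefixToAdd" values of --vcs-prefix-correction.

    Returns the specific rules in the order given plus the value of the
    special "*" rule (None if absent). Assumption: this mirrors the docs'
    description, not Qwiet's implementation.
    """
    specific, prefix_all = [], None
    for value in flag_values:
        to_match, sep, to_add = value.partition("=")
        if not sep:
            raise ValueError(f"expected prefixToMatch=prefixToAdd, got {value!r}")
        if to_match == "*":
            prefix_all = to_add      # "prefix all", not a wildcard
        else:
            specific.append((to_match, to_add))
    return specific, prefix_all


def correct_path(path, specific, prefix_all):
    """Apply the corrections to one file path.

    Assumed matching rule: the path must start with prefixToMatch, and since
    the rules are mutually exclusive only the first match is applied. The "*"
    value is then prepended to the result, which is why the documented example
    yields /src/main/path/prefix/to/... and not /path/prefix/to/src/main/...
    """
    for to_match, to_add in specific:
        if path.startswith(to_match):
            path = to_add + path
            break
    if prefix_all is not None:
        path = prefix_all + path
    return path


def correct_paths(flag_values, paths):
    """Map each original path to its corrected form."""
    specific, prefix_all = parse_prefix_corrections(flag_values)
    return {p: correct_path(p, specific, prefix_all) for p in paths}


if __name__ == "__main__":
    # The flags and paths from the documented example.
    flags = ["*=/src/main", "/io/shiftleft=/path/prefix/to"]
    results = correct_paths(flags, ["/com/shiftleft/utils",
                                    "/io/shiftleft/stream/utils"])
    for before, after in results.items():
        print(f"{before} -> {after}")
```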

Inferences

Qwiet preZero may infer version control information, and provide links accordingly, from the environment variables of the container it runs in.

For example, if GITHUB_RUN_ID is set, Qwiet preZero assumes that you're running it against a GitHub repo via GitHub Actions. Alternatively, if you're running Qwiet preZero using Jenkins, the GIT_URL or GITHUB_REPO_GIT_URL variable, together with BRANCH_NAME, GIT_LOCAL_BRANCH, or GIT_BRANCH, provides the branch-related information.

Qwiet preZero also supports the following environment variables; if you set any of them, their values are used instead of the ones Qwiet preZero inferred from your run environment. Note that these values are inferred from the information available on a per-scan basis (not per project).

  • SL_VCS_TEMPLATE: A custom VCS template, i.e., the formula Qwiet preZero uses to build your VCS links, such as https://{repo_host}/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to}
  • SL_VCS_REPO_NAME: The custom name to be used as your repository name
  • SL_VCS_USER_NAME: The custom username you want to be used (can be an organization name)
  • SL_VCS_COMMIT_ID: The commit ID you want Qwiet preZero to use
  • SL_VCS_BRANCH_REF: The branch reference you would like Qwiet preZero to use
  • SL_VCS_RELATIVE_PATH: The relative path between the root of your repository and the project that you're analyzing (e.g., the path between the root github.com/yourOrg/monorepo and the app being scanned github.com/yourOrg/monorepo/java/apps/appScanned)
  • SL_VCS_ORIGIN_URL: A custom upstream URL

For Azure users

When setting up VCS in the dashboard, select a Custom URL template and use the following:

https://dev.azure.com/<YOUR_AZURE_ORG>/<YOUR_PROJECT_NAME>/_git/<YOUR_REPO_NAME>?path={file_path_escaped}&version=GB{commit_or_ref}&line={line_from}&lineEnd={line_to}&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents

Be sure to replace <YOUR_AZURE_ORG>, <YOUR_PROJECT_NAME>, and <YOUR_REPO_NAME> with your values.

Enable AI-derived findings

If you'd like Qwiet AI to generate dynamic policies and display AI-derived findings for your application, you can toggle this feature on or off using the AI-derived findings setting. Choose one of the following:

  • Inherit: Inherits the org-level setting (i.e., if you have AI-derived findings enabled for your org, then you'll also have it enabled for the app)
  • Enable: Enable AI-derived findings for only the app
  • Disable: Disable AI-derived findings for the app

Once you've enabled this setting, you'll see AI-derived findings in the results for your application.