Configuring Source Code Management
Application Dependency Management (ADM) requires authorization to access the repository.
You must provide this as a token or password that's stored as a secret in a vault. Each of the external source code management tools provide a means of generating the token or password.
This section covers configuring the following repositories: OCI DevOps code repositories, GitHub repositories, and GitLab repositories.
Configuring an OCI DevOps Code Repository
To configure an OCI DevOps code repository, you must first create a repository in the OCI DevOps service if one doesn't exist already. For more information, see Creating a Repository. You can configure only a hosted repository, not a repository mirrored from an external source.
Configuring a GitHub Repository
To configure a GitHub repository, create a personal access token (PAT) using the instructions provided in the GitHub documentation. See Creating a token. The token must follow the principle of least privilege and only have permission to access the repository being monitored by the Application Dependency Management service.
Configure the token with the following parameters:
| Parameter | Setting |
|---|---|
| Expiration | Select a time period appropriate to the project. |
| Repositories | Select the top-level option. |
| Workflow | Select the workflow. This is applicable only if you're using the GitHub repository for the build workflow. Use the same token to configure the GitHub build workflow. |
Immediately copy the token to a secure location because you can't retrieve the token later. Store the token as a secret in the vault. See Managing Vault Secrets.
Provide the following information to configure a GitHub repository:
- URL of the repository, for example `https://github.com/example/project`.
- Username for the repository (corresponding to the token).
- Name of the vault and secret containing a personal access token for the repository.
- Branch of the repository that can be audited, for example `main`.
- Path to the project build file relative to the root of the project. If no value is provided, the file `pom.xml` is used.
Access to a GitHub project is granted using the personal access token of a user account. We recommend that you create a machine user account, provide it with the minimal amount of project access that's required (including access to the repository), and add it as a collaborator to the project. For more information, see Machine users.
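As an added example (not part of the OCI documentation or OCI's code), the following Python check verifies that a GitHub classic personal access token carries only the scopes described above, so that an over-privileged token is caught before it is stored in the vault. It assumes the token is supplied in a `GITHUB_PAT` environment variable and relies on the `X-OAuth-Scopes` response header that GitHub returns for classic tokens (fine-grained tokens do not send it).

```python
"""Audit a GitHub classic PAT against the least-privilege scope set that
Application Dependency Management needs (example code, not OCI's)."""
import os
import sys
import urllib.request

# Scopes the documentation calls for: "repo" (the top-level Repositories
# option) and, only when the same token also drives the build, "workflow".
REQUIRED_SCOPES = {"repo"}
OPTIONAL_SCOPES = {"workflow"}


def parse_scope_header(header_value):
    """Turn the X-OAuth-Scopes header value ('repo, workflow') into a set."""
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_scopes(granted, required=REQUIRED_SCOPES, optional=OPTIONAL_SCOPES):
    """Return (missing, excess): scopes the token lacks but needs, and
    scopes it holds beyond what ADM requires (a least-privilege violation)."""
    missing = set(required) - granted
    excess = granted - set(required) - set(optional)
    return missing, excess


def fetch_github_scopes(token, api_url="https://api.github.com/user"):
    """Ask GitHub which scopes a classic PAT carries; GitHub reports them in
    the X-OAuth-Scopes response header of any authenticated API call."""
    req = urllib.request.Request(
        api_url, method="HEAD", headers={"Authorization": f"token {token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return parse_scope_header(resp.headers.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    token = os.environ.get("GITHUB_PAT")  # assumed env var; never hard-code
    if not token:
        sys.exit("set GITHUB_PAT to the token under review")
    missing, excess = audit_scopes(fetch_github_scopes(token))
    if missing:
        print("token lacks required scope(s):", ", ".join(sorted(missing)))
    if excess:
        print("token holds unneeded scope(s):", ", ".join(sorted(excess)))
    sys.exit(1 if (missing or excess) else 0)
```

A non-zero exit means the token should be regenerated with the Repositories option only (plus Workflow when the build workflow needs it) before it is stored as a vault secret.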
Configuring a GitLab Repository
To configure a GitLab repository, create a personal access token (PAT) using the instructions provided in the GitLab documentation. See Create a personal access token. The token must follow the principle of least privilege and only have permission to access the repository being monitored by the Application Dependency Management service.
Configure the token with the following permissions:
| Permission | Description |
|---|---|
| api | Scope for creating merge requests. |
| read_repository, write_repository | Scope for `git clone` and `git push`. |
Immediately copy the token to a secure location because you can't retrieve the token later. Store the token as a secret in the vault. See Managing Vault Secrets.
Provide the following information to configure a GitLab repository:
- URL of the repository, for example `https://gitlab.com/example/project`.
- Username for the repository (corresponding to the token).
- Name of the vault and secret containing a personal access token for the repository.
- Branch of the repository that's audited, for example `main`.
- Path to the project build file relative to the root of the project. If no value is provided, the file `pom.xml` is used.
Access to a GitLab project is granted using the personal access token of a user account. We recommend that you create a service account (a separate account that's authorized to access GitLab APIs), provide it with the minimal amount of project access that's required (including access to the repository), and add it as a collaborator to the project.