Sorts in your CI/CD pipeline

The CI/CD mode lets developers use Sorts to analyze a commit pushed to a repository and estimate the probability that each file in that commit is vulnerable. Based on the mean probability across all the files in the commit, Sorts can update the rules for merging the commit into the main branch, so that riskier files get the extra attention you deem necessary.

CI/CD Mode Usage

To use the Sorts CI/CD mode correctly you need a configuration file that specifies how Sorts should handle the commits it analyzes. By default, Sorts looks for a file called sorts_config.yaml in the root of your repository; you can also point it at another path with the --config flag. The file must be written in YAML. The following is an example of a valid configuration file:

```yaml
ci:
  enable: true
  max_risk: 70
  platform: gitlab
  required_approvals: 2
  approvers: ["user-1", "user-2"]
  token: ENV_VAR_CONTAINING_API_TOKEN
```

Let's take a look at the function of each parameter:

  • enable: Quickly enables or disables Sorts in your pipeline.

  • max_risk: The highest mean risk a commit may have before more approvers must be assigned.

  • platform: The platform you use for your development pipeline.

  • required_approvals: The number of approvals you consider necessary when a commit goes over max_risk.

  • approvers: The specific users who can approve a commit that goes over max_risk. Leave this parameter empty to indicate that any developer in the repository can approve.

  • token: The name of an environment variable containing a token with API access, which Sorts uses to change the approval rules for the commit.

    Tip

    Never write the token itself in the configuration file: that would expose sensitive information in your source code. Sorts only reads the name of the environment variable that holds the token, never the token value.

After creating the configuration file and committing it to your repository, you can run the Sorts CI mode through our Makes container in your pipeline. For example, in GitLab:

```yaml
# .gitlab-ci.yml
/sorts:
  image: ghcr.io/fluidattacks/makes/amd64:23.06
  script:
    - m gitlab:fluidattacks/universe@trunk /sorts /platform/path/to/repository
```

When someone then attempts to merge their commit into the repository, Sorts assigns additional approvers based on the commit's mean risk and the configuration file you defined.
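To make the parameters and the merge rule above concrete, here is an added example (not part of Sorts or its documentation) that validates a parsed sorts_config.yaml, rejects a token field that holds a literal secret instead of an environment variable name, computes the mean risk of a commit from per-file probabilities, and decides how many extra approvals to require. It assumes risk values are percentages (0-100, matching max_risk: 70), that a commit is "over" the threshold when its mean risk is strictly greater than max_risk, and that the config has already been parsed into a dict (a constructed sample is embedded so it runs offline).

```python
import os
import re

# Constructed sample: the parsed form of a sorts_config.yaml like the one above,
# embedded inline (instead of loaded with a YAML library) so this runs offline.
SAMPLE_CONFIG = {
    "ci": {
        "enable": True,
        "max_risk": 70,
        "platform": "gitlab",
        "required_approvals": 2,
        "approvers": ["user-1", "user-2"],  # empty list: any developer may approve
        "token": "SORTS_API_TOKEN",  # name of an environment variable, never the secret
    }
}
ENV_VAR_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")


def validate_ci_config(config: dict) -> dict:
    """Return the `ci` section after checking the fields documented above."""
    ci = config["ci"]
    if not 0 <= ci["max_risk"] <= 100:
        raise ValueError("max_risk must be a percentage between 0 and 100")
    # `token` must be the *name* of an environment variable; anything that does not
    # look like one (for example a pasted secret) is rejected so it is never committed.
    if not ENV_VAR_NAME.match(ci["token"]):
        raise ValueError("token must name an environment variable, not hold a secret")
    return ci


def resolve_token(ci: dict, environ=os.environ) -> str:
    """Read the API token from the environment variable named in the config."""
    token = environ.get(ci["token"])
    if not token:
        raise RuntimeError(f"environment variable {ci['token']} is not set")
    return token


def mean_risk(file_probabilities: dict) -> float:
    """Mean vulnerability probability (as a percentage) over the files in the commit."""
    if not file_probabilities:
        return 0.0
    return sum(file_probabilities.values()) / len(file_probabilities)


def merge_requirements(config: dict, file_probabilities: dict) -> dict:
    """Extra approvals to require on the merge request (assumed rule: risk > max_risk)."""
    ci = validate_ci_config(config)
    risk = mean_risk(file_probabilities)
    if ci["enable"] and risk > ci["max_risk"]:
        return {"risk": risk, "extra_approvals": ci["required_approvals"], "approvers": ci["approvers"]}
    return {"risk": risk, "extra_approvals": 0, "approvers": []}
```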