IaC Security FAQs
Pull Requests
How do I control when pull request status checks pass or fail?
Pull request status checks will fail when all of the following are true:
- One or more CRITICAL or HIGH findings are found in the pull request. This can be configured. See below.
- The findings in the head branch of the pull request differ from the findings in the base branch.
The logic behind (1) is that you probably don't care about MEDIUM and LOW severity findings enough to block the pull request.
The logic behind (2) is that if the pull request does not alter the security posture of your code, there is no reason to fail the pull request status check. For example, if the PR only changes a README, there is no reason to fail the PR status check.
How do I control the pull request status check thresholds?
Create a file called .lacework/config.yml in your repository. In it, add the following:
pr_status_thresholds:
  critical: 0
  high: 0
  medium: 999
  low: 999
You can adjust these default values to suit your needs.
When are pull request comments added?
Pull request comments are added when both of the following are true:
- There is a change in findings between the feature and base branch. If the pull request didn't alter the findings, there will be no comment added.
- The pull request commit status check was set to failed. By default, PR status checks will be set to failed if there are one or more critical or high findings.
We are trying to minimize the total amount of noise from pull request comments. They are very helpful to have, but they can be quite irritating if there are too many.
Pull request comments can be disabled entirely.
How do I enable/disable pull request comments?
In your repository, add a file .lacework/config.yml. Inside that file, set pr_comments_enabled to false:
pr_comments_enabled: false
This will disable pull request comments for this repo.
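The two rules above (a status check fails only when findings changed between base and head AND a severity count exceeds its pr_status_thresholds value; a comment is posted only when that check fails and comments are enabled) can be modelled as follows. This is an added illustration, not iacbot's own code: the findings, the config dict standing in for .lacework/config.yml, and the assumption that thresholds are applied to the findings in the head branch scan are all constructed here.

```python
from collections import Counter

# Constructed stand-in for the defaults in .lacework/config.yml.
DEFAULT_THRESHOLDS = {"critical": 0, "high": 0, "medium": 999, "low": 999}

# A finding is modelled as (rule_id, file_path, severity); these names are hypothetical.
Finding = tuple


def findings_changed(base: list[Finding], head: list[Finding]) -> bool:
    """Rule (2): the head branch's findings differ from the base branch's."""
    return set(base) != set(head)


def over_threshold(head: list[Finding], thresholds: dict = DEFAULT_THRESHOLDS) -> bool:
    """Rule (1): some severity count in the head branch exceeds its threshold.

    Assumption: thresholds are applied to the head branch scan, so a threshold of 0
    means 'one or more findings of this severity fails the check'.
    """
    counts = Counter(severity.lower() for (_, _, severity) in head)
    return any(counts[sev] > limit for sev, limit in thresholds.items())


def status_check_fails(base, head, thresholds: dict = DEFAULT_THRESHOLDS) -> bool:
    """The status check fails only when BOTH rules hold."""
    return findings_changed(base, head) and over_threshold(head, thresholds)


def comment_added(base, head, thresholds: dict = DEFAULT_THRESHOLDS,
                  pr_comments_enabled: bool = True) -> bool:
    """A PR comment is posted only on a failed check, and only if comments are enabled."""
    return pr_comments_enabled and status_check_fails(base, head, thresholds)


if __name__ == "__main__":
    # Constructed sample: the base branch already carries one CRITICAL finding.
    base = [("S3_BUCKET_PUBLIC", "main.tf", "CRITICAL")]
    readme_only = list(base)                                   # scan unchanged
    adds_high = base + [("IAM_WILDCARD", "iam.tf", "HIGH")]    # new HIGH finding
    fixes_all: list[Finding] = []                              # CRITICAL removed
    print("README-only PR fails:", status_check_fails(base, readme_only))  # False
    print("PR adding HIGH fails:", status_check_fails(base, adds_high))    # True
    print("PR fixing CRITICAL fails:", status_check_fails(base, fixes_all))  # False
```

Raising `high` in the thresholds to 5 lets the same PR with one new HIGH finding pass, which is the knob the config file above exposes.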
Git Providers
Do you support GitLab?
Yes. You can run iacbot with gitlab.com by integrating the iacbot through Soluble.
Do you support Bitbucket?
Yes. You can run iacbot with Bitbucket.org by integrating the iacbot through Soluble.
Github Organizations
My Organization Is Not Visible
If you don't see your GitHub organization in the upper right of the iacbot dashboard, you may not have the GitHub app installed in the GitHub org.
To verify this, go to the GitHub iacbot App and make sure that the app is correctly installed.
If this still does not correct the problem, you may need to go to the GitHub Application Settings.
Under the "Authorized OAuth Apps" tab, select "Lacework IaC Security" and verify that the GitHub organization is granted access.
Click Grant next to your Organization (as shown above). After you have done that, you will need to sign out and sign back in to Lacework IaC Security.
I See A Github Organization I Don't Want/Need
Similar to the previous FAQ, you may need to go to the GitHub Application Settings.
Under the "Authorized OAuth Apps" tab, select "Lacework IaC Security" and deselect organizations that you do not want Lacework IaC Security to access.
Note: If you have multiple Lacework accounts and wish to map different GitHub organizations to different Lacework accounts, you may need to use a separate GitHub user account for each Lacework account in order to permit or deny organization access to meet your needs.