Skip to main content

IaC Security FAQs

Pull Requests

How do I control when pull request status checks pass or fail?

Pull request status checks will fail when all of the following are true:

  1. One or more CRITICAL or HIGH findings are found in the pull request. This can be configured. See below.
  2. The findings in the head branch of the pull request differ from the findings in the base branch.

The logic behind (1) is that you probably don't care about MEDIUM and LOW severity findings enough to block the pull request.

The logic behind (2) is that if the pull request is not altering the security posture of your code, there is not a reason to fail the pull request status check. For example, if the PR is a change to a README, there is no reason to fail the PR status check.

How do I control the pull request status check thresholds?

Create a file called .lacework/config.yml in your repository.

In it, add the following:

pr_status_thresholds:
critical: 0
high: 0
medium: 999
low: 999

You can adjust these default values to suit your needs.

When are pull request comments added?

Pull request comments are added when both of the following are true:

  1. There is a change in findings between the feature and base branch. If the pull request didn't alter the findings, there will be no comment added.
  2. The pull request commit status check was set to failed. By default, PR status checks will be set to failed if there are one or more critical or high findings.

We are trying to minimize to total amount of noise from pull request comments. It is very helpful to have them, but can be quite irritating if there are too many.

Pull request comments can be disabled entirely.

How do I enable/disable pull request comments?

In your repository, add a file .lacework/config.yml. Inside that file, set pr_comments_enabled to false:

pr_comments_enabled: false

This will disable pull request comments for this repo.

Git Providers

Do you support GitLab?

Yes. You can run iacbot with gitlab.com by integrating the iacbot through Soluble.

Do you support Bitbucket?

Yes. You can run iacbot with Bitbucket.org by integrating the iacbot through Soluble.

Github Organizations

My Organization Is Not Visible

If you don't see your GitHub organization in the upper right of the iacbot dashboard, you may not have the GitHub app installed in the GitHub org.

To verify this, go to the GitHub iacbot App

And make sure that the app is correctly installed.

If this still does not correct the problem, you may need to go to the GitHub Application Settings.

Under the "Authorized OAuth Apps" tab, select "Lacework IaC Security" and verify that the GitHub organization is granted access.

Grant OAuth permissions

Click Grant next to your Organization(as shown above). After you have done that, you will need to sign out and sign back in to Lacework IaC Security.

I See A Github Organization I Don't Want/Need

Similar to the previous FAQ, you may need to go to the GitHub Application Settings.

Under the "Authorized OAuth Apps" tab, select "Lacework IaC Security" and deselect organizations that you do not want Lacework IaC Security to access.

Grant OAuth permissions

note

If you have multiple Lacework accounts and wish to map different Github organizations to different Lacework accounts, you may need to use a separate Github user account for each Lacework account in order to permit or deny organization access to meet your needs.