Overview of the Repo Scan
Repo Scan allows you to see whether your Infrastructure as Code follows best practices with five clicks.
Repo Scan scans existing Kubernetes or Terraform configuration files stored in a Git repository hosted with a Git provider such as GitHub, Bitbucket, or Azure Git, and analyzes the repository for risks. After Repo Scan analyzes the repository, Styra DAS generates a compliance report using policy libraries that identify best-practice violations (for example, running containers as root or using unencrypted storage).
When you use Repo Scan, a new System is created with auto-initialized rule instances from Styra's best-practices library. These rules are then evaluated against the configured Git repository.
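To make the "running containers as root" check concrete, the following Rego policy is an added example written for this page; it is not code from Styra's best-practices library, and the package name, the violation message format, and the two constructed manifests are assumptions. It flags any container in a Pod or workload template that does not set `securityContext.runAsNonRoot: true`, and carries its own `opa test` cases with one violating and one hardened Deployment.

```rego
package repo_scan.kubernetes

import rego.v1

# Containers of a bare Pod manifest.
input_containers contains c if {
    some c in input.spec.containers
}

# Containers of a workload template (Deployment, StatefulSet, DaemonSet, Job, ...).
input_containers contains c if {
    some c in input.spec.template.spec.containers
}

# Violation: a container that has not opted out of running as root.
# `not` is true both when securityContext is missing and when runAsNonRoot is false.
deny contains msg if {
    some c in input_containers
    not c.securityContext.runAsNonRoot
    msg := sprintf("%s/%s: container %q must set securityContext.runAsNonRoot: true",
        [input.kind, input.metadata.name, c.name])
}

# Constructed sample manifests for the tests below (not taken from any real repository).
root_deployment := {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:1.25"}
    ]}}}
}

hardened_deployment := {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:1.25", "securityContext": {"runAsNonRoot": true}}
    ]}}}
}

test_root_container_is_flagged if {
    count(deny) == 1 with input as root_deployment
}

test_non_root_container_passes if {
    count(deny) == 0 with input as hardened_deployment
}
```

Save this as a `.rego` file and run `opa test .` to execute the two test rules, or evaluate it against a real manifest with `opa eval -i deployment.yaml -d policy.rego 'data.repo_scan.kubernetes.deny'`; an empty set means the manifest passes. A Terraform rule for unencrypted storage follows the same shape, with the `deny` body inspecting the resource attributes instead of container fields.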
Repo Scan requires OAuth 2.0 access to GitHub repositories. The selected repositories are cloned as a short-term process. Rules are run against a GitHub repository using an Open Policy Agent (OPA).
Configuring Repo Scan through the Getting Started wizard only supports a repository hosted on GitHub. To use other Git providers (for example, Bitbucket or Azure Git), refer to creating a Repo Scan System with the API.
Repo Scan does not run analytics on your repository and does not store your code beyond the process used to generate your compliance results.
To remove the GitHub access granted to Repo Scan, go to the GitHub applications page, find the "Styra DAS" entry, and use "Revoke Entry" from the context menu.
Using a Sample Repository
You can test Repo Scan with a public repository, provided by Styra. This option allows you to select "Public repositories" as opposed to "Public and private repositories". The sample repository is Repo Scan. You will need to create a fork of this repository for the repository to appear as an option in the repository selection dialog.
Repo Scan Results
After Repo Scan completes, it opens the compliance view of your new System and displays a list of any identified violations. You can see further details about any violation by selecting a row in the list, which opens a details view. Within the details view, you can further drill down to the policy that flagged the violation through a hyperlink on the rule path.
Using Repo Scan
Use the following steps to run Repo Scan to analyze a GitHub repository for risks.
- Log in to Styra DAS.
- When you create a new Styra DAS account, you will automatically see the Getting Started dialog box, which includes Scan a GitHub Repository. If you do not see the Getting Started dialog box, click Help (the ? icon) and then select Getting Started.
- Select I want to deploy or manage OPAs.
- Click Let’s Get Started.
- Select Scan a GitHub Repository.
- Click Continue. The Select GitHub repository scope pane appears.
- Select your GitHub repository scope, Public and private repositories (recommended) or Public repositories.
- Click Continue.
- The first time you use Repo Scan, the Authorize Styra DAS dialog box appears; click Authorize StyraInc. The Choose a repository to scan pane appears.
- Select any repository whose main (or master) branch contains existing Kubernetes or Terraform configuration files.
- Click Scan Repository. A progress bar appears as the Styra DAS System is created and the repository is scanned. The setup and scan typically take 30 to 45 seconds. Once complete, the Styra DAS UI automatically switches over to the Compliance tab of your newly created Repo Scan System and displays a list of any violations.
- (Optional) If violations are discovered, review each violation and if warranted, make changes in your repository to resolve the violation. Commit the changes to your repository.
- (Optional) Click Scan Again to rescan the repository to confirm any changes are resolved.
Deleting a Repo Scan System
To delete a Repo Scan System complete the following steps.
- Log in to Styra DAS.
- In Systems select your Repo Scan System.
- Click the kebab icon (⋮).
- Click Delete System. A confirmation dialog box appears.
- Type in the name of the System to delete.
- Click Delete.