Manage and secure Git code repositories

As an application owner or platform administrator, you need to ensure your code repositories aren’t at risk from libraries that have reached end of support (EOS) or suffer from security vulnerabilities that require updates. You can onboard and monitor your Git repositories in Tanzu Platform hub to view and update the status of your libraries.

This topic explains how to configure a Git repository in the hub, run an analysis on repositories, and review results.

Configure a new Git repository

Before you can run an analysis on a Git repository, you must configure it in Tanzu Platform hub. The hub can only analyze repositories hosted on GitHub and GitLab.

To collect data from repositories, configure a worker group running in your environment; the worker group publishes data to the hub running as SaaS. A worker group is a set of workers (containers) that run in the customer environment and publish data to the hub. A platform administrator configures the Git server URL to collect data from and provides credentials that have access to one or more repositories under that URL.

Git data collection is configured at organization scope, so it is not tied to any individual project.

  1. In your local environment, provision a Windows or a Linux virtual machine to host the Git worker.

  2. Install Docker on the virtual machine. See Install Docker engine for more information.

  3. Verify the Docker engine is installed by running the command:

    docker --version
    
  4. In Tanzu Platform hub, click Setup & Configuration > Worker Groups.

  5. Click New Git Worker Group to create a new group.

  6. Expand the first panel, then fill in the Worker Group Name and Description fields.

    Note:
    Only Tanzu Hub administrators can create a worker group. If needed, contact your Tanzu Platform administrator to request the Tanzu_hub_admin role.

    Create a new Git Worker Group

  7. Copy the Worker deployment script provided on the second panel. Replace the following placeholder values with the actual values:

    Placeholder value     Description
    Refresh Token         See Generate a refresh token below.
    GIT_TYPE              GitHub or GitLab
    GIT_ENDPOINT          The URL to your repository
    GIT_PERSONAL_TOKEN    A personal access token set up in GitHub or GitLab.

  8. Run the Worker deployment script in the command line for the machine that will host the worker group.

  9. Click Finish.

The newly created worker group will be listed in the Git Worker group view.

Note:
It is common practice to configure one worker group per Git server URL. Once the worker starts running, it lists all the repositories accessible to the supplied credentials. These repositories can then be selected for analysis as described in Run an analysis on a repository below.
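The Worker deployment script in step 7 is generated by the hub, so its contents are not reproduced here. The following pre-flight check is an added example, not part of the Tanzu Platform hub documentation or its script: run it on the worker VM before step 8 to confirm that every placeholder from the table above was replaced, that GIT_TYPE and GIT_ENDPOINT are well formed, and that Docker is present. It reads the values from environment variables so the tokens are never pasted into a script file; the variable name TANZU_REFRESH_TOKEN for the Refresh Token value is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight validation for the values that replace the
# placeholders in the Worker deployment script. Not part of the hub's script.
# Variable names follow the placeholders on this page; TANZU_REFRESH_TOKEN is
# an assumed name for the "Refresh Token" value.

# Return 0 when a value is usable, 1 when it is empty, still written as a
# <PLACEHOLDER>, or left equal to the placeholder name itself.
check_value() {
    name="$1"; value="$2"
    case "$value" in
        ""|"<"*">"|"$name")
            echo "ERROR: $name is unset or still a placeholder" >&2; return 1 ;;
    esac
    return 0
}

# GIT_TYPE must be exactly GitHub or GitLab, the only servers the hub analyzes.
check_git_type() {
    case "$1" in
        GitHub|GitLab) return 0 ;;
        *) echo "ERROR: GIT_TYPE must be GitHub or GitLab, got '$1'" >&2; return 1 ;;
    esac
}

# GIT_ENDPOINT must be an https URL so the personal token is not sent in clear text.
check_git_endpoint() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "ERROR: GIT_ENDPOINT must start with https://, got '$1'" >&2; return 1 ;;
    esac
}

# Run every check; non-zero if any fails, so the deployment script can be gated on it:
#   preflight && ./worker-deploy.sh    (worker-deploy.sh is the script copied from the hub)
preflight() {
    rc=0
    check_value GIT_TYPE "$GIT_TYPE" && check_git_type "$GIT_TYPE" || rc=1
    check_value GIT_ENDPOINT "$GIT_ENDPOINT" && check_git_endpoint "$GIT_ENDPOINT" || rc=1
    check_value GIT_PERSONAL_TOKEN "$GIT_PERSONAL_TOKEN" || rc=1
    check_value TANZU_REFRESH_TOKEN "$TANZU_REFRESH_TOKEN" || rc=1
    command -v docker >/dev/null 2>&1 || { echo "ERROR: docker not found on PATH" >&2; rc=1; }
    return $rc
}
```

Export the four variables in the shell session (or load them from a secrets store) before calling preflight, and do not commit them alongside the script.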

Generate a refresh token

After configuring the Git repository for data collection, create an API token in Tanzu Platform cloud services to start the Git worker:

  1. In Tanzu Hub, click your user name, then click My Account.

  2. Click the API Tokens tab, click Generate a New API Token. Enter the required information, and click Generate. The API token can be used as the Refresh Token in the .

  3. Use the API token as the refresh token when running the Worker deployment script.

Run an analysis on a repository

Once you add a repository, you can run an analysis on it to determine the support and vulnerability status of your libraries:

  1. In Tanzu Platform hub, navigate to Applications > Repositories.

  2. Locate the repository you added in the list, then click the checkbox next to it. You can also filter by last commit date or search this list for the repository name.

  3. Click ANALYZE NOW to initiate analysis, or ANALYZE DAILY to schedule analysis daily.

    Wait for the results to populate. You may have to refresh the UI to get the latest state.

The repositories on this list might provide code to multiple applications. You can explore the relationships in more depth by clicking the Apps and Microservices count and navigating to the Application view.

Run a repository analysis

Review the results of a repository analysis

After the scan is complete, you can view the repository to see the findings. For a more granular view, click the repository to see its individual libraries.

You can click a repository in Applications > Repositories to view data about your repository.

Widget: Description

Top Repos with EOS Libraries
    Displays the top five repositories based on maximum benefit that can be achieved with minimum effort. Select the upgrade level between Medium Effort and High Effort to observe the improvement in EOS libraries.

Top Repos with Vulnerabilities
    Displays the top five repositories based on maximum benefit that can be achieved with minimum effort. Select the upgrade level between Low Effort, Medium Effort and High Effort to observe the improvement in vulnerabilities.

Top Recommendations
    Top five recommendations about repositories with a combination of EOS libraries and vulnerable libraries that can be fixed with minimum effort.

Top Repos with EOS Libraries

Top Repos with Vulnerabilities

Top Recommendations

View repository details

To explore the details for a Git repository, click a repository name to open the repository details. The details page provides the following data about your repository.

Widget: Description

Findings
    Provides a summary of libraries that are out of support and libraries that contain vulnerabilities.

Recommendations
    Provides a summary of all libraries that must be upgraded to fix the issues summarized in the Findings widget.

End of Support analytics
    Highlights the current state and a projected state that is possible by upgrading libraries. You can select Medium or High effort, and projections are shown accordingly. This widget includes libraries that are currently at end of support, libraries that will run out of support in three months, and libraries that are in support.

Vulnerability Analytics
    Highlights the current state and a projected state that is possible by upgrading libraries. You can select Low, Medium, or High effort to view the projected vulnerability patches. This widget includes vulnerabilities that are critical, high, moderate and low in terms of criticality.

Spring Runtime Support Status Over Time
    Highlights the count of unsupported and supported libraries and how they vary over a period of time.

Repo details view

Download the report

Click the download button in the top-right corner to download the PDF report for a given repository.

View the details of libraries in a given repository

To view library details, click any repository to see the Libraries view. The Libraries section contains a list of all libraries within the repository and lists their support status and vulnerability status.

Click any library in the list to view detailed information about the library and recommended upgrade version.

Libraries view

Based on the findings and recommendations, decide whether you should perform a patch upgrade (1.0.X), minor upgrade (1.X.0), or major upgrade (X.0.0) on the repository.

Hide repository details

You can keep your repository view focused on the most critical items by hiding repositories that are not of interest or associated with your application or team:

  1. In Tanzu Platform hub, navigate to Applications > Repositories.

  2. Click the checkbox next to any number of repositories you want to hide.

  3. Click Hide.

Hidden repositories don’t appear in the default view. You can make them visible again by clicking the Show Hidden checkbox. When you hide a repository, it is hidden for all users and does not appear in any of the Top Repo widgets.
