...

We understand that not everyone feels comfortable executing remote scripts. That is why there are two ways of setting up WhiteSource Diffend, and you can choose the one that suits you better.

...

  1. Navigate to your organization projects list.

  2. Click on the Setup button.

  3. In the setup view, navigate to the By applying changes manually section.

  4. To set up WhiteSource Diffend, create a .diffend.yml file in the main directory of the project and copy-paste the configuration settings from the UI.

  5. Follow the remaining instructions specific to the package manager you are using.

...

  1. Navigate to your organization projects list.

  2. Click on the Setup button.

  3. In the setup view, navigate to the With our setup script (Ruby only) section.

  4. Copy the displayed command into your shell and press Enter.


Once you've executed the script, you will end up with a URL pointing to your first security verdict.

...

Info

The easiest way to set up your project is to run the install script and follow the instructions.

Running Diffend Checks

The WhiteSource Diffend plugin runs automatically when the following commands are executed:

...

Whenever you run any of those commands, WhiteSource Diffend will make sure that the packages you are trying to download or use are safe and that they meet all the requirements of the organization. This process is fully automatic and you do not have to do anything.

The secure command can be used as a separate step in a CI/CD pipeline to ensure everything is as expected.

If WhiteSource Diffend stops the bundle process, it exits with exit code 1 and prints the security verdict URL, which you can visit for more details.
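The following is an added example, not part of the WhiteSource Diffend documentation or the plugin itself: a small POSIX sh wrapper for running the secure command as a CI step. It relies only on the behaviour described above (exit code 1 on a block, verdict URL printed to the output); the URL pattern, the overridable command argument and the helper names are assumptions made so the step can be exercised without a real Bundler setup.

```shell
#!/bin/sh
# Added example: CI-step wrapper around `bundle secure`.
# Assumptions (not from the docs): the verdict URL is the first http(s) URL
# in the command output, and the command can be overridden for local testing.

# verdict_url_from_output <text>
# Extracts the first http(s) URL from captured output; used to surface the
# security verdict page in the CI log when the bundle is blocked.
verdict_url_from_output() {
  printf '%s\n' "$1" | grep -Eo 'https?://[^[:space:]]*' | head -n 1
}

# run_secure_check [command]
# Runs the check (default: `bundle secure`), captures its output and exit
# status, prints the verdict URL on a block, and returns the original status
# so the pipeline stage fails exactly when Diffend blocked the bundle.
run_secure_check() {
  cmd="${1:-bundle secure}"
  out="$($cmd 2>&1)"
  status=$?
  if [ "$status" -eq 0 ]; then
    echo "diffend: allow verdict, continuing"
    return 0
  fi
  url="$(verdict_url_from_output "$out")"
  echo "diffend: bundle blocked (exit $status); verdict: ${url:-<no URL in output>}" >&2
  return "$status"
}

# In a CI job this is the whole step:
#   run_secure_check || exit $?
```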

Info

WhiteSource Diffend won't stop the execution of any exec commands. Instead, if needed, it issues a warning verdict in the UI.

Info

WhiteSource Diffend works automatically each time you run bundle commands.

...

Security verdicts are an essential part of WhiteSource Diffend. They ensure that all of your organization's requirements are met in the context of each bundle operation. That way we can prevent the usage of packages and package versions that could cause engineering and legal harm.

...

Any non-allow verdict means that something does not meet your organization's security and quality requirements.

...

Note: Direct package and version usage overrides on the verdict page do not work for all the guards yet.

...

Info

WhiteSource Diffend is configurable because a single optimal set of settings does not exist. A lot depends on the type of organization you are in, projects you build, and customers you have.

If you have any doubts or need any help figuring out a proper setup for yourself, don't hesitate to contact us.

...

Setting up maximum verdict for particular commands

When using WhiteSource Diffend in a legacy system, you may notice that getting things to a stable and secure state can take a while.

To prevent WhiteSource Diffend from blocking all of the commands, you may lower the maximum verdict it reports.

...

Continuous Integration and Delivery environment setup

WhiteSource Diffend protects every crucial bundle command out of the box, but you can still easily set it up as a separate step within your Continuous Integration and Delivery system.

...

Deployment and production environment setup

WhiteSource Diffend requires minimal effort to make it work with the majority of ways you can deploy your applications. If there are no hints below for your way of deployment, it means that all you need to do is:

...

Info

Notifications are a great way to make sure that your team becomes aware of emerging vulnerabilities the moment they are detected.

Connecting WhiteSource Diffend to Slack

  1. Navigate to the Notifications settings page of your organization.

  2. Press the here link visible in the information box. You will be redirected to the Slack platform settings page.

  3. Select a channel where you want WhiteSource Diffend to post security notifications and press the Allow button.

  4. You will be redirected back to the WhiteSource Diffend notification settings page and a Slack welcome message will be sent to your workspace channel.

Notifications events

WhiteSource Diffend sends messages based on events that occur while protecting your applications. Below you can find a list of the events that trigger notifications, together with their short descriptions and other useful details.

Event: New bundle state detected

  • Event type: Information
  • Command: bundle exec
  • Environment: Other than development and test
  • Description: WhiteSource Diffend emits a message based on this event whenever you deploy changes to your Gemfile that affect the given environment. Awareness of newly updated libraries being deployed can help you debug when your new code presents unexpected behaviors.

Event: New verdict detected

  • Event type: Warning
  • Command: bundle exec
  • Environment: Other than development and test
  • Description: WhiteSource Diffend emits a message based on this event whenever the verdict associated with your deployment has changed.

Event: Bundle secure execution alert

  • Event type: Warning
  • Command: bundle secure
  • Environment: Any
  • Description: WhiteSource Diffend emits a message based on this event whenever there is anything in your Gemfile that requires attention.

...

Yes. This file contains only shareable keys with write-only permissions. The only thing you need to keep in mind in the case of an open-source project is that you will see the results of all the security checks of whoever runs your project.

...


Do you send private packages credentials to your servers?

No. All private repository credentials and other private data are stripped away before anything is sent to us.

...

First of all, try to reinstall the plugin by running the following commands in your project root directory:

...


Does WhiteSource Diffend take into consideration Bundler groups?

...

That is why it is essential to use both the plugin and the monitor to integrate WhiteSource Diffend within your CI system.

...