Jit for Developers

Overview

This section uses an example scenario to illustrate how developers use Jit in day-to-day operations.

📘

While the product security champion is responsible for deploying Jit and managing the product security plan, developers are responsible for acting on the security findings that Jit raises in their pull requests during day-to-day work.
Jit provides developers with a native GitHub experience that keeps them in the environment they are used to, without having to context switch to a separate third-party tool.

Example

1. Developer Creates the Pull Request

Code-layer security requirements run when a developer creates a pull request via CLI, IDE or — as in this example — GitHub. In this scenario, the developer's code changes contain the vulnerable Python code below: an untrusted value (`domain`) is interpolated into a command string that is passed to the shell with `shell=True`, which allows command injection.

import subprocess
# `domain` is untrusted input (for example, a request parameter). Interpolating it into a
# shell string with shell=True lets an attacker append commands; Bandit reports this as B602.
output = subprocess.check_output(f"nslookup2 {domain}", shell=True, encoding='UTF-8')

📘

Note

In this scenario, branch protection rules are configured to prevent merging if the Jit Security check fails. Jit Security acts as a parent check that only succeeds when all other Jit checks in the pull request are also successful.

2. Welcome Message Displays

The developer views the welcome message in the pull request conversation. This message presents the security plan and its constituent security requirements, which are automatically implemented by Jit. Each developer in the monitored organization receives this message a single time.

3. Jit Checks Run

Jit listens to pull requests and examines their content. If the code language is supported, Jit automatically implements the relevant security requirements, which run as GitHub Actions checks. In this example, Jit runs Bandit, OWASP Dependency Check, and Gitleaks.

The Python Code Scanning (Bandit) check fails. Branch protection rules require this check to pass before the pull request can be merged. As a result, the option to merge is disabled.

4. Developer Views Security Findings

Jit displays any security requirement findings in the pull request conversation using a common, unified format.
For each finding, Jit presents the following:

📘

Finding Format

Sample of flagged code: An excerpt of the code that triggered the finding.

Security tool: The security tool that produced this finding.

Type: This information varies by security tool. In this example, it is the specific Bandit (Python code scanner) test used to detect this type of vulnerability.

Description: This information varies by security tool. In this example, it is the description text for the Bandit test used to detect this type of vulnerability, retrieved from Bandit's documentation.

Severity: The severity level of this finding.

Learn more about this issue: A link to documentation on the security finding type.

Additionally, security findings display as notifications in Slack. For information on integrating Slack, and other tasks related to the Security Champion role, see Integrating with Slack in the Security Champion Experience.

5. Developer Dismisses Security Findings

Developers can bypass the failing check if they have reason to believe the finding is a false positive, or if they intend to resolve the issue later. The developer issues the #jit_ignore_finding command in a pull request comment to ignore this finding. The Jit bot confirms the operation with a thumbs-up emoji.

📘

Jit Bot Commands

#jit_ignore_finding — Ignore the specific finding in this repo.
#jit_ignore_type_this_repo — Ignore any finding of this type in this repo.
#jit_undo_finding — Undo the ignore command made on the specific finding in this repo.

📘

Note

As shown in this example, it is possible for a user who does not have privileges to change branch protection rules to circumvent them using Jit bot commands. Jit recommends updating your organization's standard operating procedures to ensure that stakeholders are consulted before the decision to ignore a finding is made.

6. All Checks Pass

There are two ways to unlock the option to merge the pull request.

A. The developer fixes the finding and pushes the change, which re-runs the checks.
B. The developer runs a Jit bot command to ignore the finding.

In both cases all status checks succeed, and the option to merge is enabled.
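The flagged line from step 1 beside a hardened replacement, as an added example that is not part of the original page or of Jit's own code. It assumes `nslookup` is the intended binary (the page shows `nslookup2`); the hostname validation rule, the sample inputs, and the use of `echo` as a harmless stand-in for `nslookup` in the injection demonstration are this example's own choices, so it runs offline.

```python
import re
import subprocess

# Constructed sample inputs for this example (not from the original page).
SAFE_DOMAIN = "example.com"
HOSTILE_DOMAIN = "example.com; echo INJECTED"

# Hostname grammar (RFC 1123 labels): letters, digits and hyphens, no leading or
# trailing hyphen, labels of at most 63 characters, 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def vulnerable_command(domain: str) -> str:
    """The pattern Bandit flags (B602): the value becomes part of a shell string.
    With shell=True that string goes to /bin/sh, which treats ';', '|' and '$(...)'
    as shell syntax rather than as characters of a hostname."""
    return f"nslookup {domain}"


def demonstrate_injection(domain: str) -> str:
    """Runs the vulnerable pattern with `echo` standing in for nslookup so the
    example is harmless and offline. If a second command was injected, its
    output appears in the returned text."""
    return subprocess.check_output(f"echo {domain}", shell=True, encoding="UTF-8")


def is_valid_domain(domain: str) -> bool:
    """Allow-list check: only syntactically valid hostnames pass."""
    return len(domain) <= 253 and _HOSTNAME_RE.fullmatch(domain) is not None


def validate_domain(domain: str) -> str:
    if not is_valid_domain(domain):
        raise ValueError(f"refusing suspicious hostname: {domain!r}")
    return domain


def hardened_argv(domain: str) -> list[str]:
    """Argument vector for subprocess without a shell: the validated hostname is a
    single argv element, so it can never turn into a second command."""
    return ["nslookup", validate_domain(domain)]


def run_lookup(domain: str) -> str:
    """Hardened replacement for the flagged line: no shell, validated input.
    Not exercised here because it would contact a DNS resolver."""
    return subprocess.check_output(hardened_argv(domain), encoding="UTF-8", timeout=10)


if __name__ == "__main__":
    print("vulnerable pattern, hostile input ->", repr(demonstrate_injection(HOSTILE_DOMAIN)))
    print("hardened argv, safe input ->", hardened_argv(SAFE_DOMAIN))
    try:
        hardened_argv(HOSTILE_DOMAIN)
    except ValueError as exc:
        print("hardened argv, hostile input ->", exc)
```

Fixing the finding this way (option A) removes the `shell=True` call that Bandit matches, so the Python Code Scanning check passes on the next run without any bot command; the validation step is what keeps the replacement safe even if the caller later forgets that `domain` is untrusted.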


What’s Next

For comprehensive information on Jit's available security requirements, see the Security Plan Reference.