
Configuring NShiftKey setting via security_check.rc

You can configure NShiftKey settings via a security_check.rc file at the root of the repository. security_check.rc is a JSON file, and its items are as follows.

For more detailed examples of case-specific exception handling using the security_check.rc, please refer here.

The settings of ExcludeDir, ExcludeFile, and ExcludeCheckRule do not apply to open source vulnerability check.

ReportLevel

You can set the security vulnerability level to be reported. The security vulnerability level is set to High, Medium, and Low depending on the severity. (Default: 3)

ReportLevel applies to all checks (code security check, sensitive data leakage check, open source vulnerability check, SonarQube bug, SonarQube code smell).

Value Coverage
1 Report vulnerabilities with high risk level
2 Report vulnerabilities with high, medium risk levels
3 Report vulnerabilities with high, medium, and low risk levels

ExcludeDir

You can set folders to exclude from the report results. If you enter a folder path, all results whose path includes the entered folder path will be excluded. (Default: Disable)

Paths are relative to the root of the repository. For example, to exclude src/test from the repository (test1) in the figure below, you must enter src/test, not test1/src/test.

ExcludeFile

You can set files to exclude from the report results. If you enter a filename, all results for that filename will be excluded. (Default: Disable)

ExcludeCheckRule

You can set detection rules to exclude from the report results. If you enter a detection rule, all results produced by that rule will be excluded from the report. (Default: Disable)

ScanFileExtension

You can restrict analysis to specific file extensions. Only files with the entered extensions will be analyzed. (Default: Disable)

DifferentialAnalysis

You can set NShiftKey to analyze only modified files. Please refer here (link). (Default: Disable)

Value Description
0 Disable
1 Enable

DynamicReportAutoClose

As soon as NShiftKey registers a dynamic analysis result as an issue, the issue can be closed automatically. (Default: Disable)

Value Description
0 Disable
1 Enable

SonarVulnSeverityLevel

You can set the severity level down to which SonarQube's Vulnerability issue type is reported. (Default: 5)

Value Description
1 Report vulnerabilities with BLOCKER
2 Report vulnerabilities with BLOCKER, CRITICAL
3 Report vulnerabilities with BLOCKER, CRITICAL, MAJOR
4 Report vulnerabilities with BLOCKER, CRITICAL, MAJOR, MINOR
5 Report vulnerabilities with BLOCKER, CRITICAL, MAJOR, MINOR, INFO

SonarBugSeverityLevel

You can set the severity level down to which SonarQube's Bug issue type is reported. (Default: 2)

Value Description
1 Report bugs with BLOCKER
2 Report bugs with BLOCKER, CRITICAL
3 Report bugs with BLOCKER, CRITICAL, MAJOR
4 Report bugs with BLOCKER, CRITICAL, MAJOR, MINOR
5 Report bugs with BLOCKER, CRITICAL, MAJOR, MINOR, INFO

SonarCodeSmellSeverityLevel

You can set the severity level down to which SonarQube's Code smell issue type is reported. (Default: 1)

Value Description
1 Report code smells with BLOCKER
2 Report code smells with BLOCKER, CRITICAL
3 Report code smells with BLOCKER, CRITICAL, MAJOR
4 Report code smells with BLOCKER, CRITICAL, MAJOR, MINOR
5 Report code smells with BLOCKER, CRITICAL, MAJOR, MINOR, INFO

PullRequestComment

Report findings in newly added or modified content as pull request comments. (Default: Disable)

Value Description
0 Disable
1 Enable

If the Locking conversations function is turned on, no comment is generated. If you need comments to be created, you must turn that function off.

Precautions

The security_check.rc file must exist in the destination branch of the pull request. A security_check.rc in any other branch is not applied.

Wildcard characters (*) are not allowed within the security_check.rc file.

README.md and security_check.rc files are excluded from the scan by default.
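The option semantics above, together with the wildcard rule in Precautions, modelled as a small validator and result filter. This is an added example, not NShiftKey's own code; it assumes security_check.rc is a flat JSON object keyed by the option names, that ExcludeDir, ExcludeFile, ExcludeCheckRule and ScanFileExtension are JSON arrays of strings, that ExcludeDir matches root-relative paths, and that finding records carry check, severity, path and rule fields (all of these are assumptions).

```python
# Added example, not NShiftKey's code. Assumed: flat JSON object keyed by the
# option names; Exclude*/ScanFileExtension are arrays of strings; findings are
# dicts with 'check' ("code" or "opensource"), 'severity', 'path' and 'rule'.
import json
import posixpath

SEVERITY_RANK = {"High": 1, "Medium": 2, "Low": 3}  # matches ReportLevel 1..3
INT_RANGES = {"ReportLevel": (1, 3), "DifferentialAnalysis": (0, 1),
              "DynamicReportAutoClose": (0, 1), "PullRequestComment": (0, 1),
              "SonarVulnSeverityLevel": (1, 5), "SonarBugSeverityLevel": (1, 5),
              "SonarCodeSmellSeverityLevel": (1, 5)}
LIST_KEYS = ("ExcludeDir", "ExcludeFile", "ExcludeCheckRule", "ScanFileExtension")


def load_rc(text):
    """Parse security_check.rc text and enforce the documented constraints."""
    if "*" in text:  # wildcards are not allowed anywhere in the file
        raise ValueError("wildcard '*' is not allowed in security_check.rc")
    cfg = json.loads(text)
    for key, (lo, hi) in INT_RANGES.items():
        if key in cfg and not (type(cfg[key]) is int and lo <= cfg[key] <= hi):
            raise ValueError(f"{key} must be an integer in [{lo}, {hi}]")
    for key in LIST_KEYS:
        if key in cfg and not all(isinstance(v, str) for v in cfg[key]):
            raise ValueError(f"{key} must be a list of strings")
    cfg.setdefault("ReportLevel", 3)  # documented default: report all levels
    return cfg


def _under(path, folder):
    # "src/test" excludes src/test itself and everything below it (root-relative)
    return path == folder or path.startswith(folder.rstrip("/") + "/")


def is_reported(cfg, finding):
    """True if a finding survives ReportLevel and the exclusion settings."""
    if SEVERITY_RANK[finding["severity"]] > cfg["ReportLevel"]:
        return False  # ReportLevel applies to every check type
    if finding["check"] == "opensource":
        return True  # Exclude* settings do not apply to the OSS vuln check
    path = finding["path"]
    if any(_under(path, d) for d in cfg.get("ExcludeDir", [])):
        return False
    if posixpath.basename(path) in cfg.get("ExcludeFile", []):
        return False
    return finding["rule"] not in cfg.get("ExcludeCheckRule", [])
```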