Creating a Remediation Recipe

Create a remediation recipe.

  • You must create at least one Knowledge Base. See Creating a Knowledge Base.

    1. Open the navigation menu and click Developer Services. Under App Dependency Management, click Remediation Recipes.
    2. Click Create remediation recipe.
    3. Enter the following information:
      1. A name for the remediation recipe.
      2. Select a compartment from the list of compartments.
    4. Click Next.
    5. To configure the remediation recipe, enter the following information:
      1. Select a knowledge base from the list.
      2. You can choose to automatically trigger a run when vulnerabilities are added or changed in the knowledge base.
      3. For Source Code Management, select a code repository. You can select a DevOps code repository, GitLab or GitHub repository. Enter the following information:
        1. For DevOps code repository, select a repository.
        2. For GitLab and GitHub, enter the repository URL and username. Select the vault and secret to retrieve the GitLab or GitHub personal access token to connect to the repository.

          See Configuring Source Code Management.

        3. Enter a branch name and build file location. See Build Specification.
        4. To merge the pull request automatically if the verify stage succeeds, enable Auto-Merge.
      4. (Optional) For the Detect stage, select the maximum permissible severity. Options include, Critical, High, Medium, Low, None, and Use CVSS Scores.

        If you select the Use CVSS Scores option, then you must enter the maximum permissible v2 and v3 scores. Vulnerabilities with CVSS v2 and v3 scores less than the entered score are excluded from vulnerability audit and remediation.

      5. (Optional) Add application dependencies to be excluded. You can add artifact identifiers (purl or GAV). Use an asterisk (*) as a wildcard at the end of an exclusion identifier, for example, com.*.
      6. For the Verify stage, select a build service to verify the recommended app dependency changes. You can choose from the following options:
        1. DevOps build pipeline: Select a build pipeline. See Configuring a Build Pipeline.
        2. GitLab pipeline: Enter the main URL of the project you want to use in the external source code management service, and the username. Select the vault and secret to retrieve the personal access token and trigger token. See Configuring GitLab Pipeline.
        3. GitHub action: Enter the main URL of the project you want to use in the external source code management service, and the username. Select the vault and secret to retrieve the personal access token. Enter the GitHub action workflow file name. See Configuring GitHub Actions Workflow.
        4. Jenkins pipeline: Enter the URL of the Jenkins server to use, and the username. Select the vault and secret to retrieve the personal access token. Enter the name of the Jenkins job to run.
        5. None: Select if you don't want to verify recommendations in the remediation run.

        (Optional) Add parameter names and values to be passed into the pipeline or action run.

      7. For network configuration, select a Virtual cloud network and a Subnet to access the repository, verify pipeline services, and application dependency knowledge base.
        Note: This isn't applicable if you use the OCI DevOps code repository and build pipeline.
    6. Click Next.
    7. Review the configuration settings for the remediation recipe. To make changes, click Previous.
    8. Define suitable Identity and Access Management policies that are necessary for the remediation run to use the required resources. See Application Dependency Management Policies.
    9. Click Create Remediation Recipe.
    The new remediation recipe is added to the Remediation Recipe dashboard.
  • Use the oci adm remediation-recipe create command and required parameters to create a remediation recipe:

    oci adm remediation-recipe create --compartment-id <compartment_id> --knowledge-base-id <knowledge_base_id> -scmConfiguration <scm_configuration> -mergeConfiguration <merge_configuration> -patchVulnerabilityConfiguration <patch_vulnerability_configuration>

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • Use the CreateRemediationRecipe operation to create a remediation recipe.
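The following is an added example, not code from the OCI documentation or the ADM service, that models the Detect-stage settings described in the console procedure above (maximum permissible severity or CVSS v2/v3 thresholds, plus purl/GAV exclusions with a trailing * wildcard) so you can check which findings a recipe would actually pass to the Recommend stage before enabling Auto-Merge. It assumes severity mode flags a vulnerability at or above the selected level, and that in CVSS mode a vulnerability is excluded only when both its v2 and v3 scores fall below their thresholds; the sample findings are constructed.

```python
# Added example: a model of the Detect-stage filtering described on this page.
# Not the ADM implementation; thresholds and exclusion semantics are assumptions.
from dataclasses import dataclass
from typing import Optional

# Ordering used for the "maximum permissible severity" option (assumed).
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Vulnerability:
    artifact: str                   # purl or GAV identifier of the dependency
    severity: str                   # one of SEVERITY_RANK keys
    cvss_v2: Optional[float] = None  # None when the advisory has no v2 score
    cvss_v3: Optional[float] = None  # None when the advisory has no v3 score

def is_excluded(artifact: str, exclusions: list[str]) -> bool:
    """True if the artifact matches an exclusion identifier.
    A '*' is honoured only as a trailing wildcard, e.g. 'com.*'."""
    for pattern in exclusions:
        if pattern.endswith("*"):
            if artifact.startswith(pattern[:-1]):
                return True
        elif artifact == pattern:
            return True
    return False

def meets_threshold(v: Vulnerability, max_severity: Optional[str],
                    max_v2: Optional[float], max_v3: Optional[float]) -> bool:
    """Severity mode (max_severity set): flagged at or above the selected level.
    CVSS mode (max_severity is None): flagged when either score reaches its
    threshold; a finding whose v2 and v3 scores are both below is excluded."""
    if max_severity is not None:
        return SEVERITY_RANK[v.severity.upper()] >= SEVERITY_RANK[max_severity.upper()]
    v2_hit = v.cvss_v2 is not None and max_v2 is not None and v.cvss_v2 >= max_v2
    v3_hit = v.cvss_v3 is not None and max_v3 is not None and v.cvss_v3 >= max_v3
    return v2_hit or v3_hit

def select_for_remediation(vulns, exclusions, max_severity=None,
                           max_v2=None, max_v3=None):
    """Findings the Detect stage would hand to the Recommend stage."""
    return [v for v in vulns
            if not is_excluded(v.artifact, exclusions)
            and meets_threshold(v, max_severity, max_v2, max_v3)]

# Constructed sample findings (GAV coordinates; not real advisories).
SAMPLE = [
    Vulnerability("org.example:web:1.0", "HIGH", 7.5, 8.1),
    Vulnerability("org.example:web:1.0", "LOW", 2.1, 3.7),
    Vulnerability("com.internal:tool:2.3", "CRITICAL", 10.0, 9.8),
    Vulnerability("org.other:lib:4.2", "MEDIUM", None, 6.5),
]
```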