Detect Suspicious Code Commits in Pull Requests
Security of software development and code is more important than ever. JupiterOne is capable of detecting suspicious code commits in a git pull request (PR) in two ways:
- Commits self-approved by the code author
- Commits made by a user unknown to the organization
For the detection to work, you will need to:
- Enable Pull Request (PR) and commit analysis in the integration configuration in JupiterOne. This feature is currently supported on the Bitbucket integration. GitHub support is coming soon.
- Configure branch permissions in your git source control system to prohibit directly committing to the main branch (e.g. master) and to require pull request reviews before merging. This option is typically found under the repo settings. This allows PR analysis to catch the suspicious activities.
When enabled, JupiterOne sets the validated flag on each merged PR entity.
You can run a J1QL query to detect “PRs with suspicious activities”:
Find PR with approved = false or validated = false
You can also set up an alert with the above query, or integrate this analysis into your DevOps pipeline to check for suspicious commits in PRs before deploying code to production.
How does it work?
Detecting self-approved commits
At the time of integration execution, or when requested via the API, JupiterOne will analyze the activities on a merged PR to determine if there is any code commit on the PR that was not approved by someone other than the code author.
Isn’t this already configured via branch protection/permissions?
Consider the following scenario:
- Bob writes some code and commits it to a feature branch
- Bob opens a PR with those changes and requests review from Alice
- Alice makes another commit to the same branch and updates the PR
- Alice approves the PR
The PR is considered approved by a reviewer because Bob opened the PR and Alice reviewed it. However, Alice technically approved her own code associated with the commit she made to the branch after Bob opened the PR.
JupiterOne will detect this condition and set the approved flag on the PR to false. The commit hash of the detected suspicious commit is added to the commitsNotApproved list property.
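The rule the Bob/Alice scenario illustrates, written out as an added example (this is not JupiterOne's own code, and the Event/Analysis types, the known_users set and the assumption that the unknown-author case maps onto the validated flag are all choices made here): a commit counts as approved only if, after it landed on the PR branch, someone other than its author approved the PR.

```python
"""Self-approved commit detection over a pull-request activity timeline.

Added example, not JupiterOne's own code. A commit counts as approved only
if, after it landed on the PR branch, the PR was approved by someone other
than that commit's author. The Event/Analysis types, the `known_users`
check and the mapping of the unknown-author case onto the `validated` flag
are assumptions made in this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Event:
    kind: str                  # "commit" or "approval"
    actor: str                 # user who pushed the commit or approved the PR
    ts: int                    # ordering key (e.g. epoch seconds)
    sha: Optional[str] = None  # commit hash, only for "commit" events


@dataclass
class Analysis:
    approved: bool   # False if any commit lacks an independent approval
    validated: bool  # False if any commit author is unknown to the org (assumed)
    commits_not_approved: List[str] = field(default_factory=list)
    commits_unknown_author: List[str] = field(default_factory=list)


def analyze_pr(events: List[Event], known_users: Set[str]) -> Analysis:
    """Replay the PR timeline and flag commits without an independent approval."""
    timeline = sorted(events, key=lambda e: e.ts)
    not_approved: List[str] = []
    unknown_author: List[str] = []
    for i, ev in enumerate(timeline):
        if ev.kind != "commit":
            continue
        # Only approvals that come *after* this commit can vouch for it, and
        # the approver must be a different person from the commit author.
        independent = [
            a for a in timeline[i + 1:]
            if a.kind == "approval" and a.actor != ev.actor
        ]
        if not independent:
            not_approved.append(ev.sha)
        if ev.actor not in known_users:
            unknown_author.append(ev.sha)
    return Analysis(
        approved=not not_approved,
        validated=not unknown_author,
        commits_not_approved=not_approved,
        commits_unknown_author=unknown_author,
    )


# Constructed timeline reproducing the Bob/Alice scenario from the text.
SCENARIO = [
    Event("commit", "bob", 1, sha="c0ffee1"),    # Bob commits to the feature branch
    Event("commit", "alice", 3, sha="c0ffee2"),  # Alice pushes to the same branch
    Event("approval", "alice", 4),               # Alice approves the PR
]
ORG_USERS = {"bob", "alice"}  # constructed org membership


def scenario_result() -> Analysis:
    return analyze_pr(SCENARIO, ORG_USERS)


if __name__ == "__main__":
    r = scenario_result()
    print(f"approved={r.approved} validated={r.validated} "
          f"commitsNotApproved={r.commits_not_approved}")
```

Running it on the scenario reports Bob's commit as approved (Alice approved after it) and Alice's commit as not approved, because the only approval after it is her own; a later approval by Bob clears the flag. Approvals that predate a commit are deliberately ignored, which is what makes the "push after review" case visible.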
Combine suspicious commits checking and vulnerability checking for CI/CD
You can use the following J1QL query to detect open vulnerability findings that are associated with certain code repos, and use this in conjunction with the PR analysis query previously discussed to make automated decisions for promoting code to production in your CI/CD pipeline.
For example, you can query JupiterOne via API for:
Find Finding with open=true and severity=('Critical' or 'High') that relates to CodeRepo with name='my-new-project'
Find PR with id=55 as PR that relates to CodeRepo with name='my-new-project' return PR.approved, PR.validated
And block production deploy if the first query above returns a finding or if the second query returns
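One way to wire the two queries into a pipeline gate, as an added example rather than JupiterOne's own tooling: the gate function holds the decision logic the text describes, while run_j1ql is an assumed client for JupiterOne's GraphQL endpoint and its queryV1 operation, and the row shape keyed by "PR.approved" and "PR.validated" is assumed from the query's return clause. The repo name and PR id are the page's placeholders; the rows fed to gate in the tests are constructed.

```python
"""CI/CD gate combining the vulnerability query and the PR analysis query.

Added example, not JupiterOne's or the page's own code. `gate` is the
decision logic; `run_j1ql` is an ASSUMED client (endpoint, headers and the
queryV1 GraphQL operation are assumptions), and the result-row shape
{"PR.approved": ..., "PR.validated": ...} is assumed from the `return` clause.
"""
import json
import os
import sys
import urllib.request
from typing import Any, Dict, List, Tuple

REPO = "my-new-project"  # placeholder from the page
PR_ID = 55               # placeholder from the page
FINDINGS_QUERY = (
    "Find Finding with open=true and severity=('Critical' or 'High') "
    f"that relates to CodeRepo with name='{REPO}'"
)
PR_QUERY = (
    f"Find PR with id={PR_ID} as PR that relates to CodeRepo with name='{REPO}' "
    "return PR.approved, PR.validated"
)

J1_GRAPHQL = "https://api.us.jupiterone.io/graphql"  # assumed endpoint


def run_j1ql(j1ql: str) -> List[Dict[str, Any]]:
    """Run a J1QL query via the GraphQL API (assumed request/response shape)."""
    body = json.dumps({
        "query": "query J1QL($query: String!) { queryV1(query: $query) { data } }",
        "variables": {"query": j1ql},
    }).encode()
    req = urllib.request.Request(J1_GRAPHQL, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {os.environ['J1_API_TOKEN']}",   # assumed env var
        "JupiterOne-Account": os.environ["J1_ACCOUNT_ID"],         # assumed env var
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["queryV1"]["data"]


def gate(findings: List[Dict[str, Any]],
         pr_rows: List[Dict[str, Any]]) -> Tuple[bool, List[str]]:
    """Return (allow_deploy, reasons).

    Fails closed: a missing PR row or a missing/non-boolean flag blocks the
    deploy instead of being treated as a pass.
    """
    reasons: List[str] = []
    if findings:
        reasons.append(f"{len(findings)} open Critical/High finding(s) on {REPO}")
    if not pr_rows:
        reasons.append(f"PR {PR_ID} not found on {REPO}")
    for row in pr_rows:
        for flag in ("PR.approved", "PR.validated"):
            if row.get(flag) is not True:
                reasons.append(f"PR {PR_ID}: {flag} is {row.get(flag)!r}")
    return (not reasons, reasons)


def main() -> int:
    allow, reasons = gate(run_j1ql(FINDINGS_QUERY), run_j1ql(PR_QUERY))
    for reason in reasons:
        print("BLOCK:", reason, file=sys.stderr)
    return 0 if allow else 1


if __name__ == "__main__":
    sys.exit(main())
```

The exit code is what the pipeline step keys on: non-zero blocks the promotion. Treating an absent flag the same as false matters because a PR that the integration has not yet analyzed would otherwise slip through as "not flagged".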