
Creating a Security Scorecard in Compass


With every new evolution of technology, your organization needs another layer of security. However, with security comes governance, which can be overwhelming for teams delivering projects. It often slows them down as they work through all of the compliance requirements that need to be put in place for safe delivery.

Scorecards help delivery teams know what is expected of them upfront, meaning no rework at the end of a delivery cycle.

With scorecards, organizations can take control of the standards they put in place and make sure those standards are being met, so the teams that work on governance can be confident all the requirements are satisfied. Scorecards also shift the focus towards the teams that need help and reduce the need for long meetings.


Getting started

Prerequisites

  • Populated instance of Compass with software components

  • Snyk Enterprise plan

We’ll be creating a security scorecard using the Snyk data that becomes available once Snyk is connected to Compass. In the end, you’ll have a security scorecard that tracks the number of open high and critical vulnerabilities for all the linked software components in your organisation.

If you’re new to Compass, we recommend reading up on some of our pages to get you familiar with it faster:

What is Compass?


Connect Snyk with Compass

If we want to use Snyk data for our scorecards, we’ll need to ensure we have a Snyk Enterprise Plan. To install the Snyk app, follow these steps:

  1. From the top bar navigation menu in Compass, select Apps.

  2. Here you’ll find all the applications that can be added to Compass. Look for Snyk.

  3. To install it, click on the Get App button.

  4. Once you get the app, you need to configure it. Enter the token of a service account associated with your Snyk group under Group API Key. Follow these steps to create a group service account. The Snyk group is necessary to enumerate all the organisations within it, allowing you to select and connect them to Compass. For the Snyk Group ID and where to find it, follow this documentation.

  5. Find the organisations that you want to connect to the Compass site. You can connect up to 25 organisations.

You should see your organisation successfully added.


Upon completing the integration setup, Snyk will continuously sync security data with Compass, providing details about vulnerabilities in your component dependencies, container images, and more.

Once connected, the metrics "Open High Vulnerabilities" and "Open Critical Vulnerabilities" are automatically added to Compass. The integration associates these metrics with your components by identifying existing repository links in Compass, locating them in Snyk, and importing the relevant vulnerability counts.


Creating Security Scorecards

Now that you have Snyk connected to Compass, we’re ready to start creating a security scorecard.

Steps to create a security scorecard

  1. In the top navigation menu, select Health.

  2. At the top right corner, click the grey Create scorecards button.

  3. Enter the scorecard’s name and description.

  4. To select the owner of the scorecard, start typing the name and select the user from the dropdown list. An owner is someone who is responsible for the engineering standard tracked in the scorecard and can be the point of contact. In this example, it might be someone in your security team. Adding an owner is optional, but we recommend you add one.

  5. You can choose to apply the scorecard manually or automatically. Manually applying it requires you to individually select each component you want the scorecard to apply to after you’ve created it. If you choose to apply it automatically, you must select at least one component type, which will then make the scorecard available for all components of the chosen type.

    You can further refine how your scorecard is applied by adding additional filters. These filters let you apply the scorecard by component label, component tier level, or component team. Select the appropriate value from the dropdown menu that appears.

    To remove a filter, select the X button beside it.

    When you’re finished setting up the necessary filters, click Next.

  6. Next, you need to set up the criteria. You must have at least one criterion. Choose a criterion from the list and assign a percentage that indicates its importance. Ensure that the total percentage for all criteria equals 100%.

    There are two types of criteria you can choose from: fields and metrics. If you opt for a field as your criterion type, select the field you wish to measure from the dropdown menu. Similarly, if you select a metric as your criterion type, choose the metric from the dropdown, and also specify the operator and the value that will trigger the evaluation. Select Add Criterion to keep adding more. Choose the X button if you need to remove any.

  7. Finally, select Create. This will create your scorecard with all the behaviours you previously defined. It will also automatically display the statistics for all the components to which this scorecard applies.
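As an added illustration (not Compass’s or Snyk’s own code), the Python below models how a scorecard with weighted criteria evaluates a component: weights must total 100%, each metric criterion compares the synced metric against an operator and a value, and the score is the sum of the weights of the criteria that pass. The two metric names are the ones the integration adds; the scoring model, the “field is populated” rule and the sample components are assumptions.

```python
from dataclasses import dataclass
from operator import eq, ne, lt, le, gt, ge

# Constructed model of scorecard scoring; an assumption, not Compass's own code.
OPERATORS = {"==": eq, "!=": ne, "<": lt, "<=": le, ">": gt, ">=": ge}

@dataclass
class Criterion:
    name: str
    weight: int           # percentage; all weights on a scorecard must total 100
    kind: str             # "field" or "metric"
    operator: str = "=="  # metric criteria only
    value: int = 0        # metric criteria only

def validate_weights(criteria):
    """A scorecard needs at least one criterion and weights that sum to exactly 100%."""
    total = sum(c.weight for c in criteria)
    if not criteria or total != 100:
        raise ValueError(f"criteria weights must total 100%, got {total}%")

def criterion_met(criterion, component):
    if criterion.kind == "field":
        # Assumed rule: a field criterion passes when the field is populated.
        return bool(component["fields"].get(criterion.name))
    metric = component["metrics"].get(criterion.name)
    if metric is None:
        return False  # nothing synced from Snyk yet: fail closed rather than pass
    return OPERATORS[criterion.operator](metric, criterion.value)

def score(criteria, component):
    """Score is the sum of the weights of the criteria the component meets."""
    validate_weights(criteria)
    return sum(c.weight for c in criteria if criterion_met(c, component))

# The two metric names below are the ones the Snyk integration adds to Compass.
SECURITY_CRITERIA = [
    Criterion("Open Critical Vulnerabilities", 50, "metric", "==", 0),
    Criterion("Open High Vulnerabilities", 30, "metric", "<=", 2),
    Criterion("Owner", 20, "field"),
]

# Constructed sample components: {"fields": {...}, "metrics": {...}}; not real data.
SAMPLE = {
    "payments-api": {"fields": {"Owner": "sec-team"},
                     "metrics": {"Open Critical Vulnerabilities": 0, "Open High Vulnerabilities": 1}},
    "legacy-batch": {"fields": {"Owner": ""},
                     "metrics": {"Open Critical Vulnerabilities": 2, "Open High Vulnerabilities": 7}},
    "new-service": {"fields": {"Owner": "platform"}, "metrics": {}},
}
```

Calling `score(SECURITY_CRITERIA, SAMPLE["new-service"])` shows why a component with no synced Snyk data should not silently score as healthy: its metric criteria fail until the integration has imported counts for it.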

