As an application owner or platform administrator, you need to ensure that the code repositories for your applications are not dependent upon Spring libraries that have reached end of support (EOS) or suffer from security vulnerabilities that require updates. You can onboard and monitor your Git repositories in Tanzu Platform to easily stay current on the status of your libraries in one place.
This topic explains how to manually add a repository as an endpoint in Tanzu Platform, run analysis on it, review results, and hide unwanted repositories.
Adding repositories manually allows you to obtain some information about your repositories, but the analyses might return incomplete results, because not all of your Spring application dependencies are identified. For optimal results, configure Spring applications so that repositories are discovered during application discovery. See Configure your Spring applications for application management in Tanzu Platform for information about how Tanzu Platform discovers Spring applications and their Git repository information.
Add a new Git repository
Before you can run analysis on a repository, you must add it to Tanzu Platform as an endpoint. For onboarding, the repository must be hosted on either GitHub or GitLab.
- In the Tanzu Platform UI, go to Administration > Repositories > Git.
  To see the Git option, you must have the Tanzu Platform Administrator role.
- Click Add Git Endpoint and enter information about your Git repository.
  - Platform: Select GitLab or GitHub.
  - Endpoint Name: A name for this endpoint, to appear in Tanzu Platform.
  - Repository URL: The address of the repository.
  - Credential Name: A name for the repository credentials.
  - API Access Key: The API access key for the repository.
- On the next page, select the platform your repository is hosted on, then enter a name and repository URL.
- Add a credential to authenticate with your code repository.
- Click Create.
The newly created Git Endpoint will be available in the Git Endpoint List view.
Run analysis on a repository
Once you add a repository, you can run analysis on it to determine the support and vulnerability status of your libraries.
- In the Tanzu Platform UI, go to Developer Tools > Repositories.
- Locate the repository you added in the list, then click the checkbox next to it.
  You can locate repositories by using the Last Commit Date filter or by searching for the name of the repository.
- Click ANALYZE NOW to initiate analysis, or ANALYZE DAILY to schedule daily analysis.
- Wait for the results to populate.
  You might need to refresh the UI to get the latest state.
The repositories on this list might provide code to multiple applications. You can explore the relationships in more depth by clicking the Apps count and navigating to the Application view.
Review the results of a repository analysis
After the scan is complete, you can view the repository to see the findings. For a more granular view, you can also click on the repository to see individual libraries.
- In the Tanzu Platform UI, go to Developer Tools > Repositories.
- Top Repos with EOS Libraries displays the top five repositories based on the maximum benefit that can be achieved with minimum effort. Select an upgrade level, Medium Effort or High Effort, to observe the improvement in EOS libraries.
- Top Repos with Vulnerabilities displays the top five repositories based on the maximum benefit that can be achieved with minimum effort. Select an upgrade level, Low Effort, Medium Effort or High Effort, to observe the improvement in vulnerabilities.
- Top Recommendations displays repositories with a combination of EOS libraries and vulnerable libraries that can be fixed with minimum effort.
View repository details
You can explore the details of your Git repositories in the Tanzu Platform UI.
- In the Developer Tools > Repositories view, click a repository name and open the repository details.
  In the header the following parameters are visible:
  - Name - Name of the repository.
  - Recurring - Whether the assessment is run in recurring mode or not.
  - Date generated - Date on which the assessment was generated.
  - Git Endpoint - Name of the Git endpoint.
  - Apps - Number of apps that are deploying code from this repository.
The Summary tab provides widgets you can use to view data about your repository.
| Widget | Description |
| --- | --- |
| Findings | Provides a summary of Libraries that are out of support and Libraries that contain Vulnerabilities. |
| Recommendations | Provides a summary of all libraries that must be upgraded to fix the issues summarized in the Findings widget. |
| End of Support analytics | Highlights the current state and a projected state that is possible by upgrading libraries. You can select Medium or High effort and projections are shown accordingly. This widget covers Libraries that are currently End of Support, Libraries that will run out of support in three months and Libraries that are in support currently. |
| Vulnerability Analytics | Highlights the current state and a projected state that is possible by upgrading libraries. You can select Low, Medium or High effort and projections are shown accordingly. This widget covers vulnerabilities that are Critical, High, Moderate and Low in terms of criticality. |
| Spring Runtime Support Status Over Time | Highlights the count of unsupported and supported libraries and how they vary over a period of time. |
- To download a report in PDF format for a given repository, click the download button in the top right corner.
- To view the details of the libraries in a given repository, select the Libraries tab.
  The Libraries column contains a list of all libraries in the repository and lists their support and vulnerability statuses.
- Click any of the libraries in the list to view detailed information about the library and the recommended upgrade version.
- Based on the findings and recommendations, decide whether you should perform a patch upgrade (1.0.X), minor upgrade (1.X.0), or major upgrade (X.0.0) on the repository.
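When a repository has many libraries, the patch, minor or major decision can be triaged by comparing each library's current version with its recommended version. The following Python sketch is an added example, not part of Tanzu Platform; the sample rows, their layout and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rows: (library, current version, recommended version).
# The row layout is an assumption, not a Tanzu Platform export format.
SAMPLE_FINDINGS = [
    ("spring-boot", "2.7.18", "3.2.5"),
    ("spring-security-core", "5.8.1", "5.8.12"),
    ("spring-core", "5.2.9.RELEASE", "5.3.34"),
    ("spring-data-commons", "3.1.0", "3.1.0"),
]


def parse_version(text):
    """Return (major, minor, patch); qualifiers such as .RELEASE are ignored."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def upgrade_level(current, recommended):
    """Classify the jump as 'major' (X.0.0), 'minor' (1.X.0), 'patch' (1.0.X) or 'none'."""
    cur, rec = parse_version(current), parse_version(recommended)
    if rec < cur:
        raise ValueError(f"{recommended} is older than {current}")
    for index, level in enumerate(("major", "minor", "patch")):
        if rec[index] != cur[index]:
            return level
    return "none"


def group_by_level(findings):
    """Map each upgrade level to the libraries that need that kind of upgrade."""
    groups = defaultdict(list)
    for library, current, recommended in findings:
        groups[upgrade_level(current, recommended)].append(library)
    return dict(groups)


if __name__ == "__main__":
    for level, libraries in group_by_level(SAMPLE_FINDINGS).items():
        print(f"{level}: {', '.join(libraries)}")
```

Libraries grouped under "patch" are usually the quickest to schedule, while a "major" jump for a core library typically needs its own migration plan.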
Hide repository details
You can keep your repository view focused on the most critical items by hiding repositories that are not of interest or associated with your application or team.
- In the Tanzu Platform UI, go to Developer Tools > Repositories.
- Click the checkbox next to the repositories you want to hide.
- Click Hide.
Hidden repositories don’t appear in the default view. You can see them again by clicking the Show Hidden checkbox. When you hide a repository, note that it is hidden for all users and it does not appear in any of the Top Repo widgets.