August brings us a fresh update to Eficode’s favorite centralized user/groups/access management tool - Eficode ROOT Team Management, now sporting version 2.3.
Ubuntu 22.04 beta support
Eficode ROOT Team Management (RTM) made strides to catch up with recent developments in the realm of operating systems. Ubuntu 22.04 support is actively being worked on by the team and the aim is to have a stable release of the 22.04 version of RTM available to our operations quickly.
UI and audit logs improvements
For a while now we’ve been working on improving the user login experience. The current endless loop shown in case an SSO user is unable to login, while soothing, does a suboptimal task of communicating what the underlying problem is. With the new release info about expired passwords, users being locked or disabled will be shown by the UI. In addition, we are now logging the new authentication failure events better to the audit view (locked, disabled, and expired users).
Moreover, this version also comes with additional features inside its synchronizer - it is now able to handle users with missing IDs differently by skipping them on deactivation/reactivation methods.
Traditionally, you can review the list of changes for this and previous releases on our official docs site: Eficode RTM Releases
GitHub Enterprise 3.5 adds support for custom repository roles, rate limiting for Actions, cache support and much more.
Granular access control with custom repository roles
With custom repository roles, you can now set up more granular repository access permissions within your organization.
An organization owner can create a new custom role with access control configured from a set of over 40 fine grained permissions. Once created, repository admins can assign the custom role to any user, team or outside collaborator in their repository.
Check out the documentation for Managing custom repository roles for an organization at github.com to learn more!
Rate limiting for GitHub Actions
As is the case with all CI/CD systems, the load and demand for runner resources is not static. Sometimes there are “bursts” of jobs, which can result in sustained high load in the runner environment and the build queue backing up. All of this can cause overall performance degradation in your GitHub Enterprise instance, which is never desirable.
To avoid this, it is now possible to set up a rate limit for GitHub Actions requests. The rate limit is expressed in job runs per minute. GitHub Enterprise Server calculates and applies the rate limit for the sum total of all job runs on the instance. If the amount of runs exceeds the rate limit, additional run requests will fail with a “You’ve exceeded the rate limit” message, instead of being entered in the queue.
The rate limiting is disabled by default. But we now have the means to combat performance degradation resulting from sustained Actions load.
More on the topic can be found in Configuring rate limits for GitHub Actions at github.com.
Cache support for GitHub Actions
Speed is of the essence and thus you can now use dependency caching to speed up your GitHub Actions workflows. To cache dependencies for a job, you can include the actions/cache action to create a cache with a unique key. You can share caches across all workflows in the same repository.
Definitely worth a read: Caching dependencies to speed up workflows.
General availability for new features
3.5 brings a wealth of features now made generally available. We’re not going to dissect each of those, but do note there are now, among others, these gems available:
- Reusable workflows that help you reduce duplication by enabling you to reuse an entire workflow as if it were an action.
- OpenID Connect (OIDC) for securing deployments to cloud providers using short-lived tokens (we love short-lived tokens at Eficode).
- Sharing Github Action within your enterprise - innersource automation by sharing actions in internal repositories.
And many more - see Github 3.5 new features list!
GitLab 15 comes in with support for WYSIWYG editor, container scanning in all tiers, nested CI/CD variables and many more exciting features and fixes! GitLab 15.3 is the version we’ll be deploying in August.
WYSIWYG editor for wikis
Time has come to bring more life into your wikis, starting with syntax highlighting for code blocks - support for over 100 languages is provided out of the box. Moreover, working with links and media in the WYSIWYG editor has been simplified with a new popover menu. Give it a whirl, the solution is about collaboration after all!
Container scanning available in all tiers
With GitLab 15, the basic Container Scanning features have been made available in all tiers (Free / Premium / Ultimate ). This should help developers find known security vulnerabilities in their dependencies more easily.
There’s even a short flick about the change: GitLab Container Scanning in all Tiers
Nested CI/CD variables
This feature will make working with dynamic environments even more powerful, as now you’ll be able to use nested variables to define these environments. Previously unavailable, starting in GitLab 15.0, you can nest variables inside other variables, and have them all expand the way you expect. Flexibility galore!
You might find reading through the complete list quite refreshing - GitLab 15.0 key improvements.
The highlights of our August updates of Artifactory and Xray (versions 7.41.6 and 3.52.4, respectively) include support for Terraform repositories and new secure token implementation.
Artifactory can now provide a fully-fledged Terraform repository suite with support for Terraform Modules, Provides and Backend packages.
The Terraform Registry in the JFrog Platform offers secure and private local Terraform Modules and Providers registry, remote repository support for proxying and caching Module and Provider resources from and external source as well as virtual repository support for aggregating multiple local or remote repositories into one logical endpoint, a single URL through which to manage the resolution and deployment of all your Terraform Modules and Providers.
And with the Terraform Backend Repository you can now set up Artifactory to act as a dedicated Remote State Storage Provider for Terraform. It can work both independently of and together with the Terraform Registry repository.
The Backend Repository offers the following features:
- Remote State Storage Provider for Terraform
- Support for multiple Workspaces
- Secure State Encryption storage
- State snapshot history, and
- State content viewer and search
Dive into Terraform Repositories at jfrog.com to find out more!
This release of Artifactory adds a new Identity Tokens implementation which will eventually replace the current API tokens. Identity Tokens are scoped tokens, which means that they can provide more limited permissions to only the resources that are needed, making them more secure than the API tokens which permitted access to everything by default.
With the introduction of the new secure token model, JFrog has also set an expiration date on the less secure API tokens: January 2023. Old API keys will be deprecated and should be replaced with an Identity Token.
Once this Artifactory update has been rolled out and you have the possibility to set up the new tokens, we’ll be publishing a separate “blog” post of what the change means in practice: how to scope the tokens, what’s the change required in typical CI/CD setting and so forth. In the meantime you can naturally check out the JFrog documentation for Identity Token and Generating Scoped Tokens to learn more.
Manage operational risks with Xray
Xray can now provide information about the operational risks related to using open source software components. The operational risks detected by Xray include things like the health of the OSS project (i.e. how actively the component is maintained), age of the component use and the possible obsoletion or end-of-life declaration for a component.
Be sure to check out the Components Operational Risks documentation at jfrog.com to learn more.
The Xray Reports also now have the capability to generate Operational Risk reports as one the report types available. You can also view Operational Risk violations on the Violations report type. For more information, see Xray Reports at jfrog.com.
August also brings us a brand new Jenkins LTS and an updated SonarQube Current.
Jenkins’ monthly treatment
During June and July we’ve been applying minor patches to the 2.332.x LTS line, but as August rolls around so does a new Jenkins LTS: version 2.346.2.
The new LTS continues with the UI modernization by replacing all the PNG and GIF icons with SVG equivalents. There’s a downside to it, unfortunately: whilst most of the actively developed plugins have already been updated to work with SVG icons, there may be others that have not. However it’s nothing to worry about. It’ll be just a matter of some missing icons or images, the plugins themselves will still function normally.
The new LTS also ships with other fixes and enhancements plus there’s the usual monthly plugins update round as well. Given the by-design-uniqueness of Jenkins instances, please do reach out to your friendly Eficode ROOT Support for a full list of changes specific to your ROOT Jenkins snowflake.
SonarQube current release 9.5
In August, the non-LTS Sonarqube offering within ROOT Platform catches up to the latest and greatest Sonarqube released yet - version 9.5. Faster analysis, UI improvements and project analysis tokens should make the wait worthwhile.
Improved issue interface
The updated interface in the release takes the user experience of Issues closer to that of Security Hotspots, with more focus on the particular issue at hand and a more obvious access to the underlying rule description.
Faster analysis for (almost) all
Improved performance has been one of the key ingredients of the SonarQube 9.x release line. Whilst the previous version delivered improvements mainly for Java based analysis, this release will improve the performance for quite a few of us.
Firstly, anyone with a Git-based project will undoubtedly be pleased to hear that SonarQube 9.5 makes the first analysis of a Git-based project up to 60% faster than before with improved retrieval of the initial blame data.
Secondly, in commercial editions of SonarQube, analysis caching and multithreading is now enabled by default for all C and C++ users. Analysis speed will be proportional to the number of files changed and the thread count will automatically scale to the number of CPUs on the build agent, making it possible for C/C++ analysis to complete in record-breaking time!
Project analysis tokens
We’ve mentioned in Github section that we love short-lived tokens at Eficode - similarly, we are very fond of restricted-permissions tokens as well. In previous version of Sonarqube, while tokens could be used to invoke web services without divulging user’s actual credentials, the users only had a single type of token at their disposal. A all-or-nothing type, a.k.a. a “User Token”. With 9.5 users can additionally generate a “Project Analysis Tokens” - which may be used to run analysis on a specific project only and a “Global Analysis Token” which can be used to run analysis on every project.
Definitely a step in the right direction.
Check out the SonarQube 9.5 release announcement at sonarqube.org for more details on what’s new in SonarQube!
Published: August 1, 2022