Hey, thanks for reaching out!
Generally yes, the vulnerability policy feature is implemented and functional. What's still missing is documentation (#997), and some demo setups that make it easy to test it out. At the moment, policies can be fetched from any HTTP fileserver (e.g. NGINX), or blob storage services that support the S3 API (e.g. AWS S3, Minio). All a source does is host a ZIP file (policy bundle) that contains zero or more policy YAMLs. You can find the initial design discussion here, including some flow diagrams. Note that most Git solutions provide a way to download repository branches as ZIP files. So, in a way, Git is already supported.
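The reply above describes the mechanism: a source (HTTP server, S3-compatible store, or a Git branch ZIP export) hosts a policy bundle, a ZIP containing policy YAMLs, and the consumer fetches and reads it. The following is an added example, not Hyades' or Dependency-Track's own loader, of how a consumer would build, fetch and read such a bundle defensively. The size limits, the entry layout and the placeholder YAML bodies are assumptions of this example; the checks it applies (capped download and entry sizes, rejection of path-traversal names and of non-YAML entries) are the ones a practitioner would want before a bundle pulled from a remote source is applied to many projects at once.

```python
import io
import urllib.request
import zipfile

# Limits applied while reading a bundle. The values are assumptions chosen for
# this example; they are not settings taken from Hyades.
MAX_BUNDLE_BYTES = 8 * 1024 * 1024   # refuse to download more than 8 MiB
MAX_ENTRY_BYTES = 1024 * 1024        # refuse any single policy file above 1 MiB
MAX_ENTRIES = 1000                   # refuse bundles with an unreasonable file count


def build_bundle(policies):
    """Create an in-memory policy bundle (ZIP) from {path: yaml_bytes}.

    This stands in for what a source (HTTP server, S3 bucket, Git ZIP export)
    would host; the entry layout is an assumption of this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, body in policies.items():
            zf.writestr(path, body)
    return buf.getvalue()


def fetch_bundle(url, timeout=10):
    """Download a bundle over HTTP with a timeout and a hard size cap."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read(MAX_BUNDLE_BYTES + 1)
    if len(data) > MAX_BUNDLE_BYTES:
        raise ValueError("policy bundle exceeds MAX_BUNDLE_BYTES")
    return data


def _check_member_name(name):
    """Reject entry names that could escape a target directory (zip-slip).

    The loader below keeps everything in memory, but applying the check here
    means the same code stays safe if it is later used to extract to disk.
    The ':' rule is deliberately conservative (drive prefixes on Windows).
    """
    if name.startswith("/") or "\\" in name or ":" in name:
        raise ValueError(f"rejecting entry with absolute or drive path: {name!r}")
    if any(part in ("", ".", "..") for part in name.split("/")):
        raise ValueError(f"rejecting entry with traversal component: {name!r}")


def load_policy_bundle(data):
    """Return {entry_name: yaml_bytes} for every policy YAML in the bundle.

    Anything that is not a .yaml/.yml file, or that exceeds the size limits,
    causes the whole bundle to be rejected rather than partially applied.
    """
    policies = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [info for info in zf.infolist() if not info.is_dir()]
        if len(members) > MAX_ENTRIES:
            raise ValueError("policy bundle has too many entries")
        for info in members:
            _check_member_name(info.filename)
            if not info.filename.lower().endswith((".yaml", ".yml")):
                raise ValueError(f"unexpected non-YAML entry: {info.filename!r}")
            if info.file_size > MAX_ENTRY_BYTES:
                raise ValueError(f"entry too large: {info.filename!r}")
            # Read with an explicit cap: the central-directory size field is
            # attacker-controlled, so do not trust file_size alone.
            with zf.open(info) as fh:
                body = fh.read(MAX_ENTRY_BYTES + 1)
            if len(body) > MAX_ENTRY_BYTES:
                raise ValueError(f"entry larger than declared: {info.filename!r}")
            policies[info.filename] = body
    return policies


if __name__ == "__main__":
    # Constructed sample bundle; the YAML bodies are placeholders, not real
    # Hyades policy syntax.
    sample = build_bundle({
        "policies/block-critical.yaml": b"name: block-critical\n",
        "policies/team-a/allow-list.yml": b"name: allow-list\n",
    })
    for name, body in load_policy_bundle(sample).items():
        print(name, len(body), "bytes")
```

`fetch_bundle` is only needed when the source is remote; for a Git-hosted bundle the same loader works on the branch ZIP export the reply mentions, since the checks depend only on the archive contents. Rejecting the whole bundle on any bad entry, rather than skipping it, keeps a single malformed file from silently changing which policies are in force.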
Hello,
I'm a user of DependencyTrack (v4) and currently investigating whether to invest in a custom tool or not. I saw in a DependencyTrack video on YouTube that Hyades would allow storing policies in a git repo to be pulled by Hyades regularly and applied globally. I particularly love this feature as it would allow me to 'whitelist' vulnerabilities easily on many projects at once (all those projects rely on the same low-level libraries, hence they often suffer the same vulnerabilities).
Is this feature already implemented?