Creating a Remediation Recipe

Create a remediation recipe.

  • You must create at least one Knowledge Base. See Creating a Knowledge Base.

    1. On the Remediation Recipes list page, select Create remediation recipe. If you need help finding the list page, see Listing Remediation Recipes.
    2. Enter the following information:
      1. Enter a name for the remediation recipe.
      2. Select a compartment from the list of compartments.
    3. To configure the remediation recipe, enter the following information:
      1. Select a knowledge base compartment from the list of compartments.
      2. Select a knowledge base from the list.
      3. Optionally, select the option to trigger a remediation run automatically when vulnerabilities are added to or changed in the knowledge base.
      4. For Source Code Management, select a code repository. You can select a DevOps code repository, a GitLab repository, or a GitHub repository. Enter the following information:
        1. For a DevOps code repository, select a repository.
        2. For GitLab and GitHub, enter the repository URL and username. Select the vault and the secret that holds the GitLab or GitHub personal access token used to connect to the repository.

          See Configuring Source Code Management.

        3. Enter a branch name and build file location. See Build Specification.
        4. To merge the pull request automatically if the verify stage succeeds, enable Auto-Merge.
      5. For the Detect stage, select the maximum permissible severity. The options are Critical, High, Medium, Low, None, and Use CVSS Scores.

        If you select Use CVSS Scores, enter the maximum permissible CVSS v2 and v3 scores. Vulnerabilities whose CVSS v2 and v3 scores are less than the specified maximums are excluded from vulnerability audits and remediation.

      6. Add the application dependencies to exclude from detection. You can add artifact identifiers (purl or GAV). Use an asterisk (*) as a wildcard at the end of an exclusion identifier, for example, com.*.
      7. For the Verify stage, select a build service to verify the recommended application dependency changes. You can select from the following options:
        1. DevOps build pipeline: Select a build pipeline. See Configuring a Build Pipeline.
        2. GitLab pipeline: Enter the main URL of the project you want to use in the external source code management service and the username. Select the vault and secret to retrieve the personal access token and the trigger token. See Configuring GitLab Pipeline.
        3. GitHub action: Enter the main URL of the project you want to use in the external source code management service and the username. Select the vault and secret to retrieve the personal access token. Enter the GitHub Actions workflow file name. See Configuring GitHub Actions Workflow.
        4. Jenkins pipeline: Enter the URL of the Jenkins server to use and the username. Select the vault and secret to retrieve the personal access token. Enter the name of the Jenkins job to run.
        5. None: Select this option if you don't want to verify recommendations in the remediation run.
      8. For the network configuration, select a Virtual cloud network and a Subnet from which the repository, the verify pipeline service, and the application dependency knowledge base are reachable.
    4. Select Create.
    The new remediation recipe is added to the Remediation Recipe dashboard.
  • Use the oci adm remediation-recipe create command and required parameters to create a remediation recipe:

    oci adm remediation-recipe create --compartment-id <compartment_id> --knowledge-base-id <knowledge_base_id> --scm-configuration <scm_configuration> --merge-configuration <merge_configuration> --patch-vulnerability-configuration <patch_vulnerability_configuration>

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • Use the CreateRemediationRecipe operation to create a remediation recipe.
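The Detect-stage rules from the Console steps (the maximum permissible severity, the CVSS v2 and v3 thresholds, and artifact exclusions that end in a wildcard asterisk) modelled as a small filter, as an added example that is not part of this documentation or of the ADM service's own code. The artifact coordinates, vulnerability identifiers and scores are constructed sample values, and treating a missing CVSS score as 0.0 is an assumption of this example, not something the steps above state.

```python
# Added example: a model of the Detect-stage rules described in the recipe steps
# (maximum permissible severity, CVSS score thresholds and artifact exclusions).
# Illustrative code only, not the product's implementation; all artifact names,
# identifiers and scores below are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Ordering used to compare a vulnerability's severity with the configured maximum.
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
USE_CVSS_SCORES = "USE_CVSS_SCORES"


@dataclass(frozen=True)
class Vulnerability:
    artifact: str             # purl or GAV coordinate of the affected dependency
    vuln_id: str              # placeholder identifier (constructed, not a real CVE)
    severity: str             # one of the SEVERITY_RANK keys
    cvss_v2: Optional[float]  # None when the source publishes no v2 score
    cvss_v3: Optional[float]  # None when the source publishes no v3 score


@dataclass(frozen=True)
class DetectConfig:
    # Either a severity name or USE_CVSS_SCORES, mirroring the Console options.
    max_permissible_severity: str = "NONE"
    max_permissible_cvss_v2: float = 0.0
    max_permissible_cvss_v3: float = 0.0
    exclusions: Sequence[str] = ()


def is_excluded_artifact(artifact: str, exclusions: Sequence[str]) -> bool:
    """Return True when an exclusion identifier matches the artifact.

    An identifier matches exactly, or as a prefix when it ends with '*',
    the trailing-wildcard form the recipe step describes (e.g. 'com.*').
    """
    for pattern in exclusions:
        if pattern.endswith("*"):
            if artifact.startswith(pattern[:-1]):
                return True
        elif artifact == pattern:
            return True
    return False


def is_reported(vuln: Vulnerability, cfg: DetectConfig) -> bool:
    """Decide whether the Detect stage reports a vulnerability under cfg."""
    if is_excluded_artifact(vuln.artifact, cfg.exclusions):
        return False
    if cfg.max_permissible_severity == USE_CVSS_SCORES:
        # A vulnerability whose v2 and v3 scores are both below the configured
        # maximums is excluded. Assumption: a missing score counts as 0.0, so a
        # finding that only carries a high v3 score is still reported.
        v2 = vuln.cvss_v2 if vuln.cvss_v2 is not None else 0.0
        v3 = vuln.cvss_v3 if vuln.cvss_v3 is not None else 0.0
        below_both = (v2 < cfg.max_permissible_cvss_v2
                      and v3 < cfg.max_permissible_cvss_v3)
        return not below_both
    if cfg.max_permissible_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {cfg.max_permissible_severity}")
    if vuln.severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {vuln.severity}")
    # Severity mode: anything above the permitted maximum is reported.
    return SEVERITY_RANK[vuln.severity] > SEVERITY_RANK[cfg.max_permissible_severity]


def audit(vulns: Sequence[Vulnerability], cfg: DetectConfig) -> List[str]:
    """Return the identifiers of the vulnerabilities the Detect stage reports."""
    return [v.vuln_id for v in vulns if is_reported(v, cfg)]


# Constructed sample findings against a hypothetical Maven project.
SAMPLE_VULNS = (
    Vulnerability("com.example.legacy:old-lib:1.0", "VULN-0001", "HIGH", 7.5, 8.1),
    Vulnerability("org.example:web-lib:2.3.1", "VULN-0002", "CRITICAL", 10.0, 9.8),
    Vulnerability("org.example:util:1.1", "VULN-0003", "LOW", 2.1, 3.7),
    Vulnerability("org.example:parser:0.9", "VULN-0004", "MEDIUM", None, 7.5),
)

if __name__ == "__main__":
    by_severity = DetectConfig("MEDIUM", exclusions=("com.example.legacy:*",))
    by_cvss = DetectConfig(USE_CVSS_SCORES, 7.0, 7.0, ("com.example.legacy:*",))
    print("severity up to MEDIUM permitted:", audit(SAMPLE_VULNS, by_severity))
    print("CVSS v2 and v3 below 7.0 excluded:", audit(SAMPLE_VULNS, by_cvss))
```

Running the script shows the two modes diverging on the same findings: in severity mode only the Critical finding is reported, while in CVSS mode the Medium finding with a 7.5 v3 score is reported as well, and the legacy artifact is dropped in both runs by the trailing-wildcard exclusion.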