Configure Repositories in the Dashboard

In this section we’ll demonstrate how to customize the behavior of DryRun Security by creating a Configuration in the Dashboard.

Log in to the DryRun Security portal at https://app.dryrun.security.

Navigate to the Settings > Configuration section.

Note: the default configuration is editable and it applies to all Repositories that are not included in another configuration.

Click Add new Configuration +

Set up the new configuration using the following steps:

  1. Enter a name for the configuration in the box labeled Enter Configuration Name...
  2. Use the selector labeled Select Repositories to choose the Repositories that will use this Configuration.

Note: A Repository can belong to only one Configuration. Repositories that are greyed out are already included in a different Configuration.

  3. Enable or Disable the DryRun Security Pull Request Comment.
  4. Enable or Disable Notifications. If enabled, choose the Integrations that will be applied.
  5. Add a Custom Code Policy by clicking Add Existing + and choosing an option from the dropdown. Up to five Code Policies may be added to the Configuration.

Note: To create a Code Policy and make it available for use in a Configuration, follow the steps in Create a Natural Language Code Policy.

  6. Configure the Custom Code Policies:
  • Enable Blocking to fail the Check in GitHub. The Risk Level will automatically be set to Failing. This setting, together with GitHub Branch Protection Rules, can be used to block merging of a Pull Request. Note: see Configure Blocking for Code Policies.
  • Enable Silent Mode to prevent results from appearing in the DryRun Security Pull Request comment. Results will still be available in the DryRun Security Dashboard.
  • Choose the Risk Level returned by the Policy when it has Findings. Options are Info, Risky and Fail. The Risk Level can be used to search across Pull Requests or to trigger Notifications.
  7. Configure the Core Code Policies:
  • Enable Blocking to fail the Check in GitHub. The Risk Level will automatically be set to Failing. This setting, together with GitHub Branch Protection Rules, can be used to block merging of a Pull Request. Note: see Configure Blocking for Code Policies.
  • Enable Silent Mode to prevent a Check from being displayed in GitHub. Results will still be available in the DryRun Security Dashboard, but will not show as a GitHub Check.
  • Choose the Risk Level returned by the Policy when it has Findings. Options are Info, Risky and Fail. The Risk Level can be used to search across Pull Requests or to trigger Notifications.
  8. Click Save.

Done!

The Configuration will now be used by DryRun Security when it executes in the selected Repositories.

Configure Blocking for Code Policies

Both Natural Language Code Policies and Core Code Policies can be used together with Branch Protection Rules to block merging into a codebase. After setting the Code Policies to Blocking, follow these steps to block merges with a Branch Protection Rule.

Set up a Classic Branch Protection Rule

Note: This guide shows the minimum steps needed to use Code Policies and Branch Protection to block a merge; see the GitHub documentation for more details.

On GitHub, navigate to the main page of the repository.

Under your repository name, click Settings.

In the Code and automation section of the sidebar, click Branches.

Choose Add classic branch protection rule.

Under Branch name pattern, type the name of the branch to protect. For example, main below.

Select Require status checks to pass before merging.

In the search field, search for the DryRun Security status checks to require. Choose Code Policies for Natural Language Code Policies or the name of the Policy for Core Code Policies, for example Secrets Analyzer.

The configuration below shows Code Policies, Secrets Analyzer and SQL Injection Analyzer as required for this Rule.

Click Create to create and save this Branch Protection Rule.

Done!

Now, as changes are made to the code base and DryRun Security runs, the Checks will execute and potentially block merging.
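The rule created above only blocks merges if the DryRun Security checks really are in its list of required status checks. As an added example that is not part of this guide or of DryRun Security's own tooling, the audit below reads the JSON that GitHub's REST endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection returns for a branch and reports any expected check that is missing; the sample response, the check names expected for the repository and the hypothetical function names are assumptions constructed for the example, and the enforce_admins check goes one step beyond the minimum steps shown above.

```python
import json

# Status-check names as they appear in GitHub for the policies named in this guide.
# Which core policies a given repository requires is an assumption for this example.
NATURAL_LANGUAGE_CHECK = "Code Policies"
CORE_POLICY_CHECKS = ["Secrets Analyzer", "SQL Injection Analyzer"]

# Constructed sample of a branch-protection response, trimmed to the fields the
# audit reads. A live response (e.g. from `gh api`) carries many more fields.
SAMPLE_PROTECTION_JSON = json.dumps({
    "required_status_checks": {
        "strict": True,
        "contexts": ["Code Policies", "Secrets Analyzer"],
        "checks": [
            {"context": "Code Policies", "app_id": 12345},
            {"context": "Secrets Analyzer", "app_id": 12345},
        ],
    },
    "enforce_admins": {"enabled": False},
})


def required_contexts(protection: dict) -> set:
    """Collect the status-check names the rule requires (both legacy and new fields)."""
    rsc = protection.get("required_status_checks") or {}
    names = set(rsc.get("contexts") or [])
    names.update(c["context"] for c in (rsc.get("checks") or []) if "context" in c)
    return names


def audit_blocking(protection_json: str, expected: list) -> list:
    """Return a list of problems; an empty list means the rule blocks as intended."""
    protection = json.loads(protection_json)
    if "required_status_checks" not in protection:
        return ["'Require status checks to pass before merging' is not enabled"]
    have = required_contexts(protection)
    problems = [f"missing required check: {name}" for name in expected if name not in have]
    # Beyond the guide's minimum: without this, repository admins can merge anyway.
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        problems.append("enforce_admins is off: administrators can bypass the required checks")
    return problems


if __name__ == "__main__":
    for problem in audit_blocking(SAMPLE_PROTECTION_JSON, [NATURAL_LANGUAGE_CHECK] + CORE_POLICY_CHECKS):
        print("WARN:", problem)
```

Against a real repository, feed the output of `gh api repos/OWNER/REPO/branches/main/protection` to audit_blocking instead of the constructed sample.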

When a Natural Language Code Policy has Blocking enabled, it will appear as a single Check in GitHub under the name Code Policies as below.

When a Core Code Policy has Blocking enabled, it will appear as a single Check in GitHub with the name of the policy. For example, Secrets Analyzer below.

Click the name of the Check, or choose Details under the ... menu, to see more details about the Status Check.