ASPM v1.5.0
I. Highlights
FPT Smart Cloud introduces a new version of AppSec in the FPT Security Platform (FSP) with the ability to enforce security controls directly in the MR/PR workflow through Security Gate.
This release adds automated PASS/FAIL evaluation based on scan results and configurable thresholds per scan type — Code Analysis, Secret Scanning, and IaC Scanning — preventing source code with vulnerabilities or secrets above allowed thresholds from being merged. The system also supports merge scan mode via CI/CD pipeline, provides cURL examples for MR/PR scan, and returns results through the API for DevSecOps integration.
II. Released Features
1. MR/PR Scan
a. Description
Lets users trigger MR/PR scans via CI/CD pipeline to check the security of source code before merging into the main branch. This release adds merge scan mode for evaluating scan results directly within the MR/PR flow.
b. Features
- Trigger MR/PR scans via CI/CD pipeline
- Merge scan mode for MR/PR workflows
- cURL examples for merge scan mode: Scan Code and Scan Secret
- Scan results returned via API for CI/CD pipeline integration
- PASS/FAIL evaluation when combined with Security Gate
c. Capacity
- Simultaneous scanning of multiple MR/PR requests
- Integration with multiple CI/CD pipeline types
- Multiple security scan types within a single MR/PR workflow
d. Performance
- Fast scan triggering via API
- Scan results returned automatically in the pipeline
- Optimized scan processing for MR/PR workflows
2. Security Gate
a. Description
Security Gate controls source code security before merging MR/PR by applying configurable Security Conditions. The system evaluates scan results against configured thresholds to determine PASS or FAIL for each MR/PR.
b. Features
- Enable / Disable Security Gate per organization
- Security Gate status display: Active / Inactive
- Evaluate MR/PR scans against configured Security Conditions
- Configure thresholds per scan type:
- Code Analysis
- Secret Scanning
- IaC Scanning
- Configure thresholds per severity: Max Criticals, Max Highs, Max Mediums, Max Lows
- Edit Security Gate configuration
- Apply Security Gate to a list of repositories
- Search repositories by repository path
- Auto-apply Security Gate to newly scanned repositories
- Confirmation popup when enabling / disabling Security Gate
- Return PASS/FAIL results via API in CI/CD pipeline
- Display Security Gate status in Asset Management and Asset Detail → Overview tab
c. Capacity
- Manage and apply Security Gate to multiple repositories
- Multiple security scan types simultaneously within a single policy
- Process MR/PR scans within configured repository scope
d. Performance
- Fast Security Gate screen load time
- Fast Enable / Disable status updates
- Optimized display of repository lists and security conditions
- MR/PR evaluation processed automatically based on current Security Gate configuration