Skip to main content

ASPM v1.5.0

I. Highlights

FPT Smart Cloud introduces a new version of AppSec in the FPT Security Platform (FSP) with the ability to enforce security controls directly in the MR/PR workflow through Security Gate.

This release adds automated PASS/FAIL evaluation based on scan results and configurable thresholds per scan type — Code Analysis, Secret Scanning, and IaC Scanning — preventing source code with vulnerabilities or secrets above allowed thresholds from being merged. The system also supports merge scan mode via CI/CD pipeline, provides cURL examples for MR/PR scan, and returns results through the API for DevSecOps integration.


II. Released Features

1. MR/PR Scan

a. Description

Lets users trigger MR/PR scans via CI/CD pipeline to check the security of source code before merging into the main branch. This release adds merge scan mode for evaluating scan results directly within the MR/PR flow.

b. Features

  • Trigger MR/PR scans via CI/CD pipeline
  • Merge scan mode for MR/PR workflows
  • cURL examples for merge scan mode: Scan Code and Scan Secret
  • Scan results returned via API for CI/CD pipeline integration
  • PASS/FAIL evaluation when combined with Security Gate

c. Capacity

  • Simultaneous scanning of multiple MR/PR requests
  • Integration with multiple CI/CD pipeline types
  • Multiple security scan types within a single MR/PR workflow

d. Performance

  • Fast scan triggering via API
  • Scan results returned automatically in the pipeline
  • Optimized scan processing for MR/PR workflows

2. Security Gate

a. Description

Security Gate controls source code security before merging MR/PR by applying configurable Security Conditions. The system evaluates scan results against configured thresholds to determine PASS or FAIL for each MR/PR.

b. Features

  • Enable / Disable Security Gate per organization
  • Security Gate status display: Active / Inactive
  • Evaluate MR/PR scans against configured Security Conditions
  • Configure thresholds per scan type:
    • Code Analysis
    • Secret Scanning
    • IaC Scanning
  • Configure thresholds per severity: Max Criticals, Max Highs, Max Mediums, Max Lows
  • Edit Security Gate configuration
  • Apply Security Gate to a list of repositories
  • Search repositories by repository path
  • Auto-apply Security Gate to newly scanned repositories
  • Confirmation popup when enabling / disabling Security Gate
  • Return PASS/FAIL results via API in CI/CD pipeline
  • Display Security Gate status in Asset Management and Asset Detail → Overview tab

c. Capacity

  • Manage and apply Security Gate to multiple repositories
  • Multiple security scan types simultaneously within a single policy
  • Process MR/PR scans within configured repository scope

d. Performance

  • Fast Security Gate screen load time
  • Fast Enable / Disable status updates
  • Optimized display of repository lists and security conditions
  • MR/PR evaluation processed automatically based on current Security Gate configuration