Currently you need the Project Manager role to be allowed to create an API key. If you do not have this role, either ask your Project Manager to provide you with a key, or ask your Account Administrator to elevate you to the Project Manager role.
Having the correct role, you will see the ADMINISTRATION section in the left-side menu. There, pick the SCANNERS and API KEYS entry.
On the following screen you can manage all API keys, see their usage, and activate or deactivate them.
The screen contains two current sections, each managing a different key type:
- Standard API keys - used to access the TrustSource API for executing actions
- Public Release keys - used to pull data associated with a particular software release / version
The remaining two sections exist only for backwards compatibility. API v2 introduced a new key-handling concept, which deprecates them.
Managing Standard API keys
The first section allows you to add, publish/unpublish, copy or delete API keys. You may limit the capabilities of a key to a particular role; see Roles and rights for more information on TrustSource's role concept. In addition, usage statistics are provided per key.
To create a key, use the blue button at the bottom of the section. This generates a new key. You will not be able to see or copy the key until you have published it. Publishing and unpublishing correspond to activation and deactivation, so you can pause the use of a key by unpublishing it and republish (reactivate) it at any time. The naming is a remnant of an earlier usage pattern.
You may also give the key a descriptive name. This name will later appear in the logs and across the application, so it is useful to relate it to the project, the CI/CD pipeline, or even the person using it.
In addition, you may limit what the key can do by assigning one or more roles. Note that a key without any role assigned has all rights. Assigning a role limits the key to the rights of that particular role; combining roles grants the sum of their rights. Assign the narrowest role that covers the intended use.
Next to each key you can see when it was last used. This helps to identify keys that are rarely used or have not been used for a long time. We suggest reviewing such keys in regular cycles and blocking (unpublishing) them.
The chart symbol opens a window showing the usage statistics of a key, which can be used to assess how it is being used. If, for example, a key's usage pattern changes, this might indicate misuse. In that case we suggest contacting the user and, if that is not possible, unpublishing the key.
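As an added example (not TrustSource's own code, and not a documented export format), the following Python script shows one way to run the review described above on a regular cycle: it flags published keys that have no role assigned (and therefore all rights), keys that have not been used for longer than a threshold, and keys whose daily call volume has changed compared with their recent baseline, including dormant keys that suddenly start making calls. The record layout, the thresholds, the role names and the sample data are all assumptions.

```python
"""Periodic hygiene review of TrustSource standard API keys.

Added example, not code from TrustSource. It assumes you have exported, for each
standard key, its name, publish state, assigned roles, last-used date and a
per-day call count series (the figures shown in the key's usage-statistics
window). The record layout, thresholds and sample data are all assumptions.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class KeyRecord:
    name: str                 # the descriptive name given to the key
    published: bool           # published == active, unpublished == blocked
    roles: List[str]          # empty list == no role assigned == all rights
    last_used: Optional[date]
    daily_calls: List[int]    # oldest first, one entry per day


# Review policy (assumed thresholds; adjust to your own review cycle).
UNUSED_DAYS = 90      # unpublish keys not used for at least this long
BASELINE_DAYS = 28    # days that establish the key's normal call volume
RECENT_DAYS = 7       # window compared against that baseline
SPIKE_FACTOR = 3.0    # recent daily mean above SPIKE_FACTOR x baseline mean is suspicious


def unused_too_long(key: KeyRecord, today: date) -> bool:
    """A key that has never been used, or not for UNUSED_DAYS, is stale."""
    if key.last_used is None:
        return True
    return (today - key.last_used).days >= UNUSED_DAYS


def usage_pattern_changed(key: KeyRecord) -> bool:
    """Compare the last RECENT_DAYS against the BASELINE_DAYS before them.

    A dormant key that suddenly starts making calls is flagged too, since a
    zero baseline would otherwise hide any spike.
    """
    needed = BASELINE_DAYS + RECENT_DAYS
    if len(key.daily_calls) < needed:
        return False  # not enough history to judge
    window = key.daily_calls[-needed:]
    baseline, recent = window[:BASELINE_DAYS], window[BASELINE_DAYS:]
    base_mean = mean(baseline)
    if base_mean == 0:
        return sum(recent) > 0
    return mean(recent) > SPIKE_FACTOR * base_mean


def review_keys(keys: List[KeyRecord], today: date) -> Dict[str, List[str]]:
    """Return {key name: [findings]} for every published key that needs attention."""
    findings: Dict[str, List[str]] = {}
    for key in keys:
        if not key.published:
            continue  # already blocked; nothing to do
        issues = []
        if not key.roles:
            issues.append("no role assigned: key holds all rights, restrict it to a role")
        if unused_too_long(key, today):
            issues.append("not used for >= 90 days: unpublish it")
        if usage_pattern_changed(key):
            issues.append("call volume changed: contact the owner, else unpublish it")
        if issues:
            findings[key.name] = issues
    return findings


# Constructed sample export (not real TrustSource data). Role names are examples.
TODAY = date(2024, 6, 1)
SAMPLE_KEYS = [
    KeyRecord("ci-build-main", True, ["Developer"], date(2024, 5, 31), [20] * 35),
    KeyRecord("legacy-jenkins", True, ["Project Manager"], date(2024, 1, 15), [0] * 35),
    KeyRecord("alice-laptop", True, [], date(2024, 5, 31), [5] * 28 + [40] * 7),
    KeyRecord("report-puller", True, ["Project Manager"], TODAY, [0] * 34 + [12]),
    KeyRecord("old-integration", False, [], None, [0] * 35),
]

if __name__ == "__main__":
    for name, issues in review_keys(SAMPLE_KEYS, TODAY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On the constructed data the script reports the long-unused Jenkins key, the role-less laptop key whose volume jumped, and the dormant report key that woke up; the healthy CI key and the already-unpublished key produce no findings. The spike check is deliberately simple (mean of a recent window against a baseline window); for keys with strongly periodic usage, such as a weekly release pipeline, compare like with like or widen the windows before acting on a finding.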
Managing Public Release Keys
Public release keys have been defined to allow the publication of SBOMs, NoticeFiles, SOUP lists or CSAF documents such as VEX to third parties. Whenever you build an application and it reaches an approved state, you may decide to create such a Public Release Key. This key can accompany the particular release, and whoever calls the TrustSource API with this key will receive the requested documentation: SBOM, NoticeFile, SOUP list, CSAF advisory or VEX. Anyone who obtains the key can pull these documents, so share it only where you intend the release documentation to be readable.
To create such a key, press the create button and select the approved project/module and version. The key is associated with this particular version and, hence, with the related documents. Pulling such data counts towards your API call count.