Network and Access Permissions

To ensure Lineaje SCA360 operates seamlessly in environments with strict security controls, specific network endpoints and access permissions must be configured. These settings allow secure communication between SCA360, Lineaje backend services, package repositories, and AWS resources without exposing sensitive data. Proper configuration ensures uninterrupted scanning, SBOM generation, and automation workflows while maintaining compliance with organizational network policies.

Allowlist Network Permissions

If your environment enforces network restrictions, you must allow the following URLs to ensure proper connectivity and functionality:

Service
URLs

Lineaje Backend Services

https://*.v2.prod.veedna.com

Lineaje S3 Locations

https://us-east-1-commercialprod-veedna-opa.s3.amazonaws.com/*

https://us-east-1-commercialprod-veedna-sbomreport-bucket.s3.amazonaws.com/*

https://us-east-1-commercialprod-veedna-datapipeline.s3.amazonaws.com/*

Source Repository

https://github.com

Maven Central (including Gradle)

https://repo.maven.apache.org

https://repo1.maven.org

https://repo.spring.io

https://oss.sonatype.org

https://maven.google.com

https://dl.google.com

npm Registry and JavaScript Registry

https://registry.npmjs.org

Python Package Index (PyPI)

https://pypi.org

Rust Package Repository

https://crates.io

RubyGems Repository

https://rubygems.org

NuGet Gallery

https://api.nuget.org

Go Modules

https://sum.golang.org

https://proxy.golang.org

https://golang.org

https://google.golang.org

https://pkg.go.dev

Vulnerability Lookup

https://*.anchore.io https://toolbox-data.anchore.io/

Required Access Permissions

The following table lists the required access permissions for each resource that SCA360 interacts with during deployment and operation. These permissions ensure secure integration with AWS services and GitHub for scanning, SBOM generation, and automation workflows.

Resource
Purpose
Access Type
Access Permissions

Amazon Simple Storage Service (S3)

To read metadata files stored in the bucket.

IAM Role

These permissions apply to the bucket where the metadata files are stored.

  • s3:GetObject

  • s3:ListBucket

  • Amazon Elastic Compute Cloud (ECR)

    • Amazon Key Management Service (KMS)

  • To pull and push container images from Amazon ECR for scanning and auto-remediation.

    • The purpose of KMS is to read metadata files stored in Amazon S3.

  • Cross-Account IAM Role

    • For KMS, IAM Role (with AWS-managed permissions automatically applied).

These permissions must be granted on the registry (or registries) where Lineaje SCA360 scans images and performs auto-remediation.

  • ecr:GetAuthorizationToken

  • ecr:BatchCheckLayerAvailability

  • ecr:GetDownloadUrlForLayer

  • ecr:BatchGetImage

  • ecr:InitiateLayerUpload

  • ecr:UploadLayerPart

  • ecr:CompleteLayerUpload

  • ecr:PutImage

  • ecr:DescribeRepositories

  • ecr:ListImages

  • ecr:DescribeImages

  • kms:Decrypt

  • kms:DescribeKey

No explicit S3 permissions are required for KMS. AWS automatically grants your IAM role the necessary access when interacting with S3. Explicit permissions are only needed if you use customer-managed encryption keys.

GitHub

To read and write source code from repositories for scanning and auto-remediation.

Personal Access Token (PAT)

These permissions apply to the repository (or repositories) where Lineaje SCA360 scans source code and performs auto-remediation.

  • Contents (read, write)

  • Pull Requests (read, write)

  • Metadata (read)

AWS Secrets Manager

To securely store and retrieve GitHub PAT tokens.

IAM Role

These permissions apply to the secrets where the GitHub PAT is stored.

  • secretsmanager:GetSecretValue

  • secretsmanager:DescribeSecret

PreviousLineaje SCA360 InstallationNextPrerequisites

Last updated