Gerrit Code Review
OX Security integrates with Gerrit Code Review—an extensible, self-hosted code review and Git repository management platform designed for organizations seeking fine-grained control over code submissions. Connecting Gerrit enables deep security scanning of code and pull request workflows while keeping repositories behind your firewall.
Why Connect Gerrit to OX Security
Integrating Gerrit with OX brings key benefits:
Full SAST, secrets scanning, SCA, and IaC analysis applied directly to changes under review.
Instant insights mapped to Gerrit changes, patchsets, and reviews.
Works completely in offline or on-premises environments—even behind strict network restrictions.
Bridges review workflows and security operations without external cloud dependencies.
Connection Methods and Security Considerations
OX supports the following authentication methods for Gerrit integrations.
Basic Authentication (Username and Password or API Token)
Security Considerations:
Requires storing credentials or tokens within OX Connector settings.
Credentials can be scoped to read-only; if the account is granted broader access, a leaked or misused credential carries a privilege escalation risk.
For minimal risk, use least-privileged service accounts and rotate credentials periodically.
Setup Steps:
Open the Gerrit Code Review connector in the OX UI.
Choose the Basic Auth / Token method.
Provide your Gerrit server URL (HTTP or HTTPS).
Enter the username and password or API token.
Click Connect. Ensure OX has access to your Gerrit instance (e.g. VPN, firewall rules).
OAuth or Single Sign-On (if supported)
Security Considerations:
Some Gerrit deployments support SSO providers (e.g. OpenID, SAML).
OAuth flows avoid storing credentials in OX directly.
Enforces enterprise SSO policies such as MFA or centralized access control.
Setup Steps:
In the connector UI, select the OAuth / Identity Provider option.
Authenticate via your SSO provider (e.g. OpenID).
Grant OX requested access to read Gerrit project and review data.
Note: OAuth support may require custom Gerrit plugins or specific server configurations.
Repository and Change Discovery
Upon successful connection:
OX automatically scans projects and repositories managed by Gerrit.
Integrates with Gerrit change events to analyze patchsets before merging.
Administrators can select which projects to include in scanning or configure automatic inclusion of new ones.
OX does not require public access to the Gerrit instance; all scanning data stays within your network.
Recommended Best Practices
If supported, prefer OAuth or SSO-based authentication to reduce credential management risks.
If using Basic Auth, ensure credentials are scoped to read-only, rotated regularly, and stored securely.
Use a dedicated service account limited to read access on repositories and changes.
Ensure network connectivity allows for consistent scanning (e.g. firewall rules, VPN, reverse proxy).
Periodically review access logs and connector configurations to validate least-privilege compliance.
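The read-only and least-privilege checks above can be verified against Gerrit itself. The following is an added example, not code from OX Security or the Gerrit project: it reads the connector account's global capabilities from Gerrit's documented REST endpoint /a/accounts/self/capabilities (responses carry the ")]}'" anti-XSSI prefix, which must be stripped), and reports any privileged capability the account should not hold. The capability names come from Gerrit's access control documentation; the base URL, account name and sample response are constructed for illustration.

```python
import base64
import json
import urllib.request

# Gerrit global capabilities that a read-only scanning account should not hold.
PRIVILEGED_CAPABILITIES = {
    "administrateServer", "accessDatabase", "createAccount", "createGroup",
    "createProject", "flushCaches", "killTask", "maintainServer",
    "modifyAccount", "runAs", "runGC",
}

# Gerrit prefixes every JSON response with this line to defeat XSSI.
XSSI_PREFIX = ")]}'"


def parse_gerrit_json(body: str):
    """Strip the anti-XSSI prefix and decode the JSON payload."""
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    return json.loads(body)


def excess_capabilities(capabilities: dict) -> list:
    """Return the privileged capabilities the account actually holds, sorted."""
    return sorted(name for name in PRIVILEGED_CAPABILITIES if capabilities.get(name))


def fetch_self_capabilities(base_url: str, username: str, secret: str) -> dict:
    """GET /a/accounts/self/capabilities with HTTP basic auth.

    The /a/ path prefix selects Gerrit's authenticated REST API.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/a/accounts/self/capabilities")
    token = base64.b64encode(f"{username}:{secret}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_gerrit_json(resp.read().decode("utf-8"))


# Constructed sample: a service account that was (wrongly) granted admin rights.
SAMPLE_RESPONSE = (
    ")]}'\n"
    '{"administrateServer":true,"createProject":true,'
    '"queryLimit":{"min":0,"max":500},"priority":"INTERACTIVE"}\n'
)

if __name__ == "__main__":
    # Replace with fetch_self_capabilities("https://gerrit.example.com", "ox-scanner", "<token>")
    found = excess_capabilities(parse_gerrit_json(SAMPLE_RESPONSE))
    print("privileged capabilities held:", found or "none")
```

An empty result means the account holds none of the listed global capabilities; project-level access (Read vs. Push/Submit) is governed separately by Gerrit's access rules and should be reviewed as well.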
Summary Table
OAuth / SSO | Very Low | Yes | Recommended if available
Basic Auth / Token | Medium to High | Use service account | Rotate frequently and scope minimally
Security Posture
By integrating Gerrit into your OX instance, security scanning is brought into the code review workflow, enabling developers and reviewers to detect and remediate issues early. OX gathers commit history, project metadata, and patchset content for visibility into security risk across your codebase. Proper connector configuration ensures tight alignment with enterprise security policies and infrastructure restrictions.