# Gerrit Code Review

OX Security integrates with Gerrit Code Review, an extensible, self-hosted code review and Git repository management platform designed for organizations that want fine-grained control over code submissions. Connecting Gerrit enables security scanning of code and change review workflows while keeping repositories behind your firewall.

## Why Connect Gerrit to OX Security

Integrating Gerrit with OX brings key benefits:

* Full SAST, secrets scanning, SCA, and IaC analysis applied directly to changes under review.
* Instant insights mapped to Gerrit changes, patchsets, and reviews.
* Works in on-premises environments behind strict network restrictions, as long as OX can reach the Gerrit instance (for example over a VPN or through firewall rules).
* Bridges review workflows and security operations without external cloud dependencies.

## Connection Methods and Security Considerations

OX supports the following authentication methods for Gerrit integrations.

### Basic Authentication (Username and Password or API Token)

Security Considerations:

* Requires storing the service account's credential (in Gerrit, a generated HTTP password) in the OX Connector settings.
* A Gerrit HTTP password carries the full permissions of the account it belongs to; there is no per-token scope. Restrict the service account itself, through its group memberships and project access rules, to read access so that a leaked credential cannot push, review, or submit changes.
* For minimal risk, use a dedicated least-privileged service account and rotate the credential periodically by regenerating the HTTP password in Gerrit's user settings.

Setup Steps:

1. Open the Gerrit Code Review connector in the OX UI.
2. Choose the Basic Auth / Token method.
3. Provide your Gerrit server URL. Use HTTPS: Basic authentication sends the credential base64-encoded (not encrypted) with every request, so over plain HTTP it is readable on the wire.
4. Enter the service account's username and its Gerrit-generated HTTP password (or the API token your deployment issues).
5. Click Connect. Ensure OX can reach your Gerrit instance (e.g. VPN, firewall rules).
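
Once the connector is working, it is worth verifying that the service account really is read-only rather than trusting the group configuration. The following Python script is an added example, not part of the OX product or the Gerrit project: it authenticates to Gerrit's REST API with HTTP Basic auth, strips the `)]}'` prefix Gerrit puts in front of every JSON response, and queries `GET /a/access/?project=<name>` for each project, flagging any `ProjectAccessInfo` whose `is_owner`, `can_upload`, `can_add` or `can_add_tags` flag is set. The hostname, account name, project names and sample responses are constructed for illustration; it refuses to send credentials over anything but HTTPS, and it does not check global capabilities, only project-level rights.

```python
"""Audit a Gerrit service account for read-only access via the REST API."""
import base64
import json
import urllib.parse
import urllib.request

# Gerrit prefixes every JSON response with this XSSI guard before the payload.
XSSI_PREFIX = ")]}'"
# ProjectAccessInfo flags that mean the calling account can do more than read.
WRITE_FLAGS = ("is_owner", "can_upload", "can_add", "can_add_tags")


def basic_auth_header(username, http_password):
    """Authorization header for Gerrit's authenticated /a/ REST endpoints.

    The credential is only base64-encoded, not encrypted, which is why
    access_url() refuses anything but HTTPS.
    """
    raw = f"{username}:{http_password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def parse_gerrit_json(body):
    """Strip the )]}' prefix and decode the JSON document that follows it."""
    text = body.decode("utf-8") if isinstance(body, bytes) else body
    if text.startswith(XSSI_PREFIX):
        text = text[len(XSSI_PREFIX):]
    return json.loads(text)


def access_url(base_url, project):
    """GET /a/access/?project=<name>; slashes in project names must be %2F."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    encoded = urllib.parse.quote(project, safe="")
    return f"{base_url.rstrip('/')}/a/access/?project={encoded}"


def excess_privileges(access_info):
    """Return the write-capable flags that are set in one ProjectAccessInfo."""
    return [flag for flag in WRITE_FLAGS if access_info.get(flag)]


def urllib_fetch(url, headers):
    """Default fetcher: GET the URL and return the raw response body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def audit_service_account(base_url, username, http_password, projects,
                          fetch=urllib_fetch):
    """Map each project to the write flags the account holds there.

    An empty result means the account is read-only on every audited project.
    """
    headers = basic_auth_header(username, http_password)
    findings = {}
    for project in projects:
        info = parse_gerrit_json(fetch(access_url(base_url, project), headers))
        flags = excess_privileges(info.get(project, {}))
        if flags:
            findings[project] = flags
    return findings


# Constructed responses standing in for a live server (not captured data).
SAMPLE_RESPONSES = {
    "platform%2Fapi": b")]}'\n" + json.dumps({"platform/api": {
        "revision": "0123abcd", "can_upload": False, "can_add": False,
        "can_add_tags": False, "is_owner": False, "config_visible": True}}).encode(),
    "platform%2Fweb": b")]}'\n" + json.dumps({"platform/web": {
        "revision": "4567ef01", "can_upload": True, "can_add": False,
        "can_add_tags": True, "is_owner": False, "config_visible": True}}).encode(),
}


def fake_fetch(url, headers):
    """Offline stand-in for urllib_fetch that serves SAMPLE_RESPONSES."""
    if not headers["Authorization"].startswith("Basic "):
        raise ValueError("missing Basic Authorization header")
    return SAMPLE_RESPONSES[url.rsplit("project=", 1)[1]]


if __name__ == "__main__":
    # Hypothetical host, account and projects; the HTTP password is a placeholder.
    findings = audit_service_account(
        "https://gerrit.example.internal", "ox-scanner", "generated-http-password",
        ["platform/api", "platform/web"], fetch=fake_fetch)
    for project, flags in findings.items():
        print(f"{project}: service account can write ({', '.join(flags)})")
    print("OK: read-only everywhere" if not findings else "FAIL: tighten access rules")
```

Run it against a real instance by dropping the `fetch=fake_fetch` argument and passing the connector's URL, username and HTTP password; any project reported in `findings` has an access rule granting the service account more than it needs for scanning.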

### OAuth or Single Sign-On (if supported)

Security Considerations:

* Some Gerrit deployments support SSO providers (e.g. OpenID, SAML, OAuth).
* OAuth flows avoid storing the service account's password in OX directly.
* Lets enterprise SSO policies such as MFA and centralized access control apply to the integration.

Setup Steps:

1. In the connector UI, select the OAuth / Identity Provider option.
2. Authenticate via your SSO provider (e.g. OpenID).
3. Grant OX requested access to read Gerrit project and review data.

Note: OAuth and SAML authentication in Gerrit are provided by optional plugins (for example the gerrit-oauth-provider and saml plugins), so this option is only available if your Gerrit administrators have installed and configured one.

## Repository and Change Discovery

Upon successful connection:

* OX automatically discovers the projects and repositories managed by Gerrit.
* Consumes Gerrit change events to analyze each new patchset before the change is submitted.
* Administrators can select which projects to include in scanning or configure automatic inclusion of new ones.

OX does not require the Gerrit instance to be exposed to the public internet; scanning data stays within your network.

## Recommended Best Practices

* If supported, prefer OAuth or SSO-based authentication to reduce credential management risk.
* If using Basic Auth, ensure the service account is limited to read access, and that its HTTP password is rotated regularly and stored securely.
* Use a dedicated service account whose permissions are limited to reading repositories and changes.
* Ensure network connectivity allows for consistent scanning (e.g. firewall rules, VPN, reverse proxy).
* Periodically review Gerrit access logs and the connector configuration to confirm the account still holds only the permissions it needs.

## Summary Table

| Method             | Credential Risk | Least Privileged    | Notes                                 |
| ------------------ | --------------- | ------------------- | ------------------------------------- |
| OAuth / SSO        | Very Low        | Yes                 | Recommended if available              |
| Basic Auth / Token | Medium to High  | Use service account | Rotate frequently and scope minimally |

## Security Posture

By integrating Gerrit into your OX instance, security scanning is brought into the code review workflow, enabling developers and reviewers to detect and remediate issues early. OX gathers commit history, project metadata, and patchset content for visibility into security risk across your codebase. Proper connector configuration ensures tight alignment with enterprise security policies and infrastructure restrictions.
