Many large enterprises employ thousands of employees across numerous facilities distributed throughout the world. As part of normal business operations, numerous types of persistent artifacts or objects may be generated in different parts of the enterprise and stored in corresponding persistent repositories. At enterprises that implement network-accessible services (such as various types of cloud-based computing services and/or storage services), for example, such artifacts may include source code files used for the implementation of different services, account records, network configuration records, server or host configuration records and the like. In some cases, hundreds of thousands of such artifacts, or even millions of such artifacts, may eventually reside in various artifact repositories as new projects are implemented to support various business goals.
In at least some enterprises, information security departments may be established, responsible for ensuring that the artifacts meet various security-related criteria. For example, as more and more network-based attacks (such as denial-of-service or DOS attacks, malware-based attacks and the like) are directed to business entities, it has become increasingly important to ensure that the software packages being used at an enterprise do not use out-of-date or unpatched networking code that may be vulnerable to such attacks. Similarly, an information security department may be charged with ensuring that the user accounts that could potentially be used to access various resources of the enterprise meet certain policy-defined criteria—e.g., that bogus accounts are not created and provided with permissions to sensitive business data, that secure passwords are used, or that passwords are changed periodically.
A number of different techniques have conventionally been used to try to enforce artifact security and quality objectives. For example, the text of all the files of a given source code repository may be scanned periodically to check for the use of vulnerable libraries or algorithms, and corrective actions may be triggered for those files that are tagged as policy violators. In some cases, because of the large numbers of artifacts involved, the policy violation detection operations as well as the corrective actions may require non-trivial amounts of resources and/or time. Furthermore, at least some of the artifacts that are flagged as policy violators using such techniques may be “false positives” that do not necessarily require corrective actions to be taken.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.