Policy Management
Overview
Policy Management is a mechanism to identify security risks across projects and scans.
Organizations often handle hundreds or even thousands of projects that undergo daily scans, with each project generating distinct scan results. To pinpoint projects with specific types of results, security engineers must manually review and prioritize findings.
By using policies, organizations can easily detect projects that violate their established security rules. For example, an organization may want to understand whether specific projects contain any high-severity findings from static code analysis or feature particular types of open-source packages, such as the recent log4j concerns.
Policy Management does not stop at identification alone; it enables organizations to develop automated responses for project violations, for example, to block a software build if it is violating a policy.
Once a scan is completed, the policies associated with the respective projects are assessed. These policies are then matched against the findings from the scan results.
Checkmarx One generates and maintains an incident report containing details of projects that violated policies during the scan. In upcoming versions, it will be possible to automate email notifications regarding these violations.
Policy Configuration
This section explains creating a policy to flag specific situations requiring attention.
You will define rules for each policy that outline a custom compliance threshold. Each rule, in turn, will include one or more condition sets that describe specific vulnerabilities associated with the policy. Options for configuring conditions differ according to the scanner for which the rule is being created.
Currently, policies can be created for the following scanners:
SAST scanner - SAST Policy Conditions
SCA scanner - SCA Policy Conditions
IaC Security scanner - IaC Security Policy Conditions
Creating a Policy
To create a policy, perform the following:
In the main menu, select Scan Management > Policies.
Click on Create New Policy.
In the Policy Details section, provide the following information:
Policy Name - Enter a name for the policy.
Description (optional) - Add a description.
Associated Tags (optional) - Click to expand the display, and then enter the desired tags for the policy.
Click Save & Continue.
The Action upon Violations section is shown on the screen.
You can select the Break the build checkbox if you would like to break software builds for a scanned repository that violates the configured rules.
Note
This functionality might not yet be available in your production environment.
Add one or more Rules, as follows:
Each rule specifies conditions related to a specific scanner that will constitute a policy violation. The possible types of conditions are described below.
Click on Select Scanner to open the dropdown menu, and select the scanner for which you would like to add a rule.
Click on + Add Rule.
The rule configuration panel opens on the right side of the screen.
In the Rule Name field, enter a name for the rule.
Click + Add Condition and configure the condition. Options for condition configuration differ according to the scanner for which the rule is being created. The configuration options for each scanner are described below.
Assign the policy to one or more Projects as follows:
Click + Assign to Projects.
The Select Projects to Assign panel opens on the right side of the screen.
Select the checkbox next to each project you would like to assign.
Note
It is possible to search for projects using the Search field. You can also select the Select All in View option to select all currently loaded projects.
Click Assign Projects.
Click Save Policy.
The policy is created and activated.
Configuring Policy Conditions
Each policy rule consists of one or more conditions. A rule is violated when all of its conditions are met, and the policy is considered violated if any of its rules is violated. Each policy rule relates to results from a particular scanner, and the types of conditions that can be configured differ for each scanner. The following sections explain the options for configuring conditions for each scanner.
SAST Policy Conditions
In the Rule Definition section, click Select Entity, and select the desired entity from the dropdown list. Currently, the only supported type is Vulnerability.
Click + Add Condition
Configure the following:
Rule Subject:
Severity - High/Medium/Low/Info
or
Result Status - New/Recurrent
Operator: > / >= / < / <= / =
Value: Numeric value
Notice
For example, if for Entity Type Vulnerability you set the Rule Subject as High, the Operator as ">", and the Value as 2, then a project with 3 or more High severity SAST vulnerabilities is in violation of this rule.
Note
It is possible to configure more than one rule.
Entities and conditions are linked by an AND relationship. This means that all specified conditions must be met simultaneously for the associated entities to be considered.
SCA Policy Conditions
The following sections describe the various types of SCA policy conditions that can be configured.
Package Conditions
Type | Description | Values specified |
---|---|---|
Is Used | The rule applies only to packages that are being used in the project. Tip: This is only supported for Projects for which the Exploitable Path feature is supported. | none |
Is Outdated | The rule applies only to packages for which a more recent version is available. | none |
Named | The rule applies only to the packages with the specified name. | Specify the full name of the package. |
Name Contains | The rule applies only to packages that have the specified string in their name. | Specify a string that is contained in the package name. |
Version is Higher than | The rule applies only to packages with a version higher than the specified version. | Specify the version number that it must be higher than. |
Version is Lower than | The rule applies only to packages with a version lower than the specified version. | Specify the version number that it must be lower than. |
Is not a Dev dependency | The rule only applies to packages that aren’t Dev dependencies. | none |
Is not a Test dependency | The rule only applies to packages that aren’t Test dependencies. | none |
Is a Direct dependency | The rule only applies to Direct dependencies (not to Transitive dependencies). | none |
Is Malicious | The rule only applies to packages that are identified as Malicious Supply Chain vulnerabilities. | none |
Vulnerability Conditions
Type | Description | Values specified |
---|---|---|
has Exploitable Path | There is an Exploitable Path by which the vulnerable methods are actually used by your code. See Exploitable Path. Tip: This is only supported for Projects in which the Exploitable Path feature is activated. | none |
has a Remediation Recommendation | Checkmarx offers a remediation recommendation for eliminating the vulnerability from your Project. See Remediation Tasks Tab. Tip: This is only supported for Projects in which the Exploitable Path feature is activated. | none |
CVSS score is greater than or equal to | The CVSS score of the vulnerability is greater than or equal to the specified value. Tip: The latest available CVSS version is used for this assessment. | Specify the minimum CVSS score for this condition. |
Severity level is | The vulnerability has the specified severity level. | Select one or more severity levels (High, Medium, Low) for the vulnerabilities in this condition. |
CWE Category | The vulnerability has the specified CWE. | Specify the number of the CWE. |
CVE ID is | The vulnerability has the specified CVE ID. | Specify a CVE ID, e.g., CVE-2019-2391. |
number of Days Since Publication is greater than | The number of days since the vulnerability was published is greater than the specified value. | Specify the number of days that the value must be greater than. |
Supply Chain Risk Conditions
Type | Description | Values specified |
---|---|---|
Severity level is | The vulnerability has the specified severity level. | Select one or more severity levels (High, Medium, Low) for the vulnerabilities in this condition. |
License Conditions
Type | Description | Values specified |
---|---|---|
Named | Specify one or more specific licenses for this condition. | Select one or more licenses from the dropdown list of licenses in your account. |
Legal Risk level is | The Legal Risk has the specified severity level. | Select one or more severity levels (High, Medium, Low) for this condition. |
IaC Security Policy Conditions
In the Rule Definition section, click on Select Entity, and then select the desired entity from the dropdown list. Currently, the only supported type is Vulnerability.
Click + Add Condition
Configure the following:
Rule Subject:
Severity - High/Medium/Low
or
Result Status - New/Recurrent
Operator: > / >= / < / <= / =
Value: Numeric value
Notice
For example, if for Entity Type Vulnerability you set the Rule Subject as High, the Operator as ">", and the Value as 2, then a project with 3 or more High severity IaC Security vulnerabilities is in violation of this rule.
Note
It is possible to configure more than one rule.
Entities and conditions are linked by an AND relationship. This means that all specified conditions must be met simultaneously for the associated entities to be considered.
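The following is an added illustration, not Checkmarx code, of how the SAST and IaC Security rule semantics described above evaluate against a set of scan results: counts per Severity or Result Status are compared with the chosen Operator and Value, conditions within a rule are ANDed, and any violated rule violates the policy. The class names, field names and sample results are assumptions made for this example.

```python
# Added example, not Checkmarx code: evaluates the documented SAST / IaC rule
# semantics. Class and field names are assumptions made for this illustration.
from dataclasses import dataclass

# Operators exactly as listed on the page: > / >= / < / <= / =
OPERATORS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}

@dataclass(frozen=True)
class Condition:
    subject: str   # Rule Subject: "severity" or "status"
    key: str       # e.g. "High" (severity) or "New" (result status)
    operator: str  # one of OPERATORS
    value: int     # the numeric Value the count is compared against

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: list  # Condition objects; all must hold for a violation

def count_matching(results, cond):
    """Count results whose severity or status equals the condition's key."""
    return sum(1 for r in results if r[cond.subject] == cond.key)

def rule_violated(results, rule):
    """AND relationship: every condition of the rule must be met."""
    return all(OPERATORS[c.operator](count_matching(results, c), c.value)
               for c in rule.conditions)

def violated_rules(results, rules):
    """Names of violated rules; a non-empty list means the policy is violated."""
    return [r.name for r in rules if rule_violated(results, r)]

# Constructed scan results for one project (not real findings).
SAMPLE_RESULTS = [
    {"severity": "High", "status": "New"},
    {"severity": "High", "status": "Recurrent"},
    {"severity": "High", "status": "New"},
    {"severity": "Medium", "status": "New"},
]
# The page's own example: Severity High, Operator ">", Value 2.
HIGH_GT_2 = Rule("more than 2 High", [Condition("severity", "High", ">", 2)])
# Two ANDed conditions: 3 High holds, but only 3 New results, so "> 3" fails.
HIGH_AND_NEW = Rule("High and new", [Condition("severity", "High", ">=", 3),
                                    Condition("status", "New", ">", 3)])
```

With the constructed results, `violated_rules(SAMPLE_RESULTS, [HIGH_GT_2, HIGH_AND_NEW])` reports only the first rule, because the second rule's conditions are not all met.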
Viewing Policies and Incidents
After a policy is created and saved, two tables are presented.
Policies - Contains all the configured policies.
When hovering on a policy, an ellipsis appears on the right side.
It is possible to perform the following actions for each policy:
Edit the policy
Delete the policy
Pin the policy - Pin the policy to the top of the table.
Incidents - Shows all of the incidents in which policies were violated.