Skip to main content

Policy Management

Overview

Policy Management is a mechanism to identify security risks across projects and scans.

Organizations often handle hundreds or even thousands of projects that undergo daily scans, with each project generating distinct scan results. To pinpoint projects with specific types of results, security engineers must manually review and prioritize findings.

By using policies, organizations can easily detect projects that violate their established security rules. For example, an organization may want to understand whether specific projects contain any high-severity findings from static code analysis or feature particular types of open-source packages, such as the recent log4j concerns.

Policy Management does not stop at identification alone; it enables organizations to develop automated responses for project violations, for example, to block a software build if it is violating a policy.

Once a scan is completed, the policies associated with the respective projects are assessed. These policies are then matched against the findings from the scan results.

Checkmarx One generates and maintains an incident report containing details of projects that violated policies during the scan. In upcoming versions, it will be possible to automate email notifications regarding these violations.

Creating a Policy

This section explains how to create a policy to flag specific situations requiring attention.

For each policy, you will define a set of rules that outline a custom compliance threshold. Each rule, in its turn, will include one or more condition sets that describe specific vulnerabilities associated with the policy.

Currently, policies can be created for the following scanners:

Figure 1. 
Creating_Policies_1.gif

GIF - How to create a new Policy



Policy Details

To create a policy, perform the following:

  1. Click on the Policy Management icon Policy_Settings.png.

  2. Click on Create New Policy.

  3. In the Policy Details screen, provide the following information:

    • Policy Name - Name the policy.

    • Description (optional) - Add a description.

    • Set policy as default for new and existing projects (optional) - If checked, the policy will be set as default for both new and existing projects.

    • Associated Tags (optional) - Assign project tags to the policy.

    • Click Save & Continue

      Policy_Details.png

    Action upon Violations section is added to the screen.

Creating a SAST Policy

In the Action upon Violations section perform the following:

  1. Break the build - Breaks the software build for a scanned repository that violates the configured rules.

  2. Send a notification via Email - Send an email to the recipients about violated projects.

  3. Rules - Click Select Scanner > SAST

    Select_SAST_Scanner.png

  4. Click + Add Rule

    The Add a SAST Rule pane appears on the right side of the screen.

In the Add a SAST Rule pane, perform the following:

  1. Rule Name - Name the rule.

  2. Rule Definition - Entity Type > Select Entity > Vulnerability

    Add_SAST_Rule.png

  3. Click + Add Condition

  4. Configure the following:

    • Rule Subject:

      • Severity - High/Medium/Low/Info

        or

      • Result Status - New/Recurrent

    • Operator: > / >= / < / <= / =

    • Value: Numeric value

      Add_SAST_Rule2.png

    Note

    • It is possible to configure more than one rule.

    • Entities and conditions are linked by an AND relationship. This means that all specified conditions must be met simultaneously for the associated entities to be considered.

  5. Click Save

    The Add a SAST Rule pane is closed and the rule is added.

  6. Projects - Click + Assign to Projects

    The Select Projects to Assign pane is opened.

  7. Assign a project to the policy.

    Note

    It is possible to search for projects using the Search field.

    Select_Projects_to_Assign.png

  8. Click Assign Projects

  9. Click Save Policy

Creating an IaC Security Policy

In the Action upon Violations section perform the following:

  1. Break the build - Breaks the software build for a scanned repository that violates the configured rules.

  2. Send a notification via Email - Send an email to the recipients about violated projects.

  3. Rules - Click Select Scanner > IaC Security

    Select_IaC_Security_Scanner.png

  4. Click + Add Rule

    Add a IaC Security Rule pane is opened on the right screen side.

In the Add an IaC Security Rule pane, perform the following:

  1. Rule Name - Name the rule.

  2. Rule Definition - Entity Type > Select Entity > Vulnerability

    Add_IaC_Security_Rule.png

  3. Click + Add Condition

  4. Configure the following:

    • Rule Subject:

      • Severity - High/Medium/Low

        or

      • Result Status - New/Recurrent

    • Operator: > / >= / < / <= / =

    • Value: Numeric value

      Add_IaC_Security_Rule2.png

    Note

    • It is possible to configure more than one rule.

    • Entities and conditions are linked by an AND relationship. This means that all specified conditions must be met simultaneously for the associated entities to be considered.

  5. Click Save

    The Add an IaC Security Rule pane is closed and the rule is added.

  6. Projects - Click + Assign to Projects

    The Select Projects to Assign pane is opened.

  7. Assign a project to the policy.

    Note

    It is possible to search for projects using the Search field.

    Select_Projects_to_Assign.png

  8. Click Assign Projects

  9. Click Save Policy

Policies and Incidents

After a policy is created and saved, two tables are presented.

  • Policies - Contains all the configured policies.

    When hovering on a policy, an ellipsis More_Options.png appears on the right side.

    It is possible to perform the following actions for every policy:

    • Edit the policy

    • Delete the policy

    • Pin the policy - Pin the policy to the top of the table.

      Policies_More_Options.png

  • Incidents - Contains all the incidents where policies were violated.

In this section: