Policy Management
Overview
Policy Management is a mechanism to determine the security risks throughout projects and scans.
Organizations can have hundreds or thousands of projects that are scanned on a daily basis, and each project produces different scan results. To understand which projects contain specific result types, a security engineer would otherwise need to go over the findings manually and prioritize them.
By using policies, organizations can easily identify which projects violate the security policies that they created.
For example: an organization wants to understand if specific projects contain any high severity findings for static code analysis, or a specific type of open-source package (log4j for instance). The same applies to IaC (Infrastructure as Code) Security, API Security, etc.
The purpose of the feature is to help organizations build automation on top of the findings of violated projects, for example to block a build* because of policy violations.
When a scan finishes, the policies attached to the scanned project are evaluated against the findings in the scan results.
Checkmarx One creates and maintains an incident report with all the policy violations that occurred during the scan, or sends an email notification* about them.
Policy management workflow:
Checkmarx One waits for a scan to finish.
Checks whether a policy is attached to the scanned project.
Evaluates the rules of the policy.
Creates an incident report with all the violated projects, or sends an email notification about them.
Note
* Email notification - This feature is not available in the current version.
* Block a build if enabled - This feature is not available in the current version.
Creating a Policy
Create a policy to flag specific situations that you want to call attention to. For each policy, specify a series of rules that define a custom compliance threshold.
Each rule includes one or more “sets” of conditions. For each set of conditions you can specify which vulnerabilities the policy relates to.
It is possible to create a policy for the following scanners:
SAST scanner - Creating a SAST Policy
IaC Security scanner - Creating an IaC Security Policy
Policy Details
To create a policy, perform the following:
Click the Policy Management icon.
Click Create New Policy.
In the Policy Details screen, perform the following:
Policy Name - Name the policy.
Description (optional) - Add a description.
Set policy as default for new and existing projects (optional) - Automatically attaches all existing and new projects to the policy.
Associated Tags (optional) - Assign project tags to the policy.
Click Save & Continue.
The Action upon Violations section is added to the screen.
Creating a SAST Policy
Break the build - Breaks the build of the scanned repository that violated the configured rules.
Send a notification via Email - Send an email to the recipients about violated projects.
Rules - Click Select Scanner > SAST
Click + Add Rule
The Add a SAST Rule pane opens on the right side of the screen.
Rule Name - Name the rule.
Rule Definition - Entity Type > Select Entity > Vulnerability
Click + Add Condition
Configure the following:
Rule Subject:
Severity - High/Medium/Low/Info
or
Result Status - New/Recurrent
Operator: > / >= / < / <= / =
Value: Numeric value
Note
It is possible to configure more than one rule.
There is an AND relation between entities and conditions.
Click Save
The Add a SAST Rule pane closes and the rule is added.
Projects - Click + Assign to Projects
The Select Projects to Assign pane opens.
Select the projects to assign to the policy.
Note
It is possible to search for projects using the search field.
Click Assign Projects
Click Save Policy
Creating an IaC Security Policy
Break the build - Breaks the build of the scanned repository that violated the configured rules.
Send a notification via Email - Send an email to the recipients about violated projects.
Rules - Click Select Scanner > IaC Security
Click + Add Rule
The Add an IaC Security Rule pane opens on the right side of the screen.
Rule Name - Name the rule.
Rule Definition - Entity Type > Select Entity > Vulnerability
Click + Add Condition
Configure the following:
Rule Subject:
Severity - High/Medium/Low
or
Result Status - New/Recurrent
Operator: > / >= / < / <= / =
Value: Numeric value
Note
It is possible to configure more than one rule.
There is an AND relation between entities and conditions.
Click Save
The Add an IaC Security Rule pane closes and the rule is added.
Projects - Click + Assign to Projects
The Select Projects to Assign pane opens.
Select the projects to assign to the policy.
Note
It is possible to search for projects using the search field.
Click Assign Projects
Click Save Policy
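The following is an added example, not Checkmarx One code, that models the rule structure described in the SAST and IaC Security procedures above and the post-scan evaluation workflow: a rule scoped to one scanner, conditions on Severity or Result Status compared with a numeric Value through an Operator, an AND relation between conditions, and an incident entry for each attached policy that is violated. It assumes that a condition counts the findings matching its subject and compares that count with Value, and that any violated rule raises an incident; the findings, policy names and project name are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass

# Assumed semantics: a condition counts the findings whose subject matches (e.g. Severity =
# High) and compares that count with Value using Operator (> / >= / < / <= / =).
OPERATORS = {">": int.__gt__, ">=": int.__ge__, "<": int.__lt__, "<=": int.__le__, "=": int.__eq__}
# scanner: "SAST" | "IaC Security"; severity: High/Medium/Low/Info; status: New/Recurrent
Finding = namedtuple("Finding", "scanner severity status")

@dataclass(frozen=True)
class Condition:
    subject: str    # Rule Subject: "Severity" or "Result Status"
    match: str      # e.g. "High" or "New"
    operator: str   # one of OPERATORS
    value: int      # the numeric Value
    def holds(self, findings):
        attr = "severity" if self.subject == "Severity" else "status"
        count = sum(1 for f in findings if getattr(f, attr) == self.match)
        return OPERATORS[self.operator](count, self.value)

@dataclass
class Rule:
    name: str
    scanner: str        # Select Scanner > SAST / IaC Security
    conditions: list    # AND relation between conditions, as the note states
    def violated(self, findings):
        scoped = [f for f in findings if f.scanner == self.scanner]
        return all(c.holds(scoped) for c in self.conditions)

@dataclass
class Policy:
    name: str
    rules: list
    projects: set       # projects attached via "Assign to Projects"

def evaluate_scan(policies, project, findings):
    """Workflow steps 2-4 for a finished scan: (policy, rule) pairs violated by the scan's
    findings for every policy attached to the project (assumed: any violated rule = incident)."""
    return [(p.name, r.name) for p in policies if project in p.projects
            for r in p.rules if r.violated(findings)]

# Constructed sample data for a project named "payments-api" (not real scan output)
SAMPLE_FINDINGS = [Finding("SAST", "High", "New"), Finding("IaC Security", "Medium", "New"),
                   Finding("IaC Security", "Low", "Recurrent")]
SAMPLE_POLICIES = [
    Policy("Block new High SAST", [Rule("high-sast", "SAST", [
        Condition("Severity", "High", ">=", 1), Condition("Result Status", "New", ">", 0)])],
        {"payments-api"}),
    Policy("IaC Medium cap", [Rule("iac-medium", "IaC Security", [
        Condition("Severity", "Medium", ">", 1)])], {"payments-api"}),
]
```

Running evaluate_scan(SAMPLE_POLICIES, "payments-api", SAMPLE_FINDINGS) reports only the first policy, because the IaC rule requires more than one Medium finding and the sample has exactly one.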
Policies & Incidents
After a policy is created and saved, two tables are presented:
Policies - Contains all the configured policies.
When hovering over a policy, an ellipsis (...) appears on the right side.
It is possible to perform the following actions for every policy:
Edit the policy
Delete the policy
Pin the policy - Pin the policy to the top of the table.
Incidents - Contains all the violated policies incidents.