Policy Management

Overview

Policy Management is a mechanism to identify security risks across projects and scans.

Organizations often handle hundreds or even thousands of projects that undergo daily scans, with each project generating distinct scan results. To pinpoint projects with specific types of results, security engineers must manually review and prioritize findings.

By using policies, organizations can easily detect projects that violate their established security rules. For example, an organization may want to understand whether specific projects contain any high-severity findings from static code analysis or feature particular types of open-source packages, such as the recent log4j concerns.

Policy Management does not stop at identification alone; it enables organizations to develop automated responses for project violations, for example, to block a software build if it is violating a policy.

Once a scan is completed, the policies associated with the respective projects are assessed. These policies are then matched against the findings from the scan results.

Checkmarx One generates and maintains an incident report containing details of projects that violated policies during the scan. In upcoming versions, it will be possible to automate email notifications regarding these violations.

Permissions

To execute various actions in the Policy Management feature, a user needs to be assigned one of the following permissions:

  • create-policy-management - Create policies.

  • delete-policy-management - Delete policies.

  • manage-policy-management - Update, delete, create and view policies.

  • update-policy-management - Update policies.

  • view-policy-management - View policies.

Policy Configuration

This section explains how to create a policy that flags specific situations requiring attention.

You will define rules for each policy that outline a custom compliance threshold. Each rule, in turn, will include one or more condition sets that describe specific vulnerabilities associated with the policy. Options for configuring conditions differ according to the scanner for which the rule is being created.

Currently, policies can be created for the following scanners:

[Animation: How to create a new policy]

Creating a Policy

To create a policy, perform the following:

  1. In the main menu, select Scan Management > Policies.

  2. Click on Create New Policy.

  3. In the Policy Details section, provide the following information:

    • Policy Name - Enter a name for the policy.

    • Description (optional) - Add a description.

    • Associated Tags (optional) - Click to expand the display, and then enter the desired tags for the policy.

  4. Click Save & Continue

    The Action upon Violations section is shown on the screen.

  5. You can select the Break the build checkbox if you would like to break software builds for a scanned repository that violates the configured rules.

    Note

    This functionality might not yet be available in your production environment.

  6. Add one or more Rules, as follows:

    Each rule specifies conditions related to a specific scanner that will constitute a policy violation. The possible types of conditions are described below.

    1. Click on Select Scanner to open the dropdown menu, and select the scanner for which you would like to add a rule.

    2. Click on + Add Rule.

      The rule configuration panel opens on the right side of the screen.

    3. In the Rule Name field, enter a name for the rule.

    4. Click + Add Condition and configure the condition. Options for condition configuration differ according to the scanner for which the rule is being created. The configuration options for each scanner are described below.

  7. Assign the policy to one or more Projects as follows:

    1. Click + Assign to Projects.

      The Select Projects to Assign panel opens on the right side of the screen.

    2. Select the checkbox next to each project you would like to assign.

      Note

      It is possible to search for projects using the Search field. You can also select the Select All in View option to select all currently loaded projects.

    3. Click Assign Projects.

  8. Click Save Policy.

    The policy is created and activated.

Configuring Policy Conditions

Each policy rule consists of one or more conditions. If all conditions of any one rule are met, the policy is considered violated. Each policy rule relates to results from a particular scanner. The types of conditions that can be configured differ for each scanner. The following sections explain the options for configuring conditions for each scanner.

SAST Policy Conditions
In the Add a SAST Rule pane, perform the following:
  1. In the Rule Definition section, click Select Entity, and select the desired entity from the dropdown list. Currently, the only supported type is Vulnerability.

  2. Click + Add Condition

  3. Configure the following:

    • Rule Subject:

      • Severity - High/Medium/Low/Info

        or

      • Result Status - New/Recurrent

    • Operator: > / >= / < / <= / =

    • Value: Numeric value

    Notice

    For example, if for Entity Type Vulnerability you set the Rule Subject to High, the Operator to ">", and the Value to 2, then a project with 3 or more High severity SAST vulnerabilities will be in violation of this rule.

    Note

    • It is possible to configure more than one rule.

    • Entities and conditions are linked by an AND relationship. This means that all specified conditions must be met simultaneously for the associated entities to be considered.

SCA Policy Conditions

The following sections describe the various types of SCA policy conditions that can be configured.

Package Conditions

| Type | Description | Values specified |
|---|---|---|
| Is Used | The rule applies only to packages that are being used in the project. Tip: This is only supported for Projects for which the Exploitable Path feature is supported. | none |
| Is Outdated | The rule applies only to packages for which a more recent version is available. | none |
| Named | The rule applies only to the packages with the specified name. | Specify the full name of the package. |
| Name Contains | The rule applies only to packages that have the specified string in their name. | Specify a string that is contained in the package name. |
| Version is Higher than | The rule applies only to packages with a version higher than the specified version. | Specify the version number that it must be higher than. |
| Version is Lower than | The rule applies only to packages with a version lower than the specified version. | Specify the version number that it must be lower than. |
| Is not a Dev dependency | The rule only applies to packages that aren't Dev dependencies. | none |
| Is not a Test dependency | The rule only applies to packages that aren't Test dependencies. | none |
| Is a Direct dependency | The rule only applies to Direct dependencies (not to Transitive dependencies). | none |
| Is Malicious | The rule only applies to packages that are identified as Malicious Supply Chain vulnerabilities. | none |
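
The package conditions above can be checked offline against a dependency list before a rule is saved. The following Python is an added example, not Checkmarx code: the package records and the rule are constructed, conditions are assumed to combine with AND, and versions are assumed to compare numerically component by component (the page does not state how Checkmarx One compares them).

```python
import re

def version_key(version):
    """Turn '2.9.1' into (2, 9, 1); suffixes such as '-beta9' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group().split(".")]
    while parts and parts[-1] == 0:   # treat 2.17 and 2.17.0 as equal
        parts.pop()
    return tuple(parts)

# One predicate per condition type; names follow the Package Conditions table.
CONDITIONS = {
    "Named": lambda p, v: p["name"] == v,
    "Name Contains": lambda p, v: v in p["name"],
    "Version is Higher than": lambda p, v: version_key(p["version"]) > version_key(v),
    "Version is Lower than": lambda p, v: version_key(p["version"]) < version_key(v),
    "Is a Direct dependency": lambda p, v: p["direct"],
    "Is not a Dev dependency": lambda p, v: not p["dev"],
}

def matching_packages(rule, packages):
    """Packages that satisfy every condition of the rule (assumed AND)."""
    return [f'{p["name"]}@{p["version"]}' for p in packages
            if all(CONDITIONS[kind](p, value) for kind, value in rule)]

# Constructed rule and dependency list, for illustration only.
RULE = [("Name Contains", "log4j"),
        ("Version is Lower than", "2.17.0"),
        ("Is not a Dev dependency", None)]
PACKAGES = [
    {"name": "log4j-core", "version": "2.9.1", "direct": False, "dev": False},
    {"name": "log4j-api", "version": "2.17.0", "direct": True, "dev": False},
    {"name": "log4j-core", "version": "2.3", "direct": True, "dev": True},
    {"name": "slf4j-api", "version": "1.7.36", "direct": True, "dev": False},
]

if __name__ == "__main__":
    print(matching_packages(RULE, PACKAGES))
    # Plain string comparison would wrongly rank 2.9.1 above 2.17.0.
    print("2.9.1" < "2.17.0")
```

Adding "Is a Direct dependency" to this rule would exclude the only match, because the constructed log4j-core 2.9.1 entry is transitive.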

Vulnerability Conditions

| Type | Description | Values specified |
|---|---|---|
| has Exploitable Path | There is an Exploitable Path by which the vulnerable methods are actually used by your code. See Exploitable Path. Tip: This is only supported for Projects in which the Exploitable Path feature is activated. | none |
| has a Remediation Recommendation | Checkmarx offers a remediation recommendation for eliminating the vulnerability from your Project. See Remediation Tasks Tab. Tip: This is only supported for Projects in which the Exploitable Path feature is activated. | none |
| CVSS score is greater than or equal to | The CVSS score of the vulnerability is greater than or equal to the specified value. Tip: The latest available CVSS version is used for this assessment. | Specify the minimum CVSS score for this condition. |
| Severity level is | The vulnerability has the specified severity level. | Select one or more severity levels (High, Medium, Low) for the vulnerabilities in this condition. |
| CWE Category | The vulnerability has the specified CWE. | Specify the number of the CWE. |
| CVE ID is | The vulnerability has the specified CVE ID. | Specify a CVE ID, e.g., CVE-2019-2391. |
| number of Days Since Publication is greater than | The number of days since the vulnerability was published is greater than the specified value. | Specify the number of days that the value must be greater than. |

Supply Chain Risk Conditions

| Type | Description | Values specified |
|---|---|---|
| Severity level is | The vulnerability has the specified severity level. | Select one or more severity levels (High, Medium, Low) for the vulnerabilities in this condition. |

License Conditions

| Type | Description | Values specified |
|---|---|---|
| Named | Specify one or more specific licenses for this condition. | Select one or more licenses from the dropdown list of licenses in your account. |
| Legal Risk level is | The Legal Risk has the specified severity level. | Select one or more severity levels (High, Medium, Low) for this condition. |

IaC Security Policy Conditions

In the Add an IaC Security Rule pane, perform the following:
  1. In the Rule Definition section, click on Select Entity, and then select the desired entity from the dropdown list. Currently, the only supported type is Vulnerability.

  2. Click + Add Condition

  3. Configure the following:

    • Rule Subject:

      • Severity - High/Medium/Low

        or

      • Result Status - New/Recurrent

    • Operator: > / >= / < / <= / =

    • Value: Numeric value

    Notice

    For example, if for Entity Type Vulnerability you set the Rule Subject to High, the Operator to ">", and the Value to 2, then a project with 3 or more High severity IaC Security vulnerabilities will be in violation of this rule.

    Note

    • It is possible to configure more than one rule.

    • Entities and conditions are linked by an AND relationship. This means that all specified conditions must be met simultaneously for the associated entities to be considered.
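
The count-based rule semantics described for SAST and IaC Security rules (a threshold per condition, AND between the conditions of a rule, violation when any rule matches) are modelled in the following Python. It is an added example, not Checkmarx code: the policy and finding dictionaries are constructed, and representing Break the build as a non-zero exit code is an assumption.

```python
import operator
from collections import Counter

# Operators offered in the rule configuration panel.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}

def count_findings(findings):
    """Tally findings by severity and by result status."""
    counts = Counter()
    for f in findings:
        counts[("Severity", f["severity"])] += 1
        counts[("Result Status", f["status"])] += 1
    return counts

def rule_violated(rule, counts):
    """A rule is violated only when every one of its conditions holds (AND)."""
    return all(OPS[c["op"]](counts[(c["subject"], c["level"])], c["value"])
               for c in rule["conditions"])

def evaluate(policy, findings):
    """Return (names of violated rules, build exit code)."""
    counts = count_findings(findings)
    hit = [r["name"] for r in policy["rules"] if rule_violated(r, counts)]
    exit_code = 1 if hit and policy["break_build"] else 0
    return hit, exit_code

# Constructed policy and scan results, for illustration only.
POLICY = {
    "name": "no-new-highs", "break_build": True,
    "rules": [
        {"name": "more-than-2-high", "conditions": [
            {"subject": "Severity", "level": "High", "op": ">", "value": 2}]},
        {"name": "new-and-medium", "conditions": [
            {"subject": "Result Status", "level": "New", "op": ">=", "value": 1},
            {"subject": "Severity", "level": "Medium", "op": ">", "value": 5}]},
    ],
}
TWO_HIGH = [{"severity": "High", "status": "New"}] * 2
THREE_HIGH = TWO_HIGH + [{"severity": "High", "status": "Recurrent"}]

if __name__ == "__main__":
    print(evaluate(POLICY, TWO_HIGH))    # exactly 2 High: "> 2" is not met
    print(evaluate(POLICY, THREE_HIGH))  # 3 High: first rule is violated
```

The second rule stays unviolated in both runs: its New condition is met, but the Medium condition is not, and both must hold.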

Viewing Policies and Incidents

After a policy is created and saved, two tables are presented.

  • Policies - Contains all the configured policies.

    When hovering on a policy, an ellipsis appears on the right side.

    It is possible to perform the following actions for each policy:

    • Edit the policy

    • Delete the policy

    • Pin the policy - Pin the policy to the top of the table.

  • Incidents - Shows all of the incidents in which policies were violated.