Policy Management
Overview
Policy Management is a mechanism to identify security risks across projects and scans.
Organizations often handle hundreds or even thousands of projects that undergo daily scans, with each project generating distinct scan results. To pinpoint projects with specific types of results, security engineers must manually review and prioritize findings.
By using policies, organizations can easily detect projects that violate their established security rules. For example, an organization may want to understand whether specific projects contain any high-severity findings from static code analysis or feature particular types of open-source packages, such as the recent log4j concerns.
Policy Management does not stop at identification alone; it enables organizations to define automated responses to project violations, for example, blocking a software build if the scanned project violates a policy.
Once a scan is completed, the policies associated with the respective projects are assessed. These policies are then matched against the findings from the scan results.
Checkmarx One generates and maintains an incident report containing details of projects that violated policies during the scan. In upcoming versions, it will be possible to automate email notifications regarding these violations.
Creating a Policy
This section explains how to create a policy to flag specific situations requiring attention.
For each policy, you will define a set of rules that outline a custom compliance threshold. Each rule, in turn, includes one or more condition sets that describe the specific vulnerabilities associated with the policy.
Currently, policies can be created for the following scanners:
SAST scanner - Creating a SAST Policy
IaC Security scanner - Creating an IaC Security Policy
[GIF: How to create a new Policy]
Policy Details
To create a policy, perform the following:
Click on the Policy Management icon.
Click on Create New Policy.
In the Policy Details screen, provide the following information:
Policy Name - Name the policy.
Description (optional) - Add a description.
Set policy as default for new and existing projects (optional) - If checked, the policy will be set as default for both new and existing projects.
Associated Tags (optional) - Assign project tags to the policy.
Click Save & Continue.
The Action upon Violations section is added to the screen.
Creating a SAST Policy
Break the build - Breaks the software build for a scanned repository that violates the configured rules.
Send a notification via Email - Send an email to the recipients about violated projects.
Rules - Click Select Scanner > SAST
Click + Add Rule
The Add a SAST Rule pane appears on the right side of the screen.
Rule Name - Name the rule.
Rule Definition - Entity Type > Select Entity > Vulnerability
Click + Add Condition
Configure the following:
Rule Subject:
Severity - High/Medium/Low/Info
or
Result Status - New/Recurrent
Operator: > / >= / < / <= / =
Value: Numeric value
Note
It is possible to configure more than one rule.
Entities and conditions are linked by an AND relationship. This means that all specified conditions must be met simultaneously for the associated entities to be considered.
Click Save
The Add a SAST Rule pane is closed and the rule is added.
Projects - Click + Assign to Projects
The Select Projects to Assign pane is opened.
Assign a project to the policy.
Note
It is possible to search for projects using the Search field.
Click Assign Projects
Click Save Policy
Creating an IaC Security Policy
Break the build - Breaks the software build for a scanned repository that violates the configured rules.
Send a notification via Email - Send an email to the recipients about violated projects.
Rules - Click Select Scanner > IaC Security
Click + Add Rule
The Add an IaC Security Rule pane appears on the right side of the screen.
Rule Name - Name the rule.
Rule Definition - Entity Type > Select Entity > Vulnerability
Click + Add Condition
Configure the following:
Rule Subject:
Severity - High/Medium/Low
or
Result Status - New/Recurrent
Operator: > / >= / < / <= / =
Value: Numeric value
Note
It is possible to configure more than one rule.
Entities and conditions are linked by an AND relationship. This means that all specified conditions must be met simultaneously for the associated entities to be considered.
Click Save
The Add an IaC Security Rule pane is closed and the rule is added.
Projects - Click + Assign to Projects
The Select Projects to Assign pane is opened.
Assign a project to the policy.
Note
It is possible to search for projects using the Search field.
Click Assign Projects
Click Save Policy
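The rule model used by both the SAST and the IaC Security procedures above is the same: a policy holds one or more rules, each rule holds one or more conditions that are ANDed, each condition names a Rule Subject (Severity or Result Status), an operator and a numeric value, and a violated policy can break the build. The following Python evaluator is an added illustration of that model over constructed scan findings; it is not Checkmarx One's own code or API, and it assumes that a condition compares the count of findings matching its subject against the numeric value, and that any violated rule triggers the policy's action.

```python
import operator
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample scan findings (not real Checkmarx One output), one row per result.
SAMPLE_FINDINGS: List[Dict[str, str]] = [
    {"severity": "High", "status": "New"},
    {"severity": "High", "status": "Recurrent"},
    {"severity": "Medium", "status": "Recurrent"},
    {"severity": "Low", "status": "New"},
]
# Operators offered in the Add Condition pane, and the finding field each Rule Subject matches.
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}
SUBJECT_FIELDS = {"Severity": "severity", "Result Status": "status"}

@dataclass
class Condition:
    subject: str  # "Severity" or "Result Status"
    label: str    # e.g. "High" or "New"
    op: str       # one of OPERATORS
    value: int    # numeric threshold from the Value field
    def holds(self, findings: List[Dict[str, str]]) -> bool:
        # Assumption: the condition compares the COUNT of matching findings to the value.
        if self.subject not in SUBJECT_FIELDS or self.op not in OPERATORS:
            raise ValueError(f"unsupported condition: {self.subject} {self.op}")
        count = sum(1 for f in findings if f.get(SUBJECT_FIELDS[self.subject]) == self.label)
        return OPERATORS[self.op](count, self.value)

@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    def violated(self, findings: List[Dict[str, str]]) -> bool:
        # Conditions inside a rule are ANDed: every one must hold at the same time.
        return all(c.holds(findings) for c in self.conditions)

@dataclass
class Policy:
    name: str
    rules: List[Rule]
    break_build: bool = False  # the "Break the build" action
    def violated_rules(self, findings: List[Dict[str, str]]) -> List[str]:
        return [r.name for r in self.rules if r.violated(findings)]
    def should_break_build(self, findings: List[Dict[str, str]]) -> bool:
        # Assumption: any violated rule triggers the policy's configured action.
        return self.break_build and bool(self.violated_rules(findings))

# "New highs" fires only when at least one High AND at least one New finding exist.
SAMPLE_POLICY = Policy("Block new high-severity findings", break_build=True, rules=[
    Rule("New highs", [Condition("Severity", "High", ">=", 1), Condition("Result Status", "New", ">=", 1)]),
    Rule("Low noise", [Condition("Severity", "Low", ">", 3)]),
])
```

Running `SAMPLE_POLICY.violated_rules(SAMPLE_FINDINGS)` returns only "New highs", because the "Low noise" rule's single condition (more than three Low findings) does not hold.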
Policies and Incidents
After a policy is created and saved, two tables are presented.
Policies - Contains all the configured policies.
When hovering over a policy, an ellipsis appears on the right side.
It is possible to perform the following actions for every policy:
Edit the policy
Delete the policy
Pin the policy - Pin the policy to the top of the table.
Incidents - Contains all the incidents where policies were violated.