
Policy Management

Overview

Policy Management is a mechanism for determining which security risks are present across projects and scans, by evaluating scan results against rules that the organization defines.

Organizations can have hundreds or thousands of projects that are scanned on a daily basis, and each project has its own scan results. To understand which projects contain specific result types, a security engineer would otherwise need to go over the findings manually and prioritize them.

By using policies, organizations can easily identify which projects violate the security policies that they created.

For example, an organization wants to know whether specific projects contain any high severity findings from static code analysis, or a specific open-source package (log4j, for instance). The same applies to IaC (Infrastructure as Code) Security, API Security, etc.

The purpose of the feature is to help organizations build automation on top of the findings of violating projects, for example to block a build* because of policy violations.

When a scan finishes, the policies attached to the scanned project are evaluated against the findings in the scan results.

Checkmarx One creates and maintains an incident report with all the policy violations found during the scan, or sends an email notification* about them.

Policy management workflow:

  • Checkmarx One waits for a scan to finish.

  • Checks whether a policy is attached to the scanned project.

  • Evaluates the rules of the policy.

  • Creates an incident report with all the violating projects or sends an email notification about them.

    Note

    This feature is not available in the current version.

  • Blocks the build if enabled.

    Note

    This feature is not available in the current version.

Creating a Policy

Create a policy to flag specific situations that you want to call attention to. For each policy, specify a series of rules that define a custom compliance threshold.

Each rule includes one or more “sets” of conditions. For each set of conditions you can specify which vulnerabilities the policy relates to.

It is possible to create a policy for the following scanners:

  • SAST

  • IaC Security

Policy Details

To create a policy, perform the following:

  1. Click the Policy Management icon Policy_Settings.png

  2. Click Create New Policy

  3. In the Policy Details screen, perform the following:

    • Policy Name - Name the policy.

    • Description (optional) - Add a description.

    • Set policy as default for new and existing projects (optional) - Automatically attaches all existing and new projects to the policy.

    • Associated Tags (optional) - Assign project tags to the policy.

    • Click Save & Continue

      Policy_Details.png

    The Action upon Violations section is added to the screen.

Creating a SAST Policy

In the Action upon Violations section perform the following:
  1. Break the build - Breaks the build of the scanned repository that violated the configured rules.

  2. Send a notification via Email - Sends an email to the recipients about violating projects.

  3. Rules - Click Select Scanner > SAST

    Select_SAST_Scanner.png
  4. Click + Add Rule

    The Add a SAST Rule pane opens on the right side of the screen.

In the Add a SAST Rule pane, perform the following:
  1. Rule Name - Name the rule.

  2. Rule Definition - Entity Type > Select Entity > Vulnerability

    Add_SAST_Rule.png
  3. Click + Add Condition

  4. Configure the following:

    • Rule Subject:

      • Severity - High/Medium/Low/Info

        or

      • Result Status - New/Recurrent

    • Operator: > / >= / < / <= / =

    • Value: Numeric value

      Add_SAST_Rule2.png

    Note

    • It is possible to configure more than one rule.

    • There is an AND relation between entities and conditions: a rule is violated only when all of its conditions hold.

  5. Click Save

    The Add a SAST Rule pane closes and the rule is added.

  6. Projects - Click + Assign to Projects

    The Select Projects to Assign pane opens.

  7. Select the projects to assign to the policy.

    Note

    It is possible to search for projects using the search field.

    Select_Projects_to_Assign.png
  8. Click Assign Projects

  9. Click Save Policy

Creating an IaC Security Policy

In the Action upon Violations section perform the following:
  1. Break the build - Breaks the build of the scanned repository that violated the configured rules.

  2. Send a notification via Email - Sends an email to the recipients about violating projects.

  3. Rules - Click Select Scanner > IaC Security

    Select_IaC_Security_Scanner.png
  4. Click + Add Rule

    The Add an IaC Security Rule pane opens on the right side of the screen.

In the Add an IaC Security Rule pane, perform the following:
  1. Rule Name - Name the rule.

  2. Rule Definition - Entity Type > Select Entity > Vulnerability

    Add_IaC_Security_Rule.png
  3. Click + Add Condition

  4. Configure the following:

    • Rule Subject:

      • Severity - High/Medium/Low

        or

      • Result Status - New/Recurrent

    • Operator: > / >= / < / <= / =

    • Value: Numeric value

      Add_IaC_Security_Rule2.png

    Note

    • It is possible to configure more than one rule.

    • There is an AND relation between entities and conditions: a rule is violated only when all of its conditions hold.

  5. Click Save

    The Add an IaC Security Rule pane closes and the rule is added.

  6. Projects - Click + Assign to Projects

    The Select Projects to Assign pane opens.

  7. Select the projects to assign to the policy.

    Note

    It is possible to search for projects using the search field.

    Select_Projects_to_Assign.png
  8. Click Assign Projects

  9. Click Save Policy
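The SAST and IaC Security rule procedures above describe the same model: a policy is attached to projects, holds rules for one scanner, and each rule holds conditions on Severity or Result Status with an operator and a numeric value, combined with AND. The following Python is an added illustration of how such a policy is evaluated against a finished scan and turned into incidents and a build decision; it is not Checkmarx One code or its API. The data shapes, the function and field names, the interpretation of a condition as "count of findings matching the subject, compared with the value", and the sample findings are all assumptions made for this example.

```python
"""Added illustration of policy evaluation (not Checkmarx One code).

Assumed semantics: a condition counts the findings whose Severity or
Result Status equals the condition's match value and compares that count
with the numeric value using the operator.  A rule is violated when ALL
of its conditions hold (AND), and a policy is violated when any of its
rules is violated.  Only findings from the policy's scanner are counted.
"""
from dataclasses import dataclass
import operator

# Operators offered in the rule editor: > / >= / < / <= / =
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "=": operator.eq}


@dataclass
class Finding:
    scanner: str    # "SAST" or "IaC Security"
    severity: str   # High / Medium / Low / Info
    status: str     # New / Recurrent
    query: str      # vulnerability name, used in the incident report


@dataclass
class Condition:
    subject: str    # "Severity" or "Result Status"
    match: str      # e.g. "High" or "New"
    op: str         # key of OPERATORS
    value: int

    def matches(self, finding):
        attr = "severity" if self.subject == "Severity" else "status"
        return getattr(finding, attr) == self.match

    def holds(self, findings):
        count = sum(1 for f in findings if self.matches(f))
        return OPERATORS[self.op](count, self.value)


@dataclass
class Rule:
    name: str
    conditions: list

    def violated(self, findings):
        # AND relation between conditions: every condition must hold.
        return all(c.holds(findings) for c in self.conditions)


@dataclass
class Policy:
    name: str
    scanner: str
    rules: list
    projects: set           # project names attached to this policy
    break_build: bool = False


def evaluate(policy, project, scan_findings):
    """Evaluate a finished scan against one policy.
    Returns a list of incidents (empty when the policy is not violated
    or is not attached to the scanned project)."""
    if project not in policy.projects:
        return []
    findings = [f for f in scan_findings if f.scanner == policy.scanner]
    incidents = []
    for rule in policy.rules:
        if rule.violated(findings):
            matched = {f.query for f in findings
                       if any(c.matches(f) for c in rule.conditions)}
            incidents.append({"policy": policy.name, "project": project,
                              "rule": rule.name, "findings": sorted(matched)})
    return incidents


def build_exit_code(policies, project, scan_findings):
    """CI gate: 1 when a violated policy has 'Break the build' enabled."""
    for policy in policies:
        if policy.break_build and evaluate(policy, project, scan_findings):
            return 1
    return 0


# Constructed sample scan results for one project (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("SAST", "High", "New", "SQL_Injection"),
    Finding("SAST", "High", "Recurrent", "Reflected_XSS"),
    Finding("SAST", "Medium", "New", "Path_Traversal"),
    Finding("IaC Security", "High", "New", "S3_Bucket_Public_Access"),
]

# "High >= 1 AND New > 0" on SAST, attached to payments-api, breaking the build.
SAST_POLICY = Policy(
    name="No new high SAST findings", scanner="SAST",
    rules=[Rule("High and new", [Condition("Severity", "High", ">=", 1),
                                 Condition("Result Status", "New", ">", 0)])],
    projects={"payments-api"}, break_build=True)

# "High > 0" on IaC Security, attached only to the infra project.
IAC_POLICY = Policy(
    name="No high IaC findings", scanner="IaC Security",
    rules=[Rule("Any high", [Condition("Severity", "High", ">", 0)])],
    projects={"infra"})

if __name__ == "__main__":
    for incident in evaluate(SAST_POLICY, "payments-api", SAMPLE_FINDINGS):
        print(incident)
    print("exit code:", build_exit_code([SAST_POLICY, IAC_POLICY],
                                        "payments-api", SAMPLE_FINDINGS))
```

Because conditions are combined with AND, a rule such as Severity Info >= 1 AND Result Status New > 0 is not violated by the sample scan: the New condition holds but there are no Info findings. Note also that the IaC policy produces no incident for payments-api, even though the scan contains an IaC finding, because that policy is not attached to the project.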

Policies & Incidents

After a policy is created and saved, two tables are presented.

  • Policies - Contains all the configured policies.

    When hovering over a policy, an ellipsis More_Options.png appears on the right side.

    It is possible to perform the following actions for every policy:

    • Edit the policy

    • Delete the policy

    • Pin the policy - Pin the policy to the top of the table.

      Policies_More_Options.png
  • Incidents - Contains the incidents for all policy violations.