
Incidents

Incidents are records of policy violations that occur when a rule of an active policy is triggered after a scan finishes. These incidents are stored in the database and can be viewed in the Incidents tab on the Policy Management Portal.

Incidents Tab

In the Incidents tab of the Policy Management Portal, you'll find a history of all past detected violations. Each Incident displays:

  • The violated policy's name

  • The first violated rule in the policy

  • The ID of the analyzed scan

  • The project name

  • The scan date

This incident history cannot be modified or deleted from the portal. Additionally, deleting or editing the rules or policies that caused the incidents will not affect the incident records.

The Incidents tab provides pagination and filtering options, like filtering by project or policy name, allowing you to navigate through incidents easily or quickly identify specific ones.

Violation Detection

Violation detection occurs on the backend within the Policy Management Service, the same service that hosts the REST API and manages the database. Detection begins immediately upon receiving a scan completion notification via an ActiveMQ (or RabbitMQ) message from SAST.

Before initiating the analysis, specific checks and validations take place:

  1. Is the project of the scan private?

    • If yes, no violation detection is performed for the project.

  2. What policies is the scan's project linked with?

    • If there are none, the project is linked to the default policy.

For instance, the first default policy in CxSAST Policy Management identifies scans with at least one High result, so when violations are detected for that policy, the corresponding query searches for results with severity level 3 (High).

When a violation is detected, a new incident is created in the database, which can be viewed in the portal.
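
The detection flow described above can be modeled as follows. This is an added example, not Checkmarx code: the data structures, the `detect_violations` function, the default-policy stand-in and the sample scans are all assumptions, and it assumes one incident per violated policy.

```python
from dataclasses import dataclass
from typing import Callable

HIGH = 3  # severity level 3 (High), as stated on the page

@dataclass(frozen=True)
class Rule:
    name: str
    violated: Callable[[list], bool]  # receives the scan's result severities

@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple

@dataclass(frozen=True)  # frozen: incident records are not edited afterwards
class Incident:
    policy_name: str
    first_violated_rule: str
    scan_id: int
    project_name: str
    scan_date: str

# Hypothetical stand-in for the default policy: at least one High result.
DEFAULT_POLICY = Policy(
    "Default (constructed)",
    (Rule("At least one High result", lambda sev: any(s == HIGH for s in sev)),),
)

def detect_violations(scan: dict, linked: dict) -> list:
    """Run the pre-checks, then evaluate each policy for a finished scan."""
    if scan["private"]:  # check 1: private projects are never analyzed
        return []
    # check 2: a project with no linked policy falls back to the default policy
    policies = linked.get(scan["project"]) or [DEFAULT_POLICY]
    incidents = []
    for policy in policies:
        first = next((r for r in policy.rules if r.violated(scan["severities"])), None)
        if first is not None:  # assumption: one incident per violated policy
            incidents.append(Incident(policy.name, first.name, scan["id"],
                                      scan["project"], scan["date"]))
    return incidents

# Constructed sample scans (not real data).
SCANS = [
    {"id": 101, "project": "shop", "private": False, "date": "2024-01-05", "severities": [1, 3]},
    {"id": 102, "project": "lab", "private": True, "date": "2024-01-05", "severities": [3, 3]},
    {"id": 103, "project": "docs", "private": False, "date": "2024-01-06", "severities": [1, 2]},
]
```

Only scan 101 produces an incident here: scan 102 is skipped because its project is private, and scan 103 has no High result.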