
How to Create a New Policy


Creating a policy involves defining rules and assigning the actions to run when a rule's condition is met. Here's a step-by-step guide:

  1. Navigate to the Policy page and click on the New Policy button at the top-right corner.

    New policy

  2. Provide a Name and Description for your policy, e.g., Disallowed Licenses, Severity Indicator, etc.

    Add Name and Description

  3. Select an action for the rule if you don't want the default action (Do not notify developers). The available actions are:

    • Fail the check - Marks the check as failed.
    • Add a comment to the PR - Adds a comment to the pull request.
    • Send a notification - Notifies your configured integrations (Slack, Teams, or Webhook). Select one of the integrations and provide the channel name or webhook URL.
    • Create a ticket - Creates a ticket. You need to provide the project name here.
    • Drop - Drops all the findings generated by the policy.

    Warning

    If a Drop action appears anywhere in your policy, compliance is always 0 for the affected assets.

    • Suppress - Suppresses the findings.

    You can select more than one action as the default action for the policy.

    Enable ZTP

  4. Click the Add Rule button.

    Add Rules

  5. Click the Add Action button to define an action path for the rule. An action path is the finding attribute that the rule's condition evaluates. The available action paths are:

    • OpenSSF Score - Evaluates the OpenSSF Scorecard score of an open source package. The score is a collection of security health metrics for open source projects and lets you assess the security practices of the packages in your codebase.
    • EPSS Score - Evaluates the EPSS (Exploit Prediction Scoring System) score, which estimates the probability that a vulnerability will be exploited in the wild.
    • CVSS Score - Evaluates the CVSS (Common Vulnerability Scoring System) score, a rating from 0 to 10 of a vulnerability's severity.
    • Vulnerability ID - Matches findings by their vulnerability identifier (for example, a CVE ID).
    • Confidence - Matches findings whose confidence level is high, medium, or low.
    • Severity - Matches findings whose severity is Critical, Warning, or Minor.

    Add Action

  6. Select any of the action paths. For this guide, select Severity.

    Select Severity

  7. Select the >= symbol to set the condition for the action path, for example "Severity" >= "Warning". This means that whenever a finding's "Severity" is Warning or higher (that is, Warning or Critical), the selected action runs; in this guide, that action is "Add a comment to the pull request".

    Select Symbol

    Select rule

    Add Condition

    Save your progress.

    Info

    You can add multiple "Actions" for a given "Condition" by clicking the +Action button.

  8. Click the Scanners tab to select the scanners your custom policy applies to.

    Select Scanners Tab

  9. Select the scanners the policy should cover from the Available Scanners list. They then appear under the Active Scanners tab.

    Available Scanners

    Active Scanners

  10. Click the Save button to save your custom policy.
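The steps above describe how a policy is evaluated: findings from the active scanners are matched against each rule's condition on an attribute (Severity, CVSS, EPSS, ...), every matching rule contributes its actions, unmatched findings get the default action, and a Drop action removes findings outright. The following Python model is an added example written for this guide, not the product's own code or policy format; the scanner names, the attribute names, the sample findings and their scores are all constructed. It shows why "Severity >= Warning" must be an ordered comparison (Minor < Warning < Critical) and how multiple actions per condition, the default action, scanner scope and Drop combine.

```python
from dataclasses import dataclass
from enum import IntEnum
import operator


class Severity(IntEnum):
    """Ordered so that a condition such as Severity >= Warning matches
    Warning and Critical findings but not Minor ones."""
    MINOR = 1
    WARNING = 2
    CRITICAL = 3


SEVERITY_BY_NAME = {"Minor": Severity.MINOR, "Warning": Severity.WARNING,
                    "Critical": Severity.CRITICAL}

OPERATORS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
             "<": operator.lt, "==": operator.eq, "!=": operator.ne}


@dataclass(frozen=True)
class Finding:
    scanner: str      # scanner that produced the finding (assumed names)
    vuln_id: str      # vulnerability identifier
    severity: Severity
    cvss: float       # 0.0 - 10.0
    epss: float       # 0.0 - 1.0 probability of exploitation
    confidence: str   # "high" | "medium" | "low"


@dataclass(frozen=True)
class Rule:
    attribute: str    # Finding field the condition evaluates ("severity", "cvss", "epss", ...)
    op: str           # one of OPERATORS
    value: object     # threshold; a severity may be given by name ("Warning")
    actions: tuple    # one or more actions triggered when the condition holds

    def matches(self, finding):
        actual = getattr(finding, self.attribute)
        expected = self.value
        if self.attribute == "severity" and isinstance(expected, str):
            expected = SEVERITY_BY_NAME[expected]
        return OPERATORS[self.op](actual, expected)


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple
    active_scanners: frozenset
    default_actions: tuple = ("Do not notify developers",)

    def has_drop(self):
        # The guide warns that a Drop anywhere in a policy zeroes compliance
        # for the affected assets, so flag it before the policy is saved.
        return any("Drop" in rule.actions for rule in self.rules)


def evaluate(policy, findings):
    """Return {vuln_id: actions} for the findings in scope of the policy.

    - Findings from scanners that are not active in the policy are ignored.
    - Every matching rule contributes its actions (multiple actions per condition).
    - A finding that matches no rule gets the policy's default actions.
    - A finding hit by Drop is removed from the results entirely.
    """
    outcome = {}
    for finding in findings:
        if finding.scanner not in policy.active_scanners:
            continue
        triggered = []
        for rule in policy.rules:
            if rule.matches(finding):
                triggered.extend(a for a in rule.actions if a not in triggered)
        if "Drop" in triggered:
            continue
        outcome[finding.vuln_id] = tuple(triggered) or policy.default_actions
    return outcome


# Constructed sample findings; identifiers and scores are made up for the example.
SAMPLE_FINDINGS = (
    Finding("sca", "EXAMPLE-0001", Severity.CRITICAL, 9.8, 0.94, "high"),
    Finding("sca", "EXAMPLE-0002", Severity.WARNING, 5.3, 0.02, "medium"),
    Finding("sca", "EXAMPLE-0003", Severity.MINOR, 3.1, 0.01, "low"),
    Finding("iac", "EXAMPLE-0004", Severity.WARNING, 0.0, 0.0, "high"),
)

# The policy from the guide (Severity >= Warning -> comment on the PR), extended
# with an EPSS rule that fails the check and sends a notification.
GUIDE_POLICY = Policy(
    name="Severity Indicator",
    rules=(
        Rule("severity", ">=", "Warning", ("Add a comment to the PR",)),
        Rule("epss", ">=", 0.5, ("Fail the check", "Send a notification")),
    ),
    active_scanners=frozenset({"sca"}),
)

# The same policy with a Drop action on low-confidence findings.
DROP_POLICY = Policy(
    name="Severity Indicator (drops low confidence)",
    rules=GUIDE_POLICY.rules + (Rule("confidence", "==", "low", ("Drop",)),),
    active_scanners=frozenset({"sca"}),
)

if __name__ == "__main__":
    for policy in (GUIDE_POLICY, DROP_POLICY):
        print(policy.name, "has Drop:", policy.has_drop())
        for vuln_id, actions in evaluate(policy, SAMPLE_FINDINGS).items():
            print(f"  {vuln_id}: {', '.join(actions)}")
```

Running it shows the IaC finding excluded because only the sca scanner is active, the Critical finding collecting three actions from two rules, the Minor finding falling back to the default action, and the Drop variant silently discarding the low-confidence finding, which is exactly the situation the compliance warning in step 3 is about.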