How to Create a New Policy
A policy is a set of rules. Each rule has a condition that is tested against findings and one or more actions that run when the condition matches. Here's a step-by-step guide:
1. Navigate to the Policy page and click the New Policy button in the top-right corner.
2. Provide a Name and Description for the policy, e.g. Disallowed Licenses or Severity Indicator.
3. Select the actions the policy should take when a rule matches, if you are not using the default action (Do not notify developers). The available actions are:
   - Fail the check - marks the check as failed.
   - Add a comment to the PR - posts a comment on the pull request.
   - Send a notification - sends a notification to one of your configured integrations (Slack, Teams, or Webhook). Select the integration and enter the channel name or webhook.
   - Create a ticket - creates a ticket in the project whose name you enter here.
   - Drop - drops all findings generated by the policy.
   - Suppress - suppresses the findings.
   You can select more than one action as the policy's default action.
4. Click the Add Rule button.
5. Click the Add Action button to choose the attribute (called an action path in the UI) that the rule's condition will test. The available action paths are:
   - OpenSSF Score - the OpenSSF Scorecard score of a dependency. Scorecard is a collection of security health metrics for open-source projects, letting you evaluate the security practices of the packages in your codebase.
   - EPSS Score - the EPSS (Exploit Prediction Scoring System) score of a vulnerability, which estimates how likely it is to be exploited in the wild.
   - CVSS Score - the CVSS score, a rating from 0 to 10 of the severity of a vulnerability.
   - Vulnerability ID - matches a specific vulnerability by its identifier.
   - Confidence - the confidence level of a finding: High, Medium, or Low.
   - Severity - the severity of a finding: Critical, Warning, or Minor.
6. Select any of the action paths; for this guide, select Severity.
7. Select the >= symbol to set the condition for the action path (i.e. "Severity" >= "Warning"). Severity is an ordered scale (Minor < Warning < Critical), so this condition matches every finding whose severity is Warning or Critical, and for each such finding the action is Add a comment to the pull request.
8. Save your progress.
Info
You can add multiple "Actions" for a given "Condition" by clicking the +Action button.
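The following is an added example, not code from the product or this guide, showing how rules of the form "attribute operator threshold -> actions" behave when evaluated against findings. The Finding fields, the mapping from action-path names to those fields, the treatment of Drop as removing a matched finding from the results, and the sample findings are all assumptions made for the illustration. The point worth seeing in code is that Severity and Confidence are ordered labels, not numbers: compared as plain strings, "Warning" would sort above "Critical", so they must be ranked before a >= comparison is meaningful.

```python
"""Illustrative evaluator for policy rules: <attribute> <op> <threshold> -> [actions].
Added example, not the product's own code; field names and data shapes are assumed."""
import operator
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Tuple

# Ordinal scales. Comparing these labels as strings would be wrong
# ("Warning" > "Critical" alphabetically), so map them to ranks first.
ORDINAL_SCALES = {
    "Severity": {"Minor": 0, "Warning": 1, "Critical": 2},
    "Confidence": {"Low": 0, "Medium": 1, "High": 2},
}

OPERATORS = {
    ">=": operator.ge, ">": operator.gt, "<=": operator.le,
    "<": operator.lt, "==": operator.eq, "!=": operator.ne,
}

# Action-path name as shown in the guide -> Finding field (assumed mapping).
ATTRIBUTE_FIELDS = {
    "OpenSSF Score": "openssf_score",
    "EPSS Score": "epss",
    "CVSS Score": "cvss",
    "Vulnerability ID": "vuln_id",
    "Confidence": "confidence",
    "Severity": "severity",
}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    severity: str        # Minor / Warning / Critical
    confidence: str      # Low / Medium / High
    cvss: float          # 0.0 - 10.0
    epss: float          # 0.0 - 1.0 (probability of exploitation)
    openssf_score: float  # 0.0 - 10.0 (Scorecard aggregate)


@dataclass(frozen=True)
class Rule:
    attribute: str
    op: str
    threshold: Any
    actions: Tuple[str, ...]


def _comparable(attribute: str, value: Any) -> Any:
    """Map an ordinal label to its rank; leave numbers and IDs unchanged."""
    scale = ORDINAL_SCALES.get(attribute)
    if scale is None:
        return value
    if value not in scale:
        raise ValueError(f"unknown {attribute} label: {value!r}")
    return scale[value]


def rule_matches(rule: Rule, finding: Finding) -> bool:
    """True when the finding's attribute satisfies the rule's condition."""
    if rule.op not in OPERATORS:
        raise ValueError(f"unsupported operator {rule.op!r}")
    if rule.attribute == "Vulnerability ID" and rule.op not in ("==", "!="):
        raise ValueError("Vulnerability ID only supports equality tests")
    actual = getattr(finding, ATTRIBUTE_FIELDS[rule.attribute])
    return OPERATORS[rule.op](_comparable(rule.attribute, actual),
                              _comparable(rule.attribute, rule.threshold))


def evaluate_policy(rules: Iterable[Rule], findings: Iterable[Finding],
                    default_actions: Tuple[str, ...] = ("Do not notify developers",)
                    ) -> Dict[str, List[str]]:
    """Return {vuln_id: sorted actions}. A finding matched by no rule gets the
    policy's default actions; a finding that collects 'Drop' is left out entirely
    (assumed semantics for the Drop action)."""
    results: Dict[str, List[str]] = {}
    for finding in findings:
        actions = {a for r in rules if rule_matches(r, finding) for a in r.actions}
        if not actions:
            actions.update(default_actions)
        if "Drop" in actions:
            continue
        results[finding.vuln_id] = sorted(actions)
    return results


# Constructed sample data: invented identifiers and scores, not real scanner output.
SAMPLE_FINDINGS = (
    Finding("CVE-2099-0001", "libalpha", "Critical", "High", 9.8, 0.94, 4.1),
    Finding("CVE-2099-0002", "libbeta", "Warning", "Medium", 6.5, 0.02, 7.8),
    Finding("CVE-2099-0003", "libgamma", "Minor", "Low", 3.1, 0.001, 2.0),
    Finding("CVE-2099-0004", "libdelta", "Minor", "High", 2.0, 0.001, 8.0),
)

SAMPLE_RULES = (
    Rule("Severity", ">=", "Warning", ("Add a comment to the PR",)),          # the guide's rule
    Rule("CVSS Score", ">=", 9.0, ("Fail the check", "Send a notification")),  # two actions, one condition
    Rule("OpenSSF Score", "<", 3.0, ("Create a ticket",)),
    Rule("Vulnerability ID", "==", "CVE-2099-0004", ("Drop",)),
)

if __name__ == "__main__":
    for vuln_id, actions in evaluate_policy(SAMPLE_RULES, SAMPLE_FINDINGS).items():
        print(f"{vuln_id}: {', '.join(actions)}")
```

With the sample rules, the Critical finding collects the comment, the failed check and the notification; the Warning finding only gets the comment; the Minor finding with a low Scorecard score gets a ticket; and the finding targeted by the Drop rule is removed from the results. Swapping the `_comparable` step for a plain string comparison would silently invert the Severity rule, which is the kind of mistake a quick test over known findings catches before a policy goes live.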