Creating custom policies
If you have the required permissions, you can create and delete your own custom policies.
And, Or,
Not). Each basic expression consists of a predefined function, and its
parameter (if required). You can either set the parameter value when creating the
policy, or use $ to leave it undefined. When a parameter is undefined
the user will be required to provide the value when associating the policy with an
application.Predefined functions
| Function | Parameters | Description |
|---|---|---|
StartDate |
Date (can include time) in one of the following formats:
|
Returns issues discovered after the specified date (and time). Examples:
|
MinSeverity |
Severity in format:
|
Returns issues equal to or of greater severity to the specified parameter. |
OwaspTop10_2017 |
N/A | Returns issues defined by OWASP as a top 10 security risk. |
SansTop25 |
N/A | Returns issues defined by SANS Institute as a top 25 critical error. |
EUGdpr_2016 |
N/A | Returns issues that render the application out of compliance with the GDPR. |
CWE |
List of CWE IDs | Returns issues that correspond with the specified CWE IDs. |
PCI |
N/A | Returns issues that render the application out of compliance with the PCI data security standard. |
HIPAA |
N/A | Returns issues that render the application out of compliance with HIPAA. |
Creating custom policies through the user interface
- On the dashboard click Policies, then click Create Custom Policy.
- Give the policy a name, and define it as a JSON expression.Note: If the policy will be associated to applications through the interface, you must define any parameters when you create the policy; it is not possible to define parameters when associating the policy. If the policy will be associated with applications using the API, you can leave the parameters undefined and define them when associating.
Example 1: Custom baseline policy
{ "Function":"StartDate", "Parameters":[ "2017-12-31T13:50Z" ] }Example 2: Custom CWE policy
{ "Function":"CWE", "Parameters":[ 89, 90 ] }Example 3: Composite custom policy
{ "Operation":"And", "Expressions":[ { "Function":"StartDate", "Parameters":[ "2018-04-24T10:30Z" ] }, { "Function":"MinSeverity", "Parameters":[ "Medium" ] } ] }Example 4: Custom policy to exclude CWEs 89 and 90
{ "Operation": "Not", "Expressions": [ { "Function": "CWE", "Parameters": [ 89, 90 ] } ] }Example 5: Custom OWASP Top 10 policy excluding CWEs 89 and 90
{ "Operation": "And", "Expressions": [ { "Operation": "Not", "Expressions": [ { "Function": "CWE", "Parameters": [ 89, 90 ] } ] }, { "Function": "OwaspTop10_2017" } ] } - When done, click Close
Creating custom policies through the REST API
In the REST API, a policy is defined using an expression tree. This can consist of a single basic
expression, or multiple expressions with a logical operation (And, Or,
Not). Each basic expression consists of a predefined function and its
parameter (if required). You can set either the parameter value when creating the
policy, or use $ to leave it undefined. When a parameter is
undefined the user is required to provide the value when associating the policy with
an application.
Example 1: Custom baseline policy
{
"Name": "Baseline",
"Predefined": true,
"Expression": {
"Function": "StartDate",
"Parameters": [
"$DATE"
]
}
}Example 2: Custom CWE policy
{
"Name": "CWE policy",
"Expression": {
"Function": "CWE",
"Parameters": [
89,
90
]
}
}Example 3: Composite custom policy
In this example of a custom policy, the functions StartDate and
MinSeverity are included, with operation And,
so that only issues found after the specified date, and with the specified minimum
severity, will be included.
{
"Name": "MyPolicy",
"Predefined": false,
"Expression": {
"Operation": "And",
"Expressions": [
{
"Function": "StartDate",
"Parameters": [
"2018-04-24T10:30Z"
]
},
{
"Function": "MinSeverity",
"Parameters": [
"$minseverity"
]
}
]
}
}