Configure CI/CD Scan Policies
Before you can run a Container Security scan, you must create a CI/CD scan policy JSON file. Save this file on the same host as your Container Security scanner that you create in Add a Scanner.
CI/CD scan policy conditions apply to the entire image, not individual plugins.
Structure of a CI/CD Scan Policy JSON File
Field | Description |
---|---|
policy_groups | A policy JSON file is a list of policy_groups. Each policy_group is a list of policy entries with boolean operators (group_operator) to join them. |
group_operator | The group_operator field accepts only AND and OR. The group_operator applies to the list of entries. |
entries | Each entries item contains a label, operator, field, and policy_value. |
label | An arbitrary string that describes the policy entry. For example, "Cvssv3 cannot be greater than 7". |
operator | The operation that you want to trigger policy violations on. Some fields only support the EQ operator. The following are the supported operators: |
field | Any of the fields you want to support policy evaluation on. The following are the supported fields: |
policy_value | The value you want to match on to trigger a policy violation. |
Example CI/CD Scan Policy JSON Files
Simple Policy
The following policy triggers a violation when the CVSS v3 score is greater than or equal to 7.
```json
{
  "policy_groups": [
    {
      "entries": [
        {
          "label": "Cvssv3 cannot be greater or equal to 7",
          "operator": "GTE",
          "field": "CVSS3",
          "policy_value": "7"
        }
      ],
      "group_operator": "OR"
    }
  ]
}
```
Policy with AND or OR operators
The following policy triggers a violation when:
- The CVSS v3 score is greater than or equal to 7.
-or-
- The VPR score is greater than or equal to 7.
```json
{
  "policy_groups": [
    {
      "entries": [
        {
          "label": "Cvssv3 cannot be greater or equal to 7",
          "operator": "GTE",
          "field": "CVSS3",
          "policy_value": "7"
        },
        {
          "label": "Vpr cannot be greater or equal to 7",
          "operator": "GTE",
          "field": "VPR",
          "policy_value": "7"
        }
      ],
      "group_operator": "OR"
    }
  ]
}
```
The following policy triggers a violation when:
- The CVSS v3 score is greater than or equal to 7.
-and-
- The VPR score is greater than or equal to 7.
```json
{
  "policy_groups": [
    {
      "entries": [
        {
          "label": "Cvssv3 cannot be greater or equal to 7",
          "operator": "GTE",
          "field": "CVSS3",
          "policy_value": "7"
        },
        {
          "label": "Vpr cannot be greater or equal to 7",
          "operator": "GTE",
          "field": "VPR",
          "policy_value": "7"
        }
      ],
      "group_operator": "AND"
    },
    {
      "entries": [
        {
          "label": "CVE-123 exists",
          "operator": "EQ",
          "field": "CVE",
          "policy_value": "123"
        }
      ],
      "group_operator": "OR"
    }
  ]
}
```
Complex Nested Policy
The following policy triggers a violation when:
- The CVSS v3 score is greater than or equal to 7, and the VPR score is greater than or equal to 7.
-or-
- The CVE is cve-123, or the package is curl-1.1.
```json
{
  "policy_groups": [
    {
      "entries": [
        {
          "label": "Cvssv3 cannot be greater or equal to 7",
          "operator": "GTE",
          "field": "CVSS3",
          "policy_value": "7"
        },
        {
          "label": "Vpr cannot be greater or equal to 7",
          "operator": "GTE",
          "field": "VPR",
          "policy_value": "7"
        }
      ],
      "group_operator": "AND"
    },
    {
      "entries": [
        {
          "label": "CVE-123 exists",
          "operator": "EQ",
          "field": "CVE",
          "policy_value": "123"
        },
        {
          "label": "curl-1.1 exists",
          "operator": "EQ",
          "field": "PACKAGE",
          "policy_value": "curl-1.1"
        }
      ],
      "group_operator": "OR"
    }
  ]
}
```
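To see how the policy_groups, group_operator and entries structure above is evaluated, here is an added Python evaluator (example code, not Tenable's scanner) that validates a policy file and checks it against constructed findings. It assumes an entry matches when any finding in the image satisfies it and that policy groups are combined with OR (as the Complex Nested Policy description implies), neither of which the page states explicitly; only the GTE and EQ operators and the CVSS3, VPR, CVE and PACKAGE fields shown on the page are handled.

```python
"""Evaluate a CI/CD scan policy JSON against an image's findings. Added example,
not Tenable's code. Assumed (the page does not say): an entry matches if any
finding in the image satisfies it; policy groups are joined by OR (per the nested example)."""
import json
NUMERIC_FIELDS = {"CVSS3", "VPR"}  # fields the page compares with GTE

def validate_policy(policy: dict) -> None:
    """Reject a malformed policy before the pipeline gates on it."""
    for group in policy["policy_groups"]:
        if group["group_operator"] not in ("AND", "OR"):
            raise ValueError(f"bad group_operator {group['group_operator']!r}")
        for entry in group["entries"]:
            if missing := {"label", "operator", "field", "policy_value"} - entry.keys():
                raise ValueError(f"entry missing {sorted(missing)}")
            if entry["operator"] not in ("GTE", "EQ"):  # only operators shown on the page
                raise ValueError(f"unsupported operator {entry['operator']!r}")

def entry_matches(entry: dict, findings: list[dict]) -> bool:
    """True if any finding satisfies the entry (policies are image-level)."""
    field, op, value = entry["field"], entry["operator"], entry["policy_value"]
    for f in findings:
        if field not in f:
            continue
        if op == "EQ" and str(f[field]).lower() == str(value).lower():
            return True
        if op == "GTE" and field in NUMERIC_FIELDS and float(f[field]) >= float(value):
            return True
    return False

def violated_labels(policy_json: str, findings: list[dict]) -> list[str]:
    """Labels of the matched entries in every policy group that fires."""
    policy = json.loads(policy_json)
    validate_policy(policy)
    hits = []
    for group in policy["policy_groups"]:
        results = [entry_matches(e, findings) for e in group["entries"]]
        if all(results) if group["group_operator"] == "AND" else any(results):
            hits += [e["label"] for e, r in zip(group["entries"], results) if r]
    return hits
# Constructed sample: the page's "Complex Nested Policy" and two made-up findings.
POLICY = json.dumps({"policy_groups": [
    {"group_operator": "AND", "entries": [
        {"label": "Cvssv3 cannot be greater or equal to 7", "operator": "GTE", "field": "CVSS3", "policy_value": "7"},
        {"label": "Vpr cannot be greater or equal to 7", "operator": "GTE", "field": "VPR", "policy_value": "7"}]},
    {"group_operator": "OR", "entries": [
        {"label": "CVE-123 exists", "operator": "EQ", "field": "CVE", "policy_value": "123"},
        {"label": "curl-1.1 exists", "operator": "EQ", "field": "PACKAGE", "policy_value": "curl-1.1"}]}]})
FINDINGS = [{"CVE": "CVE-0000-0001", "PACKAGE": "openssl-1.0", "CVSS3": 7.5, "VPR": 5.9},
            {"CVE": "CVE-0000-0002", "PACKAGE": "curl-1.1", "CVSS3": 4.3, "VPR": 3.6}]

if __name__ == "__main__":
    print(violated_labels(POLICY, FINDINGS))  # ['curl-1.1 exists']
```

With the sample findings the AND group does not fire (no finding has VPR >= 7), while the OR group fires on the curl-1.1 package; a typo such as a group_operator of "XOR" is rejected before evaluation.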