Create a Policy

Note: The Policy Builder replaces the old method of creating CI/CD scan policies in Container Security.

A Container Security policy defines events that are noteworthy in the network. When an event occurs that meets the conditions outlined in a policy, Container Security logs the event and, in accordance with the policy definition, either sends an alert or blocks the deployment.

To create a policy in Container Security:

  1. In the left navigation, click Policies.

    The Policies page appears, which displays a list of your policies.

  2. At the top of the table, click Add Policy.

    The Policy Builder page appears.

  3. In the Details section, configure the policy category, name, and description.

    1. In the Category drop-down, select the policy category:

      • CI/CD - detect security and quality issues in the build pipeline.

      • Kubernetes - detect misconfigurations and vulnerabilities in Kubernetes clusters.

    2. In the Name box, type a name for the policy.

    3. (Optional) In the Description box, type a description for the policy.

    4. Click Next.

  4. In the Definition section, select how Container Security will enforce the policy, and create a query to define the policy conditions.

    1. In the Action section, select the action that occurs when an event meets the policy conditions:

      • Block Deployment - if an image meets the policy conditions, Container Security blocks the deployment.

        -or-

      • Alert - if an image meets the policy conditions, Container Security sends a notification about the image.

      Note: Policy failures will list the events that met the policy conditions. Policy successes will list the events that did not meet the policy conditions, and were therefore successful.

    2. In the Rule 1 box, type a query or build a query using the drop-down to select filters, operators, and values.

    3. (Optional) To add another query to the policy, click Add Rule.

      The And/Or buttons and Rule 2 box appear.

      • Click And or Or to define how the policy combines the rules.

      • In the Rule 2 box, define a second rule.

      • Click Add Rule to add as many rules as desired.

      • To delete a rule, click the button to the right of the rule. Each policy must have at least one rule.

    4. Click Next.

  5. In the Scope section, select the pipeline or cluster for the policy.

    1. Enable the Activate upon completion setting to XYZ.

    2. Depending on the Category you chose in the Details section, define the pipeline or cluster for the policy scope:

      • CI/CD category

        • In the Pipeline Type drop-down, select the type of pipeline to which the policy applies (for example, Jenkins or Azure DevOps).

        • In the Pipeline Name drop-down, select the pipeline for the policy.

        • (Optional) To add more pipelines, click Add Pipeline.

        • (Optional) To delete a pipeline from the policy, click the button to the right of the Pipeline Type box. Each CI/CD policy must specify at least one pipeline.

      • Kubernetes category

        • In the Cluster drop-down, select one or more clusters for the policy.

        • (Optional) To delete a cluster from the policy, click the X button to the right of the cluster name.

        • (Optional) To delete all clusters from the policy, click the X button on the right side of the Cluster drop-down.

  6. Click Save.

    The Policies page appears, and the new policy appears in the table. By default, the policy is Inactive.
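The following is an added example, not Container Security code, that models how a policy built with the steps above is evaluated: rules made of a filter, an operator and a value; rules combined with And or Or; the Block Deployment or Alert action; the "at least one rule" requirement; and the split into policy failures (events that met the conditions) and policy successes (events that did not). The page does not describe the query language, so the operator names, the event attribute names and the treatment of an Inactive policy (evaluated but not enforced) are assumptions.

```python
from dataclasses import dataclass
import operator

# Operator names are assumptions; the page only says the builder offers
# "filters, operators, and values".
OPERATORS = {
    "equals": operator.eq,
    "not equals": operator.ne,
    "greater than": operator.gt,
    "less than": operator.lt,
    "contains": lambda actual, expected: expected in actual,
}


@dataclass
class Rule:
    """One Rule box: a filter (event attribute), an operator and a value."""
    filter: str
    op: str
    value: object

    def matches(self, event: dict) -> bool:
        if self.filter not in event:
            return False  # an event without the attribute cannot meet the rule
        return OPERATORS[self.op](event[self.filter], self.value)


@dataclass
class Policy:
    name: str
    category: str          # "CI/CD" or "Kubernetes"
    action: str            # "Block Deployment" or "Alert"
    rules: list
    combine: str = "And"   # the And/Or buttons, applied between all rules
    active: bool = False   # a newly saved policy is Inactive by default

    def __post_init__(self):
        if not self.rules:
            raise ValueError("each policy must have at least one rule")
        if self.action not in ("Block Deployment", "Alert"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.combine not in ("And", "Or"):
            raise ValueError(f"unknown combinator {self.combine!r}")

    def meets_conditions(self, event: dict) -> bool:
        results = [rule.matches(event) for rule in self.rules]
        return all(results) if self.combine == "And" else any(results)


def evaluate(policy: Policy, events: list) -> dict:
    """Split events into policy failures (met the conditions) and policy
    successes (did not), recording the enforcement decision per failure.
    Assumption: an inactive policy is evaluated but enforces nothing."""
    failures, successes, decisions = [], [], {}
    for event in events:
        if policy.meets_conditions(event):
            failures.append(event["image"])
            if not policy.active:
                decisions[event["image"]] = "no action (policy inactive)"
            elif policy.action == "Block Deployment":
                decisions[event["image"]] = "deployment blocked"
            else:
                decisions[event["image"]] = "alert sent"
        else:
            successes.append(event["image"])
    return {"failures": failures, "successes": successes, "decisions": decisions}


# Constructed sample scan events; the attribute names are assumptions.
EVENTS = [
    {"image": "web:1.4", "critical_vulns": 3, "tag": "1.4"},
    {"image": "api:2.0", "critical_vulns": 0, "tag": "2.0"},
    {"image": "batch:latest", "critical_vulns": 0, "tag": "latest"},
]

# Hypothetical policy: block any image that has critical vulnerabilities
# OR is deployed from the floating "latest" tag.
BLOCK_POLICY = Policy(
    name="no-critical-or-latest",
    category="CI/CD",
    action="Block Deployment",
    rules=[
        Rule("critical_vulns", "greater than", 0),
        Rule("tag", "equals", "latest"),
    ],
    combine="Or",
    active=True,
)

if __name__ == "__main__":
    for image, decision in evaluate(BLOCK_POLICY, EVENTS)["decisions"].items():
        print(f"{image}: {decision}")
```

Switching `combine` to "And" on the same two rules shows why the And/Or choice matters: an image then has to be both vulnerable and tagged `latest` before it counts as a policy failure, and none of the sample images does.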