Creating custom compliance policies
If you have the required permissions, you can create and delete your own custom compliance policies.
A compliance policy is defined as an expression tree. This can consist of a single basic expression, or multiple expressions combined with a logical operation (And, Or, Not). Each basic expression consists of a predefined function and its parameter (if required). You can either set the parameter value when creating the compliance policy, or use $ to leave it undefined. When a parameter is undefined, the user is required to provide the value when associating the compliance policy with an application.
Predefined functions
Functions marked with an asterisk (*) require a parameter and are described in the table that follows; the remaining functions (the OWASP, SANS, regulatory and standards categories) take no parameter.
- Issues functions:
StartDate*, MinSeverity*, OwaspTop10_2017, SansTop25, EUGdpr_2016, PCI, CWE*, ThreatClass*, HIPAA, OwaspTop10Mobile_2016, ISO27001, ISO27002, Wasc, Nist, Sox, Fisma, Fippa, Efta, DISA_STIG, PADSS, OwaspTop10_2021, OwaspTop10OpenApi_2019, CCPA, FedRamp, Popia, OwaspTop10Api_2023, SansTop25_2023, OwaspTop10CloudNativeApp, Nis2, Dora, OwaspAsvs, Technology*, SansTop25_2024, OwaspTop10Llm_2025, Itsg33, OwaspTop10_2025
- License functions:
BlockedLicenseName*, AllowedLicenseName*, AllowedCopyLeft*, AllowedRiskLevel*, AllowedCopyrightRiskScore*, AllowedPatentRiskScore*, AllowedLinking*, AllowedRoyaltyFree*
Functions requiring parameters:
| Function | Description | Parameters | Example 1 | Example 2 |
|---|---|---|---|---|
| Issue policy functions | | | | |
| StartDate | Evaluate only issues updated after this date | Date, optionally with time, in one of the formats shown in the examples | ["2025-01-01"] | ["2025-06-15T00:00Z"] |
| MinSeverity | Minimum severity threshold for violations | Severity level | ["Medium"] | ["High"] |
| Technology | Filter by scan technology type | List of scan technologies | ["DAST"] | ["SCA"] |
| CWE | Filter by specific CWE IDs | List of CWE IDs | ["79"] | ["89", "502"] |
| ThreatClass | Filter by threat class identifiers | List of threat classes | ["catSQLInjection"] | ["catServerMisconfiguration"] |
| SCA (open source license) policy functions | | | | |
| StartDate | Evaluate only packages updated after this date | Date, optionally with time, in one of the formats shown in the examples | ["2025-01-01"] | ["2025-06-15T00:00Z"] |
| BlockedLicenseName | Blocks packages with these specific licenses | List of license names | ["GPL-3.0"] | ["AGPL-3.0"] |
| AllowedLicenseName | Only permits these licenses; all others are flagged | List of license names | ["MIT"] | ["Apache-2.0"] |
| AllowedCopyLeft | Permits only these copyleft levels | List of copyleft levels | ["No"] | ["Partial"] |
| AllowedRiskLevel | Permits only these license risk levels | List of risk levels | ["Low"] | ["Medium"] |
| AllowedCopyrightRiskScore | Permits only these copyright risk scores | List of risk scores | ["ONE"] | ["TWO"] |
| AllowedPatentRiskScore | Permits only these patent risk scores | List of risk scores | ["ONE"] | ["TWO"] |
| AllowedLinking | Permits only these linking types | List of linking types | ["Non_Viral"] | ["Dynamic"] |
| AllowedRoyaltyFree | Permits only these royalty-free statuses | List of royalty-free statuses | ["Yes"] | ["Conditional"] |
Creating custom compliance policies through the user interface
- From , click Add custom compliance policy.
- Give the compliance policy a name, and define it as a JSON expression.
Note: If the compliance policy will be associated with applications through the interface, you must define any parameters when you create the compliance policy; it is not possible to define parameters when associating the compliance policy. If the compliance policy will be associated with applications using the API, you can leave the parameters undefined and define them when associating.
Example 1: Custom baseline compliance policy
{ "Function": "StartDate", "Parameters": [ "2017-12-31T13:50Z" ] }
Example 2: Custom CWE compliance policy
{ "Function": "CWE", "Parameters": [ 89, 90 ] }
Example 3: Composite custom compliance policy
{
  "Operation": "And",
  "Expressions": [
    { "Function": "StartDate", "Parameters": [ "2018-04-24T10:30Z" ] },
    { "Function": "MinSeverity", "Parameters": [ "Medium" ] }
  ]
}
Example 4: Custom compliance policy to exclude CWEs 89 and 90
{
  "Operation": "Not",
  "Expressions": [
    { "Function": "CWE", "Parameters": [ 89, 90 ] }
  ]
}
Example 5: Custom OWASP Top 10 compliance policy excluding CWEs 89 and 90
{
  "Operation": "And",
  "Expressions": [
    { "Operation": "Not", "Expressions": [ { "Function": "CWE", "Parameters": [ 89, 90 ] } ] },
    { "Function": "OwaspTop10_2017" }
  ]
}
Example 6: Custom compliance policy to filter issues based on Technology
{ "Function": "Technology", "Parameters": [ "DAST", "SAST" ] }
- When done, click Close.
Creating custom compliance policies through the REST API
In the REST API, a compliance policy is defined using an expression tree. This can consist of a single basic expression, or multiple expressions combined with a logical operation (And, Or, Not). Each basic expression consists of a predefined function and its parameter (if required). You can either set the parameter value when creating the compliance policy, or use a $-prefixed placeholder (for example "$DATE") to leave it undefined. When a parameter is undefined, the user is required to provide the value when associating the compliance policy with an application.
Example 1: Custom baseline compliance policy
{
"Name": "Baseline",
"Predefined": true,
"Expression": {
"Function": "StartDate",
"Parameters": [
"$DATE"
]
}
}
Example 2: Custom CWE compliance policy
{
"Name": "CWE policy",
"Expression": {
"Function": "CWE",
"Parameters": [
89,
90
]
}
}
Example 3: Composite custom compliance policy
In this example of a custom compliance policy, the functions StartDate and
MinSeverity are included, with operation And,
so that only issues found after the specified date, and with the specified minimum
severity, will be included.
{
"Name": "MyPolicy",
"Predefined": false,
"Expression": {
"Operation": "And",
"Expressions": [
{
"Function": "StartDate",
"Parameters": [
"2018-04-24T10:30Z"
]
},
{
"Function": "MinSeverity",
"Parameters": [
"$minseverity"
]
}
]
}
}
Example 4: Custom compliance policy to filter issues based on Technology. Only issues from DAST and SAST scans are included.
{
"Name": "Tech Filter",
"Expression": {
"Function": "Technology",
"Parameters": [
"DAST",
"SAST"
]
}
}
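The following is an added example, not code from HCL AppScan or from this page. It evaluates a policy expression tree of the shape shown in the examples above offline, so you can check what a policy selects before creating it, and it performs the $-placeholder binding that otherwise happens when an API-created policy is associated with an application. Everything about the issue records is assumed: the field names, the severity order (Informational < Low < Medium < High < Critical), the treatment of parameterless category functions such as OwaspTop10_2017 as a per-issue "categories" list, StartDate being inclusive, and Not wrapping exactly one sub-expression as in the page's examples. The sample issues are constructed for the demonstration.

```python
"""Offline evaluator for a compliance-policy expression tree.

Added example; not part of HCL AppScan or its documentation. Issue records,
severity ordering, the "categories" model for parameterless functions,
inclusive StartDate and single-child Not are all assumptions.
"""
from datetime import datetime, timezone

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_date(value):
    """Parse the two date formats the table shows: YYYY-MM-DD or YYYY-MM-DDTHH:MMZ."""
    fmt = "%Y-%m-%dT%H:%MZ" if value.endswith("Z") else "%Y-%m-%d"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def bind_parameters(expr, values):
    """Return a copy of the tree with every "$name" placeholder replaced from `values`.

    This is the step performed when a policy created with undefined parameters
    is associated with an application; an unbound placeholder raises so the
    problem surfaces before the association call is made.
    """
    if "Operation" in expr:
        return {"Operation": expr["Operation"],
                "Expressions": [bind_parameters(e, values) for e in expr["Expressions"]]}
    bound = []
    for p in expr.get("Parameters", []):
        if isinstance(p, str) and p.startswith("$"):
            if p[1:] not in values:
                raise ValueError(f"unbound policy parameter {p}")
            p = values[p[1:]]
        bound.append(p)
    out = {"Function": expr["Function"]}
    if bound:
        out["Parameters"] = bound
    return out


def matches(expr, issue):
    """True if `issue` is selected by the (fully bound) policy expression."""
    op = expr.get("Operation")
    if op == "And":
        return all(matches(e, issue) for e in expr["Expressions"])
    if op == "Or":
        return any(matches(e, issue) for e in expr["Expressions"])
    if op == "Not":
        (child,) = expr["Expressions"]  # assumed: Not wraps exactly one expression
        return not matches(child, issue)
    fn, params = expr["Function"], expr.get("Parameters", [])
    if fn == "StartDate":
        return issue["updated"] >= parse_date(params[0])
    if fn == "MinSeverity":
        return SEVERITY_RANK[issue["severity"]] >= SEVERITY_RANK[params[0]]
    if fn == "CWE":
        # The table writes CWE IDs as strings, the API examples as integers; accept both.
        return issue["cwe"] in {int(p) for p in params}
    if fn == "Technology":
        return issue["technology"] in params
    if fn == "ThreatClass":
        return issue["threat_class"] in params
    # Any other function is treated as a parameterless category test (assumed model).
    return fn in issue["categories"]


def filter_issues(expr, issues):
    """IDs of the issues a policy selects, in input order."""
    return [i["id"] for i in issues if matches(expr, i)]


# Constructed sample issues; threat classes other than catSQLInjection are made-up names.
ISSUES = [
    {"id": 1, "cwe": 89, "severity": "High", "technology": "DAST",
     "threat_class": "catSQLInjection", "categories": ["OwaspTop10_2017"],
     "updated": parse_date("2018-05-01")},
    {"id": 2, "cwe": 79, "severity": "Medium", "technology": "SAST",
     "threat_class": "catCrossSiteScripting", "categories": ["OwaspTop10_2017"],
     "updated": parse_date("2018-05-01")},
    {"id": 3, "cwe": 90, "severity": "Low", "technology": "SCA",
     "threat_class": "catLDAPInjection", "categories": ["OwaspTop10_2017"],
     "updated": parse_date("2018-05-01")},
    {"id": 4, "cwe": 502, "severity": "Critical", "technology": "SAST",
     "threat_class": "catDeserialization", "categories": [],
     "updated": parse_date("2017-01-01")},
]

# Example 5 from this page: OWASP Top 10 2017 issues, excluding CWEs 89 and 90.
OWASP_EXCLUDING_89_90 = {
    "Operation": "And",
    "Expressions": [
        {"Operation": "Not", "Expressions": [{"Function": "CWE", "Parameters": [89, 90]}]},
        {"Function": "OwaspTop10_2017"},
    ],
}

# REST API Example 3 from this page, with MinSeverity left undefined until association.
BASELINE_WITH_MIN_SEVERITY = {
    "Operation": "And",
    "Expressions": [
        {"Function": "StartDate", "Parameters": ["2018-04-24T10:30Z"]},
        {"Function": "MinSeverity", "Parameters": ["$minseverity"]},
    ],
}

if __name__ == "__main__":
    print(filter_issues(OWASP_EXCLUDING_89_90, ISSUES))  # [2]
    bound = bind_parameters(BASELINE_WITH_MIN_SEVERITY, {"minseverity": "Medium"})
    print(filter_issues(bound, ISSUES))  # [1, 2]
```

Running the page's Example 5 against the sample set keeps only issue 2: issues 1 and 3 are in the OWASP category but carry the excluded CWEs, and issue 4 is not in the category at all. Binding the `$minseverity` placeholder to "Medium" before evaluating the composite baseline policy selects issues 1 and 2, and calling `bind_parameters` without a value for it raises, which is the check to run before associating an API-created policy that still has undefined parameters.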