Creating custom compliance policies
If you have the required permissions, you can create and delete your own custom compliance policies.
And,
Or, Not). Each basic expression consists of a predefined function, and its
parameter (if required). You can either set the parameter value when creating the
compliance policy, or use $ to leave it undefined. When a parameter is
undefined the user will be required to provide the value when associating the compliance
policy with an application.Predefined functions
| Function | Parameters | Description |
|---|---|---|
StartDate |
Date (can include time) in one of the following formats:
|
Returns issues discovered after the specified date (and time). Examples:
|
MinSeverity |
Severity in format:
|
Returns issues equal to or of greater severity to the specified parameter. |
OwaspTop10_2017 |
N/A | Returns issues defined by OWASP as a top 10 security risk. |
SansTop25 |
N/A | Returns issues defined by SANS Institute as a top 25 critical error. |
EUGdpr_2016 |
N/A | Returns issues that render the application out of compliance with the GDPR. |
CWE |
List of CWE IDs | Returns issues that correspond to the specified CWE IDs. |
PCI |
N/A | Returns issues that render the application out of compliance with the PCI data security standard. |
HIPAA |
N/A | Returns issues that render the application out of compliance with HIPAA. |
Technology |
Valid technologies:
|
Returns issues that correspond to the specified technologies. |
Creating custom compliance policies through the user interface
- On the dashboard click Compliance policies, then click Add custom compliance policy.
- Give the compliance policy a name, and define it as a JSON
expression.Note: If the compliance policy will be associated to applications through the interface, you must define any parameters when you create the compliance policy; it is not possible to define parameters when associating the compliance policy. If the compliance policy will be associated with applications using the API, you can leave the parameters undefined and define them when associating.
Example 1: Custom baseline compliance policy
{ "Function":"StartDate", "Parameters":[ "2017-12-31T13:50Z" ] }Example 2: Custom CWE compliance policy
{ "Function":"CWE", "Parameters":[ 89, 90 ] }Example 3: Composite custom compliance policy
{ "Operation":"And", "Expressions":[ { "Function":"StartDate", "Parameters":[ "2018-04-24T10:30Z" ] }, { "Function":"MinSeverity", "Parameters":[ "Medium" ] } ] }Example 4: Custom compliance policy to exclude CWEs 89 and 90
{ "Operation": "Not", "Expressions": [ { "Function": "CWE", "Parameters": [ 89, 90 ] } ] }Example 5: Custom OWASP Top 10 compliance policy excluding CWEs 89 and 90
{ "Operation": "And", "Expressions": [ { "Operation": "Not", "Expressions": [ { "Function": "CWE", "Parameters": [ 89, 90 ] } ] }, { "Function": "OwaspTop10_2017" } ] }Example 6: Custom compliance policy to filter issues based on Technology
{ "Function": "Technology", "Parameters": [ "DAST", "SAST" ] } - When done, click Close
Creating custom compliance policies through the REST API
In the REST API, a compliance policy is defined using an expression tree. This can consist of a
single basic expression, or multiple expressions with a logical operation
(And, Or, Not). Each basic expression consists of a predefined
function and its parameter (if required). You can set either the parameter value
when creating the compliance policy, or use $ to leave it
undefined. When a parameter is undefined the user is required to provide the value
when associating the compliance policy with an application.
Example 1: Custom baseline compliance policy
{
"Name": "Baseline",
"Predefined": true,
"Expression": {
"Function": "StartDate",
"Parameters": [
"$DATE"
]
}
}Example 2: Custom CWE compliance policy
{
"Name": "CWE policy",
"Expression": {
"Function": "CWE",
"Parameters": [
89,
90
]
}
}Example 3: Composite custom compliance policy
In this example of a custom compliance policy, the functions StartDate and
MinSeverity are included, with operation And,
so that only issues found after the specified date, and with the specified minimum
severity, will be included.
{
"Name": "MyPolicy",
"Predefined": false,
"Expression": {
"Operation": "And",
"Expressions": [
{
"Function": "StartDate",
"Parameters": [
"2018-04-24T10:30Z"
]
},
{
"Function": "MinSeverity",
"Parameters": [
"$minseverity"
]
}
]
}
}
Example 3: Custom compliance policy to filter issues based on Technology. Only issues under DAST and SAST scans are listed.
{
"Name": "Tech Filter",
"Expression": {
"Function": "Technology",
"Parameters": [
"DAST",
"SAST"
]
}
}