Governance Policies
SOOS allows you to create policies, or rules, around the packages, licenses and CWEs identified through SOOS scans. Once a policy is created, a policy violation warning is generated any time a scan detects something that violates the policy.
License Name policies provide the ability to allow or disallow one or more licenses by SPDX identifier.
License Attribute policies provide the ability to disallow licenses by specifying attributes of your own software, such as Commercial with Patents, so that licenses incompatible with those attributes are flagged.
Missing/Unknown license policies provide the ability to identify packages which do not have a license or where the license is not a known SPDX license.
Package policies provide the ability to disallow specific packages using the package identifier and optional version syntax.
Package Install policies provide the ability to set a minimum threshold for the number of package downloads, to ensure that only well-known and widely used packages are referenced.
CWE policies allow specific CWEs to be disallowed across SCA, SBOM, Container, SAST and DAST scans.
SOOS Governance Policies can be applied globally (to all projects) or to a single project or group of projects. The Projects option can be used to filter the view to all policies, global policies or a specific project's policies. Select the Policy type tabs to view the policies of that type that have already been created, or to create new ones.

All policies contain the following common properties:
- Policy Name - The name appears in the Violation Issues detail, so it's important to use meaningful names.
- Policy Scope - Defines if the policy applies to all projects or only specific projects.
- Policy Behavior - Optional value indicating whether this policy should also be triggered when the data it needs to evaluate (for example, a package's license) is missing from the scan results.
The Policy Definition varies based on the type of policy. For a Package policy, for example, providing a package id and an optional version ensures that a violation is created for any matching package.
License Name policies only
Select either 'allow' or 'disallow' to create either an allow list or a disallow list of license names.
- Allow - Any license detected that is not in this list will generate a violation.
- Disallow - Any license detected that is in this list will generate a violation.
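The allow/disallow semantics above, together with the Policy Behavior option for missing data, are easy to get backwards when writing your own pre-commit or CI gate. The following evaluator is an added example, not SOOS's own code or API: it assumes a small, constructed set of SPDX identifiers (the real list is much larger), treats a license that is absent or not a recognised SPDX identifier as "missing data" that only the Policy Behavior flag can turn into a violation, and uses invented package names and licenses as input.

```python
"""Illustrative evaluator for License Name governance policies.

Added example; this is not SOOS's implementation. KNOWN_SPDX is a
constructed sample, not the full SPDX license list.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of SPDX identifiers (assumption: a real gate would
# load the full SPDX license list instead of this hard-coded subset).
KNOWN_SPDX = frozenset({
    "MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "AGPL-3.0-only",
})


@dataclass(frozen=True)
class LicensePolicy:
    name: str                        # appears in the violation detail, so keep it meaningful
    mode: str                        # "allow" or "disallow"
    licenses: frozenset              # SPDX identifiers in the allow or disallow list
    trigger_on_missing: bool = False # Policy Behavior: fire when license data is missing/unknown


@dataclass(frozen=True)
class Violation:
    policy: str
    package: str
    reason: str


# Constructed scan result: (package identifier, detected license or None).
SAMPLE_COMPONENTS: List[Tuple[str, Optional[str]]] = [
    ("left-pad@1.3.0", "MIT"),
    ("reportgen@2.0.1", "AGPL-3.0-only"),
    ("vendor-blob@0.9.0", None),          # no license metadata at all
    ("widget-sdk@4.2.0", "Custom-EULA"),  # not a known SPDX identifier
]


def evaluate(policy: LicensePolicy, components) -> List[Violation]:
    """Return one Violation per component that breaches the policy.

    Allow mode: any *known* license not on the list is a violation.
    Disallow mode: any license on the list is a violation.
    Missing or non-SPDX licenses never match either list; they only
    produce a violation when trigger_on_missing (Policy Behavior) is set.
    """
    if policy.mode not in ("allow", "disallow"):
        raise ValueError(f"unknown policy mode {policy.mode!r}")

    violations: List[Violation] = []
    for package, license_id in components:
        if license_id is None or license_id not in KNOWN_SPDX:
            if policy.trigger_on_missing:
                violations.append(Violation(
                    policy.name, package,
                    f"license missing or not a known SPDX identifier: {license_id!r}"))
            continue

        if policy.mode == "allow" and license_id not in policy.licenses:
            violations.append(Violation(
                policy.name, package, f"{license_id} is not on the allow list"))
        elif policy.mode == "disallow" and license_id in policy.licenses:
            violations.append(Violation(
                policy.name, package, f"{license_id} is on the disallow list"))
    return violations


def violating_packages(policy: LicensePolicy, components) -> List[str]:
    """Convenience wrapper: just the package identifiers that violated."""
    return [v.package for v in evaluate(policy, components)]


if __name__ == "__main__":
    permissive_only = LicensePolicy(
        "Permissive licenses only", "allow", frozenset({"MIT", "Apache-2.0"}))
    no_agpl = LicensePolicy(
        "No AGPL", "disallow", frozenset({"AGPL-3.0-only"}))
    strict = LicensePolicy(
        "Permissive only, flag unknowns", "allow",
        frozenset({"MIT", "Apache-2.0"}), trigger_on_missing=True)
    for policy in (permissive_only, no_agpl, strict):
        for v in evaluate(policy, SAMPLE_COMPONENTS):
            print(f"[{v.policy}] {v.package}: {v.reason}")
```

Note how the same allow list behaves differently depending on Policy Behavior: without the missing-data trigger, the component with no license metadata and the one with a non-SPDX license string pass silently, which is exactly the gap a Missing/Unknown license policy (or the trigger) is meant to close.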
