Governance Policies

SOOS allows you to create policies, or rules, around the packages, licenses and CWEs identified through SOOS scans. Once a policy is created, a policy violation warning is generated any time a scan detects something that violates the policy.

Policy Types

- License Name: license name policies provide the ability to allow or disallow one or more licenses by SPDX identifier.
- License Attribute: license attribute policies provide the ability to disallow licenses by specifying attributes of your software, such as "commercial with patents".
- Missing License: missing/unknown license policies provide the ability to identify packages which do not have a license, or where the license is not a known SPDX license.
- Package: package policies provide the ability to disallow specific packages using the package identifier and optional version syntax.
- Package Installs: package install policies provide the ability to set a minimum threshold for the number of package downloads, to ensure that only well-known and widely used packages are referenced.
- CWEs / OWASP Top 10 / MITRE Top 25: CWE policies allow specific CWEs to be disallowed across SCA, SBOM, Container, SAST and DAST scans.

Viewing Policies

SOOS governance policies can be applied globally (to all projects) or to a project or group of projects. The Projects option can be used to filter the view to all policies, global policies, or a specific project's policies. Select the policy type tabs to view the specific policies that have been created, or to create new policies.

(Screenshot: Governance Policies)

Creating Policies

All policies contain the following common properties:

- Policy Name: the name appears in the Violation Issues detail, so it is important to use meaningful names.
- Policy Scope: defines whether the policy applies to all projects or only to specific projects.
- Policy Severity: the severity to use for Violation Issues created by this policy.
- Policy Behavior: optional value to indicate whether this policy should be triggered when the required data is missing.
- Policy Definition: the policy definition varies based on the type of policy; in this case, providing a package ID and optional version will ensure that a violation is created for any matching packages.

License Name policies only: select either "Allow" or "Disallow" to create either an allow list or a disallow list of license names.

- Allow: any license detected that is not in this list will generate a violation.
- Disallow: any license detected that is in the disallow list will generate a violation.

(Screenshot: Governance Policy Creation)
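The allow-list versus disallow-list distinction, the optional-version package match, the download threshold and the "fire when data is missing" behavior are easy to get backwards when writing policies. The following toy evaluator is an added example, not SOOS code: it models the policy types described above in plain Python so the semantics can be checked against constructed scan data. The component fields, policy constructors and the version-matching rule (exact match when a version is given, any version otherwise) are assumptions for illustration; SOOS's actual policy syntax is not shown on this page.

```python
"""Toy governance-policy evaluator (added example, not SOOS code).

Models the policy types above: license name (allow/disallow list),
package (id + optional version), package installs (minimum downloads)
and CWE. All field names and matching rules are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Component:
    """One package as a scan might report it (constructed shape)."""
    package_id: str
    version: str
    license: Optional[str]  # SPDX identifier, or None when missing/unknown
    downloads: int
    cwes: tuple = ()


@dataclass(frozen=True)
class Policy:
    name: str
    severity: str
    check: Callable[[Component], Optional[str]]  # returns a reason, or None


@dataclass(frozen=True)
class Violation:
    policy: str
    severity: str
    package_id: str
    reason: str


def license_name_policy(name, severity, mode, licenses, fire_when_missing=False):
    """mode='allow': anything NOT in the list violates; mode='disallow': anything IN it does.
    fire_when_missing models the optional 'policy behavior' flag for missing license data."""
    ids = frozenset(licenses)
    if mode not in ("allow", "disallow"):
        raise ValueError("mode must be 'allow' or 'disallow'")

    def check(c):
        if c.license is None:
            return "license data missing" if fire_when_missing else None
        if mode == "allow" and c.license not in ids:
            return f"license {c.license} is not on the allow list"
        if mode == "disallow" and c.license in ids:
            return f"license {c.license} is on the disallow list"
        return None
    return Policy(name, severity, check)


def package_policy(name, severity, package_id, version=None):
    """Disallow a package id; with a version, only that exact version matches (assumed rule)."""
    def check(c):
        if c.package_id == package_id and (version is None or c.version == version):
            return f"package {c.package_id}@{c.version} is disallowed"
        return None
    return Policy(name, severity, check)


def package_installs_policy(name, severity, min_downloads):
    """Flag packages below a minimum download count."""
    def check(c):
        if c.downloads < min_downloads:
            return f"only {c.downloads} downloads (minimum {min_downloads})"
        return None
    return Policy(name, severity, check)


def cwe_policy(name, severity, cwes):
    """Flag any component carrying a disallowed CWE."""
    banned = frozenset(cwes)

    def check(c):
        hits = sorted(banned.intersection(c.cwes))
        return f"disallowed CWEs: {', '.join(hits)}" if hits else None
    return Policy(name, severity, check)


def evaluate(policies, components):
    """Run every policy over every component; one Violation per (policy, component) hit."""
    violations = []
    for c in components:
        for p in policies:
            reason = p.check(c)
            if reason is not None:
                violations.append(Violation(p.name, p.severity, c.package_id, reason))
    return violations


# Constructed sample scan output; names and numbers are invented.
SAMPLE_COMPONENTS = (
    Component("acme-utils", "2.1.0", "MIT", 1_200_000),
    Component("example-parser", "0.9.1", "GPL-3.0-only", 450, ("CWE-79",)),
    Component("legacy-lib", "1.0.0", None, 30_000),
)

SAMPLE_POLICIES = (
    license_name_policy("Approved licenses", "High", "allow", ["MIT", "Apache-2.0"],
                        fire_when_missing=True),
    package_policy("Block example-parser 0.9.1", "Medium", "example-parser", "0.9.1"),
    package_installs_policy("Minimum adoption", "Low", 1000),
    cwe_policy("No XSS/SQLi CWEs", "Critical", ["CWE-79", "CWE-89"]),
)


def run_sample():
    return evaluate(SAMPLE_POLICIES, SAMPLE_COMPONENTS)


if __name__ == "__main__":
    for v in run_sample():
        print(f"[{v.severity}] {v.policy}: {v.package_id}: {v.reason}")
```

Running it shows the practical difference between the two license modes: with an allow list, a package whose license is missing is silently accepted unless the missing-data behavior is switched on, which is why that optional property matters more for allow lists than for disallow lists.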