Lab I - Advanced Policy as Code
Lab 8 - Governance/Policy as Code (Advanced)
Create a Policy to block critical CVEs
-
From the secondary menu, expand Project Setup and select Policies
-
Select the Policies tab
-
click + New Policy, set the name to Runtime OWASP CVEs and click Apply
-
Set the rego to the following and click Save
package pipeline_environment deny[sprintf("Node OSS Can't contain any critical vulnerability '%d'", [input.NODE_OSS_CRITICAL_COUNT])] { input.NODE_OSS_CRITICAL_COUNT != 0 }-
Select the Policy Sets tab
-
Click + New Policy Set and configure as follows
| Input | Value | Notes |
|---|---|---|
| Name | Criticals Not Allowed | |
| Entity Type | Custom | |
| Event Evaluation | On Step | |
| Policy Evaluation Criteria | ||
| Policy to Evaluate | Runtime OWASP CVEs |
- For the new policy set, toggle the Enforced button
Add Policy to Pipeline
-
Open your pipeline
-
Go to an execution that already ran, and copy the CRITICAL output variable from the OWASP step like so
-
Select the frontend stage
-
Before the Canary Deployment Step Group, add a Policy type step and configure as follow
| Input | Value | Notes |
|---|---|---|
| Name | Policy - No Critical CVEs | |
| Entity Type | Custom | |
| Policy Set | Criticals Now Allowed | Make sure to select the Project tab in order to see your Policy Set |
| Payload | {"NODE*OSS_CRITICAL_COUNT": *\<variable>\_} | Set the field type to Expression, then replace <variable> with OWASP output variable CRITICAL. Go to a previous execution to copy the variable path. |
- Save the pipeline and execute. Note that the pipeline fails at the policy evaluation step due to critical vulnerabilities being found by OWASP.