Performing Scans Based on Policies

Use the policy command to initiate scans based on defined policies:

fourclover policy -targetdir mytargetdir -policydir /path/to/policyfiles -out policy_scan_report.json

The -targetdir option specifies the directory to be scanned.

The -policydir option specifies the directory containing policy files.

The -out option specifies the output file for the policy scan report.

Example Policy File (badword-policy.yaml):

rules:
  - rule_id: "word-hunter"
    meta:
      type: "simple"
      name: Word Detective
      author: VC
      severity: high
      description: The code includes prohibited terminology.
      reference:
        - https://owasp.org/www-project-code-review-guide/
      classification:
        cvss-score: 6.8
        cvss-metrics: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      tags: ["security-review", "terminology", "code-review"]

    simple:
      patterns:
        a: "access_token"
        b: "api_key"
        c: "password"
      condition: (a and c) or b

Policy-based scanning enables you to automate compliance checks and security assessments. By applying predefined rules, you can quickly identify files that violate policy conditions, ensuring adherence to security best practices.

Example Policy Scan Output File (policy_scan_report.json):

{
    "title": "Policy Report",
    "date": "2023-08-13T16:51:01+05:30",
    "working_dir": "mytargetdir",
    "summary": "Findings reported in the policy report are based on the policy rules defined in the policy file.",
    "findings": [
        {
            "rule_id": "word-hunter",
            "name": "Word Detective",
            "type": "simple",
            "description": "The code includes prohibited terminology.",
            "file_hash": "45f089de61c419b25277ed52f6d755f6688bc127627604a5aeb36ab79c22cbba",
            "file_path": "ibm/package.json",
            "references": [
                "https://owasp.org/www-project-code-review-guide/"
            ],
            "classification": [
                {
                    "cvss_score": 6.8,
                    "cvss_vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                }
            ],
            "tags": [
                "security-review",
                "terminology",
                "code-review"
            ]
        }
    ]
}

The output of a policy-based scan will provide detailed information about files that meet or violate the defined policy rules. This approach enhances your organization's security posture and minimizes manual compliance efforts.
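To make the rule semantics above concrete, here is an added example (not Four Clover's own code) of a minimal evaluator for a `simple` rule: it labels each pattern, tests the file content, and evaluates the `condition` expression without `eval()`, producing findings shaped like the report entries above. It assumes case-sensitive substring matching and the sample rule and files below are constructed for illustration.

```python
import ast
import hashlib

# Constructed rule mirroring badword-policy.yaml above (hypothetical evaluator, not Four Clover's).
RULE = {
    "rule_id": "word-hunter",
    "meta": {"name": "Word Detective", "type": "simple",
             "description": "The code includes prohibited terminology."},
    "simple": {"patterns": {"a": "access_token", "b": "api_key", "c": "password"},
               "condition": "(a and c) or b"},
}

def eval_condition(expr, hits):
    """Evaluate a condition over pattern labels; only and/or/not, parentheses and labels are accepted."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            op = all if isinstance(node.op, ast.And) else any
            return op(walk(v) for v in node.values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name) and node.id in hits:
            return hits[node.id]
        raise ValueError(f"unsupported syntax or unknown label: {ast.dump(node)}")
    return walk(ast.parse(expr, mode="eval").body)

def match_rule(rule, content):
    """Case-sensitive substring matching is an assumption of this example."""
    simple = rule["simple"]
    hits = {label: pat in content for label, pat in simple["patterns"].items()}
    return eval_condition(simple["condition"], hits)

def scan_files(rule, files):
    """Return findings shaped like the policy_scan_report.json entries above."""
    findings = []
    for path, data in files.items():
        if match_rule(rule, data.decode("utf-8", errors="replace")):
            findings.append({"rule_id": rule["rule_id"], "name": rule["meta"]["name"],
                             "type": rule["meta"]["type"],
                             "description": rule["meta"]["description"],
                             "file_hash": hashlib.sha256(data).hexdigest(),
                             "file_path": path})
    return findings

# Constructed sample inputs: the first file satisfies (a and c), the second b, the third only a.
SAMPLE_FILES = {
    "app/config.py": b'access_token = "x"\npassword = "y"\n',
    "lib/client.js": b"const api_key = process.env.KEY;\n",
    "docs/notes.md": b"Rotate the access_token monthly.\n",
}
if __name__ == "__main__":
    for finding in scan_files(RULE, SAMPLE_FILES):
        print(finding["file_path"], finding["rule_id"], finding["file_hash"][:12])
```

Only the first two sample files are reported, because `docs/notes.md` matches pattern `a` alone, which the condition `(a and c) or b` does not accept.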

Last updated 1 year ago