Performing Scans Based on Policies

Use the policy command to initiate scans based on defined policies:

fourclover policy -targetdir mytargetdir -policydir /path/to/policyfiles -out policy_scan_report.json

The -targetdir option specifies the directory to be scanned.

The -policydir option specifies the directory containing policy files.

The -out option specifies the output file for the policy scan report.

Example Policy File (badword-policy.yaml):

rules:
  - rule_id: "word-hunter"
    meta:
          type: "simple"
          name: Word Detective
          author: VC
          severity: high
          description: The code includes prohibited terminology.
          reference:
            - https://owasp.org/www-project-code-review-guide/
          classification:
              cvss-score: 6.8
              cvss-metrics: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
          tags: ["security-review", "terminology", "code-review"]

    simple:
        patterns:
          a: "access_token"
          b: "api_key"
          c: "password"
        condition: (a and c) or b

Performing Scans Based on Defined Policies:

fourclover policy -targetdir mytargetdir -policydir /path/to/policyfiles -out policy_scan_report.json

Policy-based scanning enables you to automate compliance checks and security assessments. By applying predefined rules, you can quickly identify files that violate policy conditions, ensuring adherence to security best practices.

Example Policy Scan Output File (policy_scan_report.json):

{
    "title": "Policy Report",
    "date": "2023-08-13T16:51:01+05:30",
    "working_dir": "mytargetdir",
    "summary": "Findings reported in the policy report are based on the policy rules defined in the policy file.",
    "findings": [
        {
            "rule_id": "word-hunter",
            "name": "Word Detective",
            "type": "simple",
            "description": "The code includes prohibited terminology.",
            "file_hash": "45f089de61c419b25277ed52f6d755f6688bc127627604a5aeb36ab79c22cbba",
            "file_path": "ibm/package.json",
            "references": [
                "https://owasp.org/www-project-code-review-guide/"
            ],
            "classification": [
                {
                    "cvss_score": 6.8,
                    "cvss_vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                }
            ],
            "tags": [
                "security-review",
                "terminology",
                "code-review"
            ]
        }
    ]
}

The output of a policy-based scan will provide detailed information about files that meet or violate the defined policy rules. This approach enhances your organization's security posture and minimizes manual compliance efforts.

PreviousInitiating a Comparison NextSecurity Analyst

Last updated 1 year ago

Was this helpful?

rules: - rule_id: "word-hunter" meta: type: "simple" name: Word Detective author: VC severity: high description: The code includes prohibited terminology. reference: - https://owasp.org/www-project-code-review-guide/ classification: cvss-score: 6.8 cvss-metrics: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H tags: ["security-review", "terminology", "code-review"] simple: patterns: a: "access_token" b: "api_key" c: "password" condition: (a and c) or b

{ "title": "Policy Report", "date": "2023-08-13T16:51:01+05:30", "working_dir": "mytargetdir", "summary": "Findings reported in the policy report are based on the policy rules defined in the policy file.", "findings": [ { "rule_id": "word-hunter", "name": "Word Detective", "type": "simple", "description": "The code includes prohibited terminology.", "file_hash": "45f089de61c419b25277ed52f6d755f6688bc127627604a5aeb36ab79c22cbba", "file_path": "ibm/package.json", "references": [ "https://owasp.org/www-project-code-review-guide/" ], "classification": [ { "cvss_score": 6.8, "cvss_vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "tags": [ "security-review", "terminology", "code-review" ] } ] }