The -targetdir option specifies the directory to be scanned.
The -policydir option specifies the directory containing policy files.
The -out option specifies the output file for the policy scan report.
Example Policy File (badword-policy.yaml):
rules:
  - rule_id: "word-hunter"
    meta:
      type: "simple"
      name: Word Detective
      author: VC
      severity: high
      description: The code includes prohibited terminology.
      reference:
        - https://owasp.org/www-project-code-review-guide/
      classification:
        cvss-score: 6.8
        cvss-metrics: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      tags: ["security-review", "terminology", "code-review"]
    simple:
      patterns:
        a: "access_token"
        b: "api_key"
        c: "password"
      condition: (a and c) or b
Policy-based scanning enables you to automate compliance checks and security assessments. By applying predefined rules, you can quickly identify files that violate policy conditions, ensuring adherence to security best practices.
Example Policy Scan Output File (policy_scan_report.json):
{
  "title": "Policy Report",
  "date": "2023-08-13T16:51:01+05:30",
  "working_dir": "mytargetdir",
  "summary": "Findings reported in the policy report are based on the policy rules defined in the policy file.",
  "findings": [
    {
      "rule_id": "word-hunter",
      "name": "Word Detective",
      "type": "simple",
      "description": "The code includes prohibited terminology.",
      "file_hash": "45f089de61c419b25277ed52f6d755f6688bc127627604a5aeb36ab79c22cbba",
      "file_path": "ibm/package.json",
      "references": [
        "https://owasp.org/www-project-code-review-guide/"
      ],
      "classification": [
        {
          "cvss_score": 6.8,
          "cvss_vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "tags": [
        "security-review",
        "terminology",
        "code-review"
      ]
    }
  ]
}
The output of a policy-based scan will provide detailed information about files that meet or violate the defined policy rules. This approach enhances your organization's security posture and minimizes manual compliance efforts.
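To make the "simple" rule semantics above concrete, here is an added illustration (not the scanner's own code) of how the patterns/condition in badword-policy.yaml can be evaluated against a file and turned into a finding shaped like the report above. The RULE dict, eval_condition and scan_file are hypothetical names; the condition grammar (labels, "and", "or", parentheses) is parsed directly rather than handed to eval().

```python
import hashlib
import re
RULE = {  # constructed rule mirroring badword-policy.yaml; hypothetical evaluator, not the scanner's code
    "rule_id": "word-hunter", "name": "Word Detective",
    "patterns": {"a": "access_token", "b": "api_key", "c": "password"},
    "condition": "(a and c) or b",
}
def eval_condition(condition, matched):
    """Recursive-descent evaluation of and/or/parentheses over pattern labels, without eval()."""
    tokens = re.findall(r"\w+|[()]", condition)
    pos = 0
    def expr():  # 'or' has the lowest precedence
        nonlocal pos
        val = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            val = term() or val
        return val
    def term():  # 'and' binds tighter than 'or'
        nonlocal pos
        val = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            val = factor() and val
        return val
    def factor():  # a pattern label or a parenthesised sub-expression
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else ""
        pos += 1
        if tok == "(":
            val = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in condition")
            pos += 1
            return val
        if tok in matched:
            return matched[tok]
        raise ValueError(f"unexpected token {tok!r} in condition")
    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result
def scan_file(path, content, rule=RULE):
    """Return a finding like the report above when the rule's condition holds, else None."""
    matched = {label: pat in content for label, pat in rule["patterns"].items()}
    if not eval_condition(rule["condition"], matched):
        return None
    return {"rule_id": rule["rule_id"], "name": rule["name"], "file_path": path,
            "file_hash": hashlib.sha256(content.encode()).hexdigest(),
            "matched": sorted(lab for lab, hit in matched.items() if hit)}
```

A file containing only access_token does not match, because the condition requires access_token together with password, or api_key on its own.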