Policy Management Overview
Overview
Policy Management is a mechanism for identifying security risks across projects and scans.
Organizations often handle hundreds or even thousands of projects that are scanned daily, each producing its own set of scan results. Without policies, pinpointing the projects that contain a specific kind of result means security engineers manually reviewing and prioritizing findings project by project.
Policies let an organization detect projects that violate its established security rules. For example, an organization may want to know which projects contain high-severity findings from static code analysis, or which depend on particular open-source packages, such as a vulnerable version of log4j.
Policy rules can be written to identify risks across scanners, and there are also scanner-specific conditions for building rules that target a single scanner. The scanners currently supported by Policy Management are SAST, SCA, IaC Security and Container Security.
Policy Management does not stop at identification alone; it enables organizations to develop automated responses for project violations, such as blocking a software build if it violates a policy.
Once a scan completes, the policies associated with the scanned project are evaluated against the findings in the scan results.
Checkmarx One generates and maintains an incident report listing the projects that violated policies in the scan. In upcoming versions it will be possible to automate email notifications about these violations.
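The evaluation flow above (scan completes, policies are assessed against the findings, an incident report is produced, a build-breaking response fires) can be illustrated with a small policy engine. The following is an added example written for this page, not Checkmarx One code: the finding and policy data shapes, the scanner labels, the `min_severity` and `package_present` conditions, the incident report layout and the sample findings are all assumptions chosen for the illustration and do not reflect the Checkmarx One API.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SEVERITY_RANK: Dict[str, int] = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    scanner: str    # "sast", "sca", "iac" or "container" (labels assumed for this example)
    severity: str   # one of the SEVERITY_RANK keys
    name: str       # query name, package name or misconfiguration id
    location: str   # source file, manifest or image layer


# A condition inspects all findings of one scan and reports whether the risk
# it describes is present.
Condition = Callable[[List[Finding]], bool]


@dataclass(frozen=True)
class Rule:
    description: str
    condition: Condition


@dataclass(frozen=True)
class Policy:
    name: str
    rules: List[Rule]
    break_build: bool = False  # automated response when the policy is violated


def min_severity(scanner: Optional[str], level: str, count: int = 1) -> Condition:
    """Match when at least `count` findings reach `level`; scanner=None spans all scanners."""
    floor = SEVERITY_RANK[level]

    def check(findings: List[Finding]) -> bool:
        hits = [f for f in findings
                if (scanner is None or f.scanner == scanner)
                and SEVERITY_RANK[f.severity] >= floor]
        return len(hits) >= count
    return check


def package_present(name_fragment: str) -> Condition:
    """SCA-specific condition: an open-source dependency whose name contains the fragment."""
    frag = name_fragment.lower()

    def check(findings: List[Finding]) -> bool:
        return any(f.scanner == "sca" and frag in f.name.lower() for f in findings)
    return check


def evaluate(project: str, findings: List[Finding], policies: List[Policy]) -> dict:
    """Assess each policy against a scan's findings and build an incident report.

    A policy is violated when any of its rules matches. The report lists the
    violated policies and whether any of them requires the build to be blocked.
    """
    violations = []
    for policy in policies:
        matched = [r.description for r in policy.rules if r.condition(findings)]
        if matched:
            violations.append({"policy": policy.name,
                               "matched_rules": matched,
                               "break_build": policy.break_build})
    return {
        "project": project,
        "violations": violations,
        "build_blocked": any(v["break_build"] for v in violations),
    }


# Constructed sample scan results for one project (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("sast", "high", "SQL_Injection", "src/db.py:42"),
    Finding("sast", "medium", "Reflected_XSS", "src/views.py:17"),
    Finding("sca", "critical", "log4j-core", "pom.xml"),
    Finding("sca", "low", "commons-io", "pom.xml"),
    Finding("iac", "medium", "S3_Bucket_Public_Read", "infra/main.tf"),
]

# Example policies: three scanner-specific rules and one cross-scanner rule.
POLICIES = [
    Policy("No high-severity SAST findings",
           [Rule("SAST finding of high or critical severity", min_severity("sast", "high"))],
           break_build=True),
    Policy("Banned open-source packages",
           [Rule("log4j package present in dependencies", package_present("log4j"))],
           break_build=True),
    Policy("No critical IaC misconfigurations",
           [Rule("IaC finding of critical severity", min_severity("iac", "critical"))]),
    Policy("Any critical finding, all scanners",
           [Rule("critical finding from any scanner", min_severity(None, "critical"))]),
]


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate("payments-api", SAMPLE_FINDINGS, POLICIES), indent=2))
```

Run against the sample findings, three of the four policies are violated (the IaC policy is not, since the only IaC finding is medium) and `build_blocked` is true because two of the violated policies carry the build-breaking response. A CI integration would read that flag to fail the pipeline; the report itself is what an incident record or notification would be built from.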
Permissions
To perform actions in the Policy Management feature, a user must be assigned one or more of the following permissions:
- view-policy-management - View policies.
- create-policy-management - Create policies.
- update-policy-management - Update policies.
- delete-policy-management - Delete policies.
- manage-policy-management - Create, view, update and delete policies (all of the above).