Automation Rules

Automation rules can be created on a global level by admins.

Rule Details

There are three types of rules: Vulnerability, SBOM and Scan.

Vulnerability

This tab can be used when actions need to be triggered based on the characteristics of vulnerabilities.

The "Condition" selection can be used for cases where actions will be triggered regardless of the number of vulnerabilities that match the condition.

The "Count" selection can be used when there is a need to define the minimum number of vulnerabilities that should match the condition before triggering the action (only CI/CD security criteria is available for this selection). Scanner type and branch (or default branch) fields are mandatory fields to fill out.

When a rule is created by filling out the fields, the number of vulnerabilities that will be affected by that rule is shown at the bottom.

SBOM

This tab can be used when actions need to be triggered based on the characteristics of SBOM components.

When a rule is created by filling out the fields, the number of SBOM components that will be affected by that rule is shown at the bottom.

Scan

This tab can be used when actions need to be triggered when a scan has not been run on projects for longer than desired.

The same section can be used to trigger an action when a vulnerability file has not been imported to projects. Since a scanner name is a mandatory field when importing vulnerabilities to Kondukto, the scanner name used while importing the files should in this case be selected under the Scanner section.

Actions

There are four types of actions that can be triggered by a rule:

  • Issue: Creating tickets on issue managers like Jira, Service Now etc.
  • Alert: Creating alerts on Slack, Teams, Email etc.
  • CI/CD: Creating security criteria to fail builds in CI/CD pipelines
  • Suppression: Creating suppression rules for Kondukto to automatically suppress vulnerabilities

The Suppression action cannot be combined with other actions: as soon as it is enabled, the other actions are automatically disabled, and vice versa.

Each rule type can be associated with certain actions, as shown in the table below.

Type                       Issue          Alert          CI/CD   Suppression
Vulnerability - Condition  Yes            Yes            Yes     Yes
Vulnerability - Count      Not available  Not available  Yes     Not available
SBOM                       Not available  Yes            Yes     Not available
Scan                       Not available  Yes            Yes     Not available
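The following is an added example, not Kondukto's own code or API, that models the rule semantics described in the Vulnerability and Actions sections above: which actions a rule type may carry, the suppression exclusivity, the mandatory scanner type and branch for Count rules, and the difference between a Condition rule (fires on any match) and a Count rule (fires only once a minimum number of findings match). The Rule fields, action names and the vulnerability dict layout are assumptions for illustration.

```python
# Added example, not Kondukto's own code or API: a small model of the rule
# semantics described on this page. Field and type names are assumptions.
from dataclasses import dataclass

# Rule type -> actions available to it, transcribed from the table above.
AVAILABLE_ACTIONS = {
    "vulnerability-condition": {"issue", "alert", "cicd", "suppression"},
    "vulnerability-count": {"cicd"},
    "sbom": {"alert", "cicd"},
    "scan": {"alert", "cicd"},
}

@dataclass
class Rule:
    rule_type: str          # one of the AVAILABLE_ACTIONS keys
    actions: set            # actions the rule should trigger
    condition: dict         # field -> required value, e.g. {"severity": "critical"}
    min_count: int = 1      # minimum matches; only used by vulnerability-count
    scanner_type: str = ""  # mandatory for vulnerability-count
    branch: str = ""        # mandatory for vulnerability-count

def validate_rule(rule: Rule) -> list:
    """Return configuration problems (empty list means the rule is valid)."""
    allowed = AVAILABLE_ACTIONS.get(rule.rule_type)
    if allowed is None:
        return [f"unknown rule type {rule.rule_type!r}"]
    problems = [f"action {a!r} is not available for {rule.rule_type}"
                for a in sorted(rule.actions - allowed)]
    if "suppression" in rule.actions and len(rule.actions) > 1:
        problems.append("suppression cannot be combined with other actions")
    if rule.rule_type == "vulnerability-count":
        if not rule.scanner_type:
            problems.append("scanner type is mandatory for count rules")
        if not rule.branch:
            problems.append("branch is mandatory for count rules")
    return problems

def matching_vulnerabilities(rule: Rule, vulns: list) -> list:
    """Vulnerabilities (dicts) whose fields all equal the rule's condition values."""
    matched = [v for v in vulns if all(v.get(k) == x for k, x in rule.condition.items())]
    if rule.rule_type == "vulnerability-count":
        # Assumption: count rules only consider findings from the chosen scanner and branch.
        matched = [v for v in matched
                   if v.get("scanner_type") == rule.scanner_type and v.get("branch") == rule.branch]
    return matched

def rule_triggers(rule: Rule, vulns: list) -> bool:
    """Condition rules fire on any match; Count rules need at least min_count matches."""
    n = len(matching_vulnerabilities(rule, vulns))
    return n >= rule.min_count if rule.rule_type == "vulnerability-count" else n > 0
```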

Apply To Section

Rules can either be applied to all projects (the default), or be associated with certain projects using labels or teams.

By selecting the "None" option, it is also possible to create a rule on a global level without associating it with any projects but making it available for different teams to import to their projects under project settings.

Rules entered on the project level work alongside global rules; neither overrides the other.

Issue Assignment Rules

Issue assignment rules can be created to make Kondukto automatically create tickets on issue managers for vulnerabilities that match the entered rule.

If there is a default issue criterion entered on a global level, and a different one entered on a project level, Kondukto checks for both before deciding if any vulnerabilities need to be assigned an issue on the issue manager.

Vulnerability based rules trigger an issue assignment action at the "Notifying" stage of a scan/import. This means that existing vulnerabilities on Kondukto will not be assigned an issue until the next time they are discovered by a scanner or imported manually.

It is possible to edit global issue rules imported to projects under project settings. However, those edits will only impact the specific project, and the global rule will remain unchanged.

Alert Rules

Alerts can be created on internal communication tools for certain cases defined on Kondukto.

Vulnerability based rules trigger an alert at the "Notifying" stage of a scan/import. Rules that contain "WOE" or "Overdue" fields keep triggering every 30 minutes.

SBOM based rules trigger an alert at the next SBOM component creation cycle.

Scan based rules trigger an alert every day.

CI/CD Security Criteria

CI/CD Security Criteria can be used to fail builds in CI/CD pipelines and projects failing their CI/CD Security Criteria can easily be tracked on global and product-level dashboards.

Scan based rules trigger CI/CD security criteria checks every 24 hours.

Vulnerability based rules trigger CI/CD security criteria checks every 10 minutes.

SBOM based rules trigger CI/CD security criteria checks on every SBOM component scan.

Suppression Rules

Suppression rules automatically suppress vulnerabilities matching the entered condition.

The rule becomes effective immediately and impacts existing vulnerabilities.

The rule keeps running in the "Analyzing" stage of each scan going forward, suppressing vulnerabilities discovered in future scans.