Issue Criteria


It is possible to create issue criteria both at a global or project level.

Issue criteria apply to both AppSec and Infra vulnerabilities. However, specific criteria like OWASP Top-10 or CWE are more AppSec oriented and will not apply to most Infra vulnerabilities that lack this information.


Only one issue criteria entered at a global level can be set as default so that it is applied to all projects automatically. Default global issue criterion does not override the project level criteria but works alongside them.

So, suppose there is a default issue criterion entered at a global level, and a different one entered at a project level. In that case, Kondukto checks for both before deciding if any vulnerabilities need to be assigned an issue on the issue manager.

You can import other global issue criteria not set as default under the Issue Assignment section in Project Settings.

You can associate labels with global issue criteria. Suppose the same label related to a global issue criterion is added to a project. In that case, the global issue criterion associated with that label is automatically assigned to the project.

You can edit global issue criteria imported to projects under project settings. However, it will only apply changes made to the specific project, and global criteria will remain unchanged.


When Infra Group Name is added to the project, Issue Criteria runs when scanning is triggered on the added Infra Group Name.