CI/CD Security Criteria

Security criteria act as a gate in the CI/CD pipeline: a project that does not meet its criteria is prevented from advancing. Kondukto's open-source CLI, available here, is used to query whether a project meets or fails its security criteria. Security criteria can be set at the global level and at the project level.

The global preset that is set as the default is applied automatically to all projects. Other global presets can be imported into a project by clicking the "Import Global Preset" button.

👍

If a global default preset exists, criteria entered at the project level are evaluated alongside it. If either of them fails, the project fails its security criteria.

Global presets imported into a project can be edited under that project. However, the changes apply only to the project-level criteria.

Criteria are set separately for each scanner type (SAST, DAST, SCA, etc.) at the branch level, and multiple criteria can be specified for each scanner type. Failing any single criterion for any scanner type is enough for the project to fail its security criteria.

In the projects list, a red or green circle next to the project name shows whether the project meets its security criteria. A grey circle means the security criteria feature has not been enabled for that project.

On the dashboard, tracking the number of projects failing their security criteria is also possible.

📘

Security criteria entered in project settings take effect immediately. Security criteria entered at the global level take effect either within 10 minutes or after one of the following events:

  • When a vulnerability is updated (by manually changing severity or by marking it as a false positive, won't fix or mitigated)
  • When a new scan is run, or a new file is imported

There are four options when setting security criteria:

  1. Set a numeric threshold for critical, high, and medium vulnerabilities. In the screenshot below, the project fails its security criteria if a SAST scanner discovers two or more critical-severity vulnerabilities in the default branch.

  2. Enter a condition under which the security criteria are not met if even a single vulnerability matches it. Conditions can be built by combining several clauses with "and", such as "When Owasp Top-10 Category is A1 Injection" and "When Severity is Medium or High."

Multiple selections within a single condition are combined as an "OR". In the example below, Kondukto searches for any vulnerability that falls into the OWASP A1-Injection category, has High or Medium severity, and is overdue.

  3. Enter a required scan or file import, which checks whether a scan was run or a file was imported within the selected number of days.

🚧

When this type of criterion is activated for the first time, Kondukto updates the security criteria status within 10 minutes, and then checks every 10 minutes whether any project fails it.
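The combination rules above (a global preset and a project preset evaluated together, criteria per scanner type and branch, "AND" across clauses and "OR" within a clause, and a required-scan age check) are easier to reason about as code. The following is an added example model written for this page; it is not Kondukto's own code or its CLI. The `Finding` fields, the `fail_at` threshold semantics (two or more findings fail a threshold of 2), the assumption that findings marked false positive, won't fix or mitigated do not count, and all sample data are constructed for the example.

```python
"""Added example model of security-criteria evaluation (not Kondukto's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumption: findings in these states no longer count toward any criterion.
CLOSED_STATUSES = {"false_positive", "wont_fix", "mitigated"}


@dataclass
class Finding:
    """One vulnerability as a scanner reported it (constructed shape)."""
    scanner_type: str            # "SAST", "DAST", "SCA", ...
    branch: str
    severity: str                # "Critical", "High", "Medium", "Low"
    owasp_category: Optional[str] = None
    overdue: bool = False
    status: str = "open"


@dataclass
class Threshold:
    """Option 1: fail when `fail_at` or more open findings of `severity` exist."""
    scanner_type: str
    branch: str
    severity: str
    fail_at: int

    def check(self, findings: List[Finding], last_scans, now) -> List[str]:
        n = sum(1 for f in findings
                if f.scanner_type == self.scanner_type
                and f.branch == self.branch and f.severity == self.severity)
        if n >= self.fail_at:
            return [f"{self.scanner_type}/{self.branch}: {n} {self.severity} "
                    f"finding(s), limit is {self.fail_at - 1}"]
        return []


@dataclass
class Condition:
    """Option 2: clauses are AND-ed; values inside one clause are OR-ed.
    A single finding satisfying every clause fails the criterion."""
    scanner_type: str
    branch: str
    clauses: Dict[str, Set]      # Finding attribute -> accepted values

    def check(self, findings: List[Finding], last_scans, now) -> List[str]:
        for f in findings:
            if f.scanner_type != self.scanner_type or f.branch != self.branch:
                continue
            if all(getattr(f, attr) in values for attr, values in self.clauses.items()):
                return [f"{self.scanner_type}/{self.branch}: a finding matches {self.clauses}"]
        return []


@dataclass
class RequiredScan:
    """Option 3: a scan or file import must be at most `max_age_days` old."""
    scanner_type: str
    branch: str
    max_age_days: int

    def check(self, findings, last_scans: Dict[Tuple[str, str], datetime], now) -> List[str]:
        last = last_scans.get((self.scanner_type, self.branch))
        if last is None or now - last > timedelta(days=self.max_age_days):
            return [f"{self.scanner_type}/{self.branch}: no scan or import in the "
                    f"last {self.max_age_days} days"]
        return []


def evaluate(presets, findings, last_scans, now) -> List[str]:
    """Collect failure reasons from every preset (global and project alike).
    Closed findings are dropped first; any single failing criterion fails the project."""
    active = [f for f in findings if f.status not in CLOSED_STATUSES]
    reasons: List[str] = []
    for preset in presets:
        for criterion in preset:
            reasons.extend(criterion.check(active, last_scans, now))
    return reasons


def project_passes(presets, findings, last_scans, now) -> bool:
    return not evaluate(presets, findings, last_scans, now)


# Constructed sample data: a global default preset plus a project-level preset.
NOW = datetime(2024, 1, 15)
GLOBAL_PRESET = [Threshold("SAST", "main", "Critical", fail_at=2)]
PROJECT_PRESET = [
    Condition("SAST", "main", {"owasp_category": {"A1-Injection"},
                               "severity": {"High", "Medium"},
                               "overdue": {True}}),
    RequiredScan("SCA", "main", max_age_days=7),
]
SAMPLE_FINDINGS = [
    Finding("SAST", "main", "Critical"),
    Finding("SAST", "main", "Critical", status="false_positive"),   # excluded
    Finding("SAST", "main", "High", owasp_category="A1-Injection", overdue=True),
    Finding("DAST", "main", "Critical"),   # other scanner type: outside the SAST threshold
]
SAMPLE_SCANS = {("SAST", "main"): NOW - timedelta(days=1),
                ("SCA", "main"): NOW - timedelta(days=10)}


def demo() -> List[str]:
    """Global threshold passes (only one open Critical SAST finding);
    the project condition and the stale SCA scan each fail."""
    return evaluate([GLOBAL_PRESET, PROJECT_PRESET], SAMPLE_FINDINGS, SAMPLE_SCANS, NOW)


if __name__ == "__main__":
    for reason in demo():
        print("FAIL:", reason)
```

Running the sample shows why a project can fail while the global preset alone passes: the one open Critical SAST finding stays under the threshold of two (the false-positive one is excluded), but the overdue High A1-Injection finding matches every clause of the project condition, and the SCA scan is older than the required seven days. Either failure on its own is enough.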