The security criteria prevent projects from advancing in the CI/CD pipeline when they do not meet these criteria. Kondukto's open-source CLI is available here, which is used to query if projects meet or fail their security criteria. Security criteria can be set at a global and project level.
The preset created at a global level and set as default is automatically applied in all projects. Other global presets can be used to quickly import presets to projects by clicking the "Import Global Preset" button. If there is a global default preset, other criteria entered at the project level work alongside that global preset. If one of them fails, the project fails the security criteria. Global presets imported to projects can be edited under projects. However, the changes will be applied only to the project-level criteria.
Criteria can be set separately for different scanner types on a branch level. It is possible to specify multiple criteria for each scanner type. Even if one of the criteria is not met for a specific scanner type, it suffices for the project to fail its security criteria. The impact of security criteria on the UI is that in the projects list, there is a red or green circle next to project names indicating whether security criteria have been met or not. A grey circle, on the other hand, suggests the security criteria feature has not been enabled for that project.
On the dashboard, it is also possible to track the number of projects failing their security criteria. Once security criteria are entered within project settings, they will take effect immediately. Once security criteria are entered within global settings, they will take effect either within 10 minutes or after one of the following events;
When a vulnerability is updated (by manually changing severity or by marking it as a false positive or won't fix)
When a new scan is run, or a new file is imported
There are four options when setting security criteria;
- Set a numeric threshold for critical, high, and medium vulnerabilities. In the screenshot below, the project will not meet security criteria if a SAST scanner discovers two or more critical severity vulnerabilities in the master branch.
- To decide based on the risk score to ensure the risk score of a particular scan does not increase in the future. When this option is selected, Kondukto compares the risk score of the latest scan against the scan with the same scanner and branch with the lowest risk score.
When the trend option is selected, Kondukto waits for the first scan to produce green light on the project. Only after the second scan does getting a red light becomes a possibility.
For example, let's assume a SAST scan run with Find Security Bugs on the master branch had a risk score of 124. In the future, the security criteria will fail when another scan with Find Security Bugs on the same branch has a risk score above 124.
- To enter a condition where security criteria are not met even if there is only one vulnerability that matches the condition entered. Conditions can be entered by combining different conditions using "and" statements such as "When Owasp Top-10 Category is A1 Injection" and "When Severity is Medium or High."
Multiple selections within each condition function as an "OR" statement. In the example below, Kondukto will search for any vulnerabilities that fall into the OWASP A1-Injection category and have a High or Medium severity and has I (Information Disclosure) type of risks in the STRIDE category.
- To enter a required scan or file import which checks whether a scan run or file was imported in the last selected number of days.
When activated for the first time, Kondukto will update the security criteria status in 10 minutes and check if any projects fail this type of security criteria every 10 minutes.
Updated 6 months ago