Security Criteria

It is possible to create security criteria at a global or project level.

Only one global security criterion can be set as the default, so that it is applied to all projects automatically.

The default global security criterion does not override project-level criteria; it works alongside them.

For example, if a default security criterion is defined at the global level and a different one at the project level, Kondukto checks both before deciding whether the project meets or fails its security criteria.

Other global security criteria not set as default can be imported under the Security Criteria section in each project's settings.

Once security criteria are entered in the global settings, they take effect either within 10 minutes or after one of the following events:

When a vulnerability is updated (by manually changing severity or by marking it as a false positive or won't fix)
When a new scan is run or a new file is imported

Labels can be associated with global security criteria. If a label associated with a global security criterion is added to a project, that global security criterion is automatically assigned to the project.

Global security criteria imported into projects can be edited under project settings. However, the changes apply only to that specific project, and the global criteria remain unchanged.