Creating Security Policies

You can create policies in Container Security to manage configuration, vulnerability management, compliance, access, and auditing in containerized environments, which automates the process of securing images and containers. A policy combines rules that assess specific artifacts, such as images and containers, with the actions to take when a rule matches.

Currently, only image assessment policies for CICD are available. You can define rules that scan container images for known vulnerabilities before deployment and specify the actions to take when the count of vulnerabilities of a given severity exceeds a threshold, such as blocking the CICD build or triggering an alert.

  1. Go to Policies > Image Assessment, and click New Policy.
  2. On the Create New Policy page, enter the name and description for the policy.
  3. From the Type list, select the sensor type for the policy. Currently, only the CICD option is available.
  4. Under Policy Mode, specify whether the policy is active and enforced.

  5. In the Rules section, create policy rules.

    Currently, only one image assessment rule is available. It lets you specify the action to take when the count of vulnerabilities of a given severity exceeds a threshold.

    • The rule name must be unique and more than one character long.
    • You can create a maximum of 100 rules.
    • The rule name must not start with a numeral and must not consist only of numerals.
    • The rule name must not contain any special character other than "_".
  6. In the Policy Assignment section, select the set of tags that the policy applies to. Use the same tags when configuring your events or utilities. During scanning, the policy whose tags all match is evaluated. If no policy matches the tag combination, the default policy is applied.

    For a CICD pipeline, pass the same tags as parameters when configuring the pipeline with the QScanner utility.

    If a tag assigned to the policy is deleted from the platform, the policy mode is changed to Inactive.

  7. To set this policy as the default, turn on the toggle.

    The (Default) suffix is added to the name of the default policy.

    To set the current policy as the default policy, you first need to unset the existing default policy. If there is a default policy already available, its name is displayed in the user interface.

  8. Click Save.

    If the given combination of tags already exists in another policy, an error message is displayed and the policy is not saved.
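To make the behaviour described in steps 5 to 8 concrete, the following Python model is added here as an illustration; it is not part of this documentation and not Qualys code. It encodes the rule-name constraints, the save-time rejection of a duplicate tag combination and of a second default policy, the switch to Inactive when a tag is deleted, policy selection that requires all of a policy's tags to be present on the scan with fallback to the default policy, and a per-severity count threshold that resolves to a block or alert outcome for the build. The class and function names, the severity labels, the "most tags wins" tie-break between several matching policies, and the sample policies are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

MAX_RULES = 100  # page: a policy may hold at most 100 rules


def validate_rule_name(name: str, existing: set[str]) -> list[str]:
    """Return the page's rule-name constraints that `name` violates (empty list = acceptable)."""
    checks = [
        (len(name) <= 1, "must be more than one character"),
        (name[:1].isdigit(), "must not start with a numeral"),
        (name.isdigit(), "must not contain only numerals"),
        (re.fullmatch(r"[A-Za-z0-9_]*", name) is None, 'must not contain special characters other than "_"'),
        (name in existing, "must be unique"),
    ]
    return [msg for failed, msg in checks if failed]


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str   # severity bucket this rule counts (assumed labels: critical/high/medium/low)
    max_count: int  # the rule fires when the scan's count for that severity exceeds this value
    action: str     # "block" (fail the CICD build) or "alert"


@dataclass
class Policy:
    name: str
    tags: frozenset[str]
    rules: list[Rule] = field(default_factory=list)
    active: bool = True       # "Policy Mode" on the page
    is_default: bool = False  # the page appends "(Default)" to this policy's displayed name


class PolicyStore:
    def __init__(self) -> None:
        self.policies: list[Policy] = []

    def add(self, policy: Policy) -> None:
        """Apply the save-time checks the page lists, then store the policy."""
        if len(policy.rules) > MAX_RULES:
            raise ValueError(f"{policy.name}: more than {MAX_RULES} rules")
        seen: set[str] = set()
        for rule in policy.rules:
            problems = validate_rule_name(rule.name, seen)
            if problems:
                raise ValueError(f"rule {rule.name!r}: " + "; ".join(problems))
            seen.add(rule.name)
        for other in self.policies:  # a tag combination may belong to only one policy
            if other.tags == policy.tags:
                raise ValueError(f"tag combination {sorted(policy.tags)} already used by {other.name!r}")
        if policy.is_default and any(p.is_default for p in self.policies):
            raise ValueError("unset the existing default policy first")
        self.policies.append(policy)

    def delete_tag(self, tag: str) -> None:
        """Deleting a tag from the platform switches every policy that uses it to Inactive."""
        for policy in self.policies:
            if tag in policy.tags:
                policy.active = False

    def select(self, scan_tags: set[str]) -> Policy | None:
        """Pick the policy whose tags are all present on the scan; otherwise the default policy.
        Assumption: when several policies match, the one with the most tags wins."""
        matches = [p for p in self.policies if p.tags and p.tags <= scan_tags]
        if matches:
            return max(matches, key=lambda p: len(p.tags))
        return next((p for p in self.policies if p.is_default), None)


def evaluate(policy: Policy, counts: dict[str, int]) -> list[tuple[str, str]]:
    """Return (rule name, action) for each rule whose threshold is exceeded; an Inactive policy fires nothing."""
    if not policy.active:
        return []
    return [(r.name, r.action) for r in policy.rules if counts.get(r.severity, 0) > r.max_count]


def gate_build(store: PolicyStore, scan_tags: set[str], counts: dict[str, int]) -> str:
    """Collapse the fired rules into one pipeline outcome: 'block', 'alert' or 'pass'."""
    policy = store.select(scan_tags)
    if policy is None:
        return "pass"  # nothing matched and no default policy is configured
    fired = evaluate(policy, counts)
    if any(action == "block" for _, action in fired):
        return "block"
    return "alert" if fired else "pass"


def build_sample_store() -> PolicyStore:
    """Constructed sample data: one tag-scoped policy and one default policy."""
    store = PolicyStore()
    store.add(Policy("payments-prod", frozenset({"team:payments", "env:prod"}),
                     [Rule("block_critical", "critical", 0, "block"), Rule("alert_high", "high", 5, "alert")]))
    store.add(Policy("baseline", frozenset({"env:any"}),
                     [Rule("alert_critical", "critical", 0, "alert")], is_default=True))
    return store
```

Calling `gate_build(build_sample_store(), {"team:payments", "env:prod", "ci:jenkins"}, {"critical": 1})` returns `"block"` because every tag of `payments-prod` is present on the scan and its critical-count threshold is exceeded, while a scan tagged only `team:web` falls through to the default `baseline` policy. One consequence of the Inactive rule is visible in the model: after `delete_tag("env:prod")` the same scan still selects `payments-prod`, but the policy evaluates no rules and the build passes, so a pipeline owner would want to notice a policy flipping to Inactive rather than rely on it silently.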
