Create policies
Last updated
Snyk AppRisk includes a powerful policy editor for creating and modifying policies.
There are two steps to building policies:
Define filters - Set filter conditions on asset properties.
Set actions - Define actions to be taken on filtered assets.
You can create a new policy using the Start from scratch option or choose one of the available policy templates using the Use a template option.
To create a new policy from scratch, click New Policy in the Policies/Assets view and select Start from scratch.
Name the policy and, optionally, give it a description. Then define its filters and set its actions.
To create a new policy from a template, click New Policy in the Policies/Assets view and select Use a template. In the template library, click Use template on the card of the template you want.
Each policy template has a name, a description, and displays the graphic connections between filters and actions.
You can customize the template's filters and actions or use it as is. When you have finished, click Save to create the new policy.
Release status
The risk factors on assets take the release status of the risk factor that is applied.
The Runtime discovered and Runtime last seen filters take the release status of the runtime integration they rely on.
Each filter component requires you to specify an asset property. Navigate to the Filters capabilities page to view all available properties for asset policies.
Each property offers its own set of conditions and values:
Property | Conditions | Values
Application* | is one of, is not one of | All applications for which you have configured the application context in Snyk AppRisk
Asset ID | is, is not, contains, does not contain, starts with, ends with | [string]
Asset name | is, is not, contains, does not contain, starts with, ends with | [string]
Asset type | is one of, is not one of | Package, Repository, Scanned artifact
Attribute | is, is not, contains, does not contain, starts with, ends with | [string]
Catalog name* | is one of, is not one of | The names of your application context
Category | is one of, is not one of | The available categories of a repository asset
Class | is one of, is not one of | A, B, C, D
Coverage | containing one or more of, containing all of, not containing one or more of, not containing all of | Snyk Code, Container, IaC, Open Source
Coverage gap | containing one or more of, containing all of, not containing one or more of, not containing all of | Snyk Code, Container, IaC, Open Source
Developers | is, is not, contains, does not contain, starts with, ends with | [string]
Discovered | is within, is not within | Last 24 hours, Last 7 days, Last 30 days, Last 12 months, Year to date
Issue severity | containing one or more of, containing all of, not containing one or more of, not containing all of | Critical, High, Medium, Low
Issue source | containing one or more of, containing all of, not containing one or more of, not containing all of | Snyk Code, Container, IaC, Open Source, Nightfall
Last seen | is within, is not within | Last 24 hours, Last 7 days, Last 30 days, Last 12 months, Year to date
Lifecycle* | is one of, is not one of | The lifecycle states of the application context component
Locked attributes | is one of, is not one of | Class
Owner* | is one of, is not one of | The teams owning the repository for which the application context was configured
Risk factors | containing one or more of, containing all of, not containing one or more of, not containing all of | The available risk factors
Runtime discovered | is within, is not within | Last 24 hours, Last 7 days, Last 30 days, Last 12 months, Year to date
Runtime last seen | is within, is not within | Last 24 hours, Last 7 days, Last 30 days, Last 12 months, Year to date
SCM Repository freshness | is one of, is not one of | Active, Inactive, Dormant
Source | is one of, is not one of | azure-devops, GitHub, GitLab, Snyk
Tags | containing one or more of, containing all of, not containing one or more of, not containing all of | All tags you previously created
Title* | is one of, is not one of | The names of all components for which the application context was configured
* Filters marked with an asterisk are visible only to users who have configured the application context for their SCM integrations.
You can specify more than one filter component with an And or Or operator.
After defining filter components, you need to define the actions that the policy has to perform on the filtered assets. Asset policies support the following actions:
Send Email - Receive an email whenever the matched assets change. You can choose daily emails or schedule the checks, and you can include a link to the relevant assets. Each notification lists all impacted assets; view them individually or open the aggregated view by clicking Click Here. The asset list in the email is generated automatically.
Send Slack Message - Receive a Slack notification whenever the matched assets change. Add your Slack webhook URL, then choose daily messages or schedule the checks, and optionally include a link to the relevant assets. Each notification lists all impacted assets; view them individually or open the aggregated view by clicking Click Here. The asset list in the Slack notification is generated automatically. Treat the webhook URL as a secret: anyone who holds it can post to that channel.
Set Asset Class - Sets the class on the matched assets. Removing the policy or turning it off does not revert those assets to the default class; unlike tags, a class set by a policy persists until something else changes it.
Set Asset Tag - Sets a tag on the matched assets. Removing the policy or turning it off removes the tags this policy set from the relevant assets.
Set Coverage Control Policy - Sets a control on the filtered assets that checks whether the selected security products are scanning them, optionally within a given timeframe. Assets that fail the control are marked accordingly on the inventory pages. The control uses OR logic across products: an asset passes if any one of the selected products has scanned it, so select a single product when you need to require that specific scanner.
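The following is an added illustration written for this page, not Snyk's code or API: a small model of how the filter conditions listed above combine under And/Or, and of the OR logic the coverage control applies across products. The asset model, the property-to-attribute mapping, the fixed reference time, the sample inventory and the policy name are all constructed for the example. One assumption is that each negative set condition ("not containing one or more of", "not containing all of") is the plain negation of its positive form.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical model of AppRisk asset-policy semantics (not Snyk's code).
# A fixed "now" keeps the example deterministic and runnable offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WINDOWS = {"Last 24 hours": timedelta(hours=24), "Last 7 days": timedelta(days=7),
           "Last 30 days": timedelta(days=30), "Last 12 months": timedelta(days=365)}
# Page property name -> attribute of the Asset model below (assumed mapping).
PROPERTY_ATTR = {"Asset name": "name", "Asset type": "asset_type", "Class": "asset_class",
                 "Tags": "tags", "Last seen": "last_seen", "Coverage": "coverage"}


def in_window(ts: Optional[datetime], window: str, now: datetime = NOW) -> bool:
    """'Is within' semantics for the Discovered / Last seen / Runtime filters."""
    if ts is None:
        return False  # never seen: cannot fall inside any window
    if window == "Year to date":
        return datetime(now.year, 1, 1, tzinfo=timezone.utc) <= ts <= now
    return now - WINDOWS[window] <= ts <= now


# Condition name (as shown in the editor) -> predicate over (property value, operand).
# Assumption: negative set conditions are plain negations of the positive ones.
CONDITIONS = {
    "is": lambda v, o: v == o,
    "is not": lambda v, o: v != o,
    "contains": lambda v, o: o in v,
    "does not contain": lambda v, o: o not in v,
    "starts with": lambda v, o: v.startswith(o),
    "ends with": lambda v, o: v.endswith(o),
    "is one of": lambda v, o: v in o,
    "is not one of": lambda v, o: v not in o,
    "containing one or more of": lambda v, o: bool(set(v) & set(o)),
    "containing all of": lambda v, o: set(o) <= set(v),
    "not containing one or more of": lambda v, o: not (set(v) & set(o)),
    "not containing all of": lambda v, o: not (set(o) <= set(v)),
    "is within": lambda v, o: in_window(v, o),
    "is not within": lambda v, o: not in_window(v, o),
}


def condition(value, op: str, operand) -> bool:
    """Evaluate one filter component's condition against a property value."""
    return CONDITIONS[op.lower()](value, operand)


@dataclass
class Asset:
    name: str
    asset_type: str
    asset_class: str = "D"
    tags: set = field(default_factory=set)
    last_seen: Optional[datetime] = None
    coverage: dict = field(default_factory=dict)  # product -> most recent scan time
    failed_controls: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    filters: list           # (property, condition, operand) components
    operator: str = "And"   # "And" or "Or" between the components
    actions: list = field(default_factory=list)

    def matches(self, asset: Asset) -> bool:
        results = [condition(getattr(asset, PROPERTY_ATTR[prop]), op, operand)
                   for prop, op, operand in self.filters]
        return all(results) if self.operator == "And" else any(results)


def apply_policy(policy: Policy, assets: list) -> list:
    """Run the policy's actions on every matching asset; return the matched assets."""
    matched = [a for a in assets if policy.matches(a)]
    for asset in matched:
        for action, arg in policy.actions:
            if action == "Set Asset Tag":
                asset.tags.add(arg)
            elif action == "Set Asset Class":
                asset.asset_class = arg
            elif action == "Set Coverage Control Policy":
                products, window = arg
                # OR logic across products: the control passes if ANY selected
                # product has scanned the asset (inside the window, when one is set).
                covered = any(p in asset.coverage and
                              (window is None or in_window(asset.coverage[p], window))
                              for p in products)
                if not covered:
                    asset.failed_controls.append(policy.name)
    return matched


def demo() -> dict:
    """Constructed sample inventory and policy; returns each asset's outcome."""
    d = timedelta
    assets = [
        Asset("payments-api", "Repository", last_seen=NOW - d(days=2),
              coverage={"Snyk Code": NOW - d(days=40), "Open Source": NOW - d(days=3)}),
        Asset("legacy-batch", "Repository", last_seen=NOW - d(days=90),
              coverage={"Snyk Code": NOW - d(days=200)}),
        Asset("base-image", "Scanned artifact", last_seen=NOW - d(days=1),
              coverage={"Container": NOW - d(hours=6)}),
    ]
    policy = Policy(
        name="repos-seen-this-year-must-be-scanned",
        filters=[("Asset type", "Is one of", ["Repository"]),
                 ("Last seen", "Is within", "Last 12 months")],
        operator="And",
        actions=[("Set Asset Class", "A"), ("Set Asset Tag", "policy-managed"),
                 ("Set Coverage Control Policy", (["Snyk Code", "Open Source"], "Last 30 days"))],
    )
    apply_policy(policy, assets)
    return {a.name: (a.asset_class, sorted(a.tags), a.failed_controls) for a in assets}
```

In the sample, payments-api passes the coverage control because Open Source scanned it 3 days ago, even though its last Snyk Code scan is outside the 30-day window; legacy-batch fails because neither selected product scanned it within the window; base-image is not a repository, so the policy never touches it. The point to take from the OR behaviour is that a control listing several products only guarantees that at least one of them is scanning the asset.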
The editor supports multiple flows for the same policy. The flows can be independent or intersect.