Overview

Build Assurance Policies apply to the code repositories which meet the defined scope. They include controls that are evaluated on the results of code repository scans. After Build Assurance Policies are applied to the code repositories, Aqua determines whether a repository is compliant with the applicable Build Assurance Policies. 


This article explains the components in the Build Assurance Policies, and how to use the Aqua UI to create and manage them.


Build Assurance Policy components

A Build Assurance Policy consists of:

  • Scope: defines set(s) of code repositories to which the policy will be applied, by selecting resource type, property, and value
  • Controls: individual tests that are evaluated on the results of a scan as part of Build Assurance Policy
  • Enforcement Mode: select Audit or Enforce. In Audit mode, Aqua only records the policy evaluation results; in Enforce mode, Aqua also blocks the code build when the repository does not comply with the policy. In both modes, Aqua logs an audit event for the evaluation.



Scope

Scope restricts the code repositories to which a Build Assurance Policy applies. Configuring a scope is optional, and a scope belongs to that policy only. Its purpose is to further limit the set of code repositories the policy applies to: a scope term might have no effect, but it can never broaden the set of repositories.


For example, a Build Assurance Policy might restrict compliance evaluation to the repositories or branches whose names match the values given.


A common syntax is used for the definition of scope. The scope definition includes the following components:

  • One or more terms. Each term consists of a resource type, a property, and its value (in a few cases, two values must be specified).
  • The available resource types and properties in each resource type are explained in the Specific Scope Definition below.
  • Values cannot contain embedded spaces. If you do not know the exact value name, you can enter a few letters in the value so that all the values that match the combination of letters are added to the scope.
  • You can add multiple scope terms with operator AND only between them.

Example:


repository.name.insecure-app-demo AND scan.branch.develop


To define scope criteria while configuring a Build Assurance Policy:

  1. In the "Scope" section, define a scope term by selecting the resource type and property from the drop-down lists and entering the related value(s) in the text boxes. Refer to the Specific Scope Definition below for all the available resource types and properties.
  2. Click Add to add multiple scope terms.


When you add each scope term, it will be added to the complete scope definition in the text box. Multiple scope terms are added with operator AND between them. 



Specific scope definition

The scope of a Build Assurance Policy can include the following properties against each resource type:

  • Resource: ID, Name
  • Scan: Branch
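The following is an added example, not Aqua's own code, of how a scope expression like the one above can be parsed and evaluated against scan metadata to check which repositories a policy would select. It assumes the term form resource.property.value with AND as the only operator (both stated above), a case-insensitive substring match for values (mirroring the UI picker that selects every name containing the letters you type), and a flat metadata dict per scan; the scan data is constructed for the demonstration.

```python
"""Evaluate Build Assurance Policy scope expressions against repository scans.

Added example; not Aqua's own code. Assumptions not stated on the page:
  - a term has the form <resource>.<property>.<value> (the first two dots
    are separators, so the value itself may contain dots);
  - terms are joined only by AND;
  - a value matches when it is a case-insensitive substring of the actual
    value, mirroring the UI picker that selects every name containing the
    letters you type;
  - scan metadata is a flat dict keyed "<resource>.<property>".
"""
import re
from dataclasses import dataclass

# Resource types and properties the page lists for a policy scope.
ALLOWED_PROPERTIES = {
    "repository": {"id", "name"},
    "scan": {"branch"},
}


@dataclass(frozen=True)
class ScopeTerm:
    resource: str
    prop: str
    value: str


def parse_scope(expr: str) -> list:
    """Parse 'repository.name.demo AND scan.branch.main' into terms.

    An empty expression means no restriction: the policy applies to every
    repository. Malformed terms raise ValueError rather than silently
    matching nothing (or everything).
    """
    expr = expr.strip()
    if not expr:
        return []
    terms = []
    for raw in re.split(r"\s+AND\s+", expr):
        if " " in raw:
            raise ValueError(f"values cannot contain spaces: {raw!r}")
        parts = raw.split(".", 2)
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"term must be resource.property.value: {raw!r}")
        resource, prop, value = parts
        if prop not in ALLOWED_PROPERTIES.get(resource, set()):
            raise ValueError(f"unknown scope property: {resource}.{prop}")
        terms.append(ScopeTerm(resource, prop, value))
    return terms


def term_matches(term: ScopeTerm, metadata: dict) -> bool:
    """Substring match (assumed); a missing property never matches."""
    actual = metadata.get(f"{term.resource}.{term.prop}")
    return actual is not None and term.value.lower() in str(actual).lower()


def in_scope(expr: str, metadata: dict) -> bool:
    """All terms must hold (AND); no terms means always in scope."""
    return all(term_matches(t, metadata) for t in parse_scope(expr))


def select_in_scope(expr: str, scans: list) -> list:
    """Filter scans down to those the scope selects; adding terms can only shrink this."""
    return [s for s in scans if in_scope(expr, s)]


# Constructed scan metadata for the demonstration (not real data).
SCANS = [
    {"repository.id": "r-101", "repository.name": "insecure-app-demo", "scan.branch": "develop"},
    {"repository.id": "r-101", "repository.name": "insecure-app-demo", "scan.branch": "main"},
    {"repository.id": "r-202", "repository.name": "payments-api", "scan.branch": "develop"},
]

if __name__ == "__main__":
    for expr in ("", "scan.branch.dev",
                 "repository.name.insecure-app-demo AND scan.branch.develop"):
        names = [f"{s['repository.name']}@{s['scan.branch']}" for s in select_in_scope(expr, SCANS)]
        print(f"{expr or '<no scope>':60} -> {names}")
```

Running the block shows that an empty scope selects all three scans, the partial value scan.branch.dev selects the two develop-branch scans, and adding a second AND term narrows the selection further; a term that references a property outside the list above is rejected at parse time instead of silently matching nothing.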


Controls

You can include the following controls in Build Assurance Policies:


  • Misconfigurations: add specific predefined checks after selecting a provider and service. Fails the policy (and, in Enforce mode, blocks the code build) if any of the selected checks does not pass.
  • Misconfigurations by Check ID: fails the policy (and, in Enforce mode, blocks the code build) if any of the selected checks does not pass. Enter the check IDs manually, as listed in Aqua Vulnerability Database > Misconfiguration tab.
  • Misconfigurations by Service: fails the policy if any check for the selected provider and service (e.g. S3 in AWS) does not pass.
  • Misconfigurations by Severity: fails the policy if the severity of any detected misconfiguration is greater than or equal to the value selected in this control.
  • Sensitive Data by Severity: fails the policy if the severity of any detected instance of sensitive data is greater than or equal to the value selected in this control.
  • Vulnerabilities by Severity: fails the policy if the severity of any detected vulnerability is greater than or equal to the value selected in this control.
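The following is an added example, not Aqua's own code, showing how the controls above combine with the enforcement mode to produce a compliance decision for one scan. The control names, the "greater than or equal to" severity comparison, and the Audit/Enforce behaviour follow this article; the finding layout, the severity ordering, the Policy and Finding class names, and the placeholder check IDs are assumptions made for the example, and the findings are constructed.

```python
"""Evaluate Build Assurance Policy controls against one scan's findings.

Added example; not Aqua's own code. The six control names, the
"greater than or equal to" severity comparison, and the Audit/Enforce
behaviour follow the page. Everything else is assumed for the example:
the finding layout, the severity ordering, the placeholder check IDs,
and the Policy/Finding class names.
"""
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def at_or_above(found: str, threshold: str) -> bool:
    """True when a finding's severity is >= the control's selected value.
    Unknown severity strings are rejected so a typo cannot silently pass."""
    try:
        return SEVERITY_RANK[found.lower()] >= SEVERITY_RANK[threshold.lower()]
    except KeyError as e:
        raise ValueError(f"unknown severity: {e.args[0]!r}") from None


@dataclass
class Finding:
    kind: str                 # "misconfiguration", "sensitive_data" or "vulnerability"
    severity: str
    check_id: str = ""        # misconfiguration checks only
    provider: str = ""        # e.g. "aws"
    service: str = ""         # e.g. "s3"
    status: str = "FAIL"      # misconfiguration checks report PASS or FAIL


@dataclass
class Policy:
    name: str
    enforcement_mode: str = "Audit"   # "Audit" or "Enforce"
    # Misconfigurations / Misconfigurations by Check ID: both reduce to a set
    # of check IDs, whether picked per provider+service or typed in.
    misconfig_check_ids: set = field(default_factory=set)
    # Misconfigurations by Service: (provider, service) pairs.
    misconfig_services: set = field(default_factory=set)
    misconfig_severity: Optional[str] = None
    sensitive_data_severity: Optional[str] = None
    vulnerability_severity: Optional[str] = None


def evaluate(policy: Policy, findings: list) -> list:
    """Return one reason per failed control check; an empty list means compliant."""
    failures = []
    for f in findings:
        if f.kind == "misconfiguration":
            if f.status != "FAIL":
                continue                      # only checks that did not pass count
            if f.check_id in policy.misconfig_check_ids:
                failures.append(f"selected check {f.check_id} did not pass")
            if (f.provider, f.service) in policy.misconfig_services:
                failures.append(f"{f.provider}/{f.service} check {f.check_id} did not pass")
            if policy.misconfig_severity and at_or_above(f.severity, policy.misconfig_severity):
                failures.append(f"misconfiguration {f.check_id} is {f.severity}")
        elif f.kind == "sensitive_data":
            if policy.sensitive_data_severity and at_or_above(f.severity, policy.sensitive_data_severity):
                failures.append(f"sensitive data finding is {f.severity}")
        elif f.kind == "vulnerability":
            if policy.vulnerability_severity and at_or_above(f.severity, policy.vulnerability_severity):
                failures.append(f"vulnerability {f.check_id or '?'} is {f.severity}")
        else:
            raise ValueError(f"unknown finding kind: {f.kind!r}")
    return failures


def decide(policy: Policy, findings: list):
    """Apply the enforcement mode. Both modes produce an audit event;
    only Enforce blocks the build when the repository is non-compliant."""
    failures = evaluate(policy, findings)
    event = {"policy": policy.name, "mode": policy.enforcement_mode,
             "compliant": not failures, "failures": failures}
    block_build = bool(failures) and policy.enforcement_mode == "Enforce"
    return block_build, event


# Constructed findings for one scan (placeholder IDs, not real checks).
FINDINGS = [
    Finding("misconfiguration", "high", check_id="CHECK-1", provider="aws", service="s3"),
    Finding("misconfiguration", "low", check_id="CHECK-2", provider="aws", service="s3", status="PASS"),
    Finding("sensitive_data", "medium"),
    Finding("vulnerability", "critical", check_id="VULN-1"),
]

if __name__ == "__main__":
    for p in (Policy("enforce-s3", "Enforce", misconfig_services={("aws", "s3")}),
              Policy("audit-crit", "Audit", vulnerability_severity="critical")):
        print(decide(p, FINDINGS))
```

Note that a passing check never contributes to a failure even when its service is selected, and that a policy in Audit mode still records a non-compliant event; only the block_build flag changes between the two modes.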



Operations on Build Assurance Policies

Refer to Operations on Build Assurance Policies for more information on different operations such as how to create, modify, delete Policies, and so on.