Action policy templates
Learn about the predefined action policy templates and how to customize them.
Endor Labs provides the following action policy templates that you can use to quickly create action policies. Each policy template provides parameters to help you customize the conditions under which a policy action takes place.
Note: All action policy templates automatically only match new findings for PR scans. I.e. if the finding already exists in the baseline, then it is not considered to be a match. This of course assumes that there is a baseline to compare against (see the
--pr-baselineand/or--enable-pr-commentsoptions).
Custom Finding Attributes
Allows you to define a custom action policy based on the attributes of the finding. The following parameters are supported:
| Parameter | Description |
|---|---|
| Finding Name Contains | Specify full or partial, case insensitive, finding name to match for this policy. |
| Finding Category | Violate this policy only for a specific category of finding. |
| Finding Type | Violate this policy only for a specific type of finding. See Finding types. |
| Severity | Violate this policy only for specific finding severities. |
| Fix Availability | Only violate this policy if a patch is available in the upstream dependency. |
| Dependency Reachability | Only violate this policy on findings where a vulnerable dependency is reachable. |
| Function Reachability | Only violate this policy on findings where the vulnerable function of a vulnerable dependency is reachable. |
| Exclude Test | Exclude test dependencies from this policy. |
| Source Code Ecosystem | Define a specific ecosystem for which an action policy should apply. |
| Finding Meta Tag | Only match findings that have this meta tag (set by the policy that created the finding). Note that these are different and separate from the system-defined finding tags. |
| Exclude if Dependency Name Contains | Allows you to define full or partial, case-insensitive, dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy. |
| Exclude if Package Name Contains | Allows you to define full or partial, case-insensitive, package names for which an action policy should exclude. This is the resource that the finding is raised against. For example, the package indirectly or directly includes an unmaintained dependency. |
| Exclude findings for transitive dependencies | Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not take action when they do not have control of findings introduced by libraries your team developed. |
| Include CI/CD dependency findings | Select Yes to include findings related to CI/CD dependencies. Note that CI/CD dependency findings are different from CI/CD tool findings. CI/CD dependency findings are for vulnerabilities in CI/CD dependency versions, while CI/CD tool findings are for the usage of a given tool. Findings related to CI/CD tools are included by default. |
Finding types
Findings are classified into the following types when the packages scanned include:
| Finding Type | Description |
|---|---|
| Custom | Custom findings defined in custom policies. |
| Dependency With Low Activity Score | Low Endor activity score. |
| Dependency With Low Popularity Score | Low Endor popularity score. |
| Dependency With Low Quality Score | Low Endor quality score. |
| Dependency With Multiple Low Scores | More than one Low Endor Score. |
| Dependency With Very Low Activity Scores | Very low Endor activity score. |
| Dependency With Very Low Popularity Score | Very low Endor popularity score. |
| Dependency With Very Low Quality Score | Very low Endor quality score. |
| License Risk | Missing, unknown, restricted, or problematic licenses. |
| Malware Dependency | Known malicious dependencies reported by Open Source Vulnerabilities (OSV). |
| Malware OSS Review | Potentially suspicious code that needs review. |
| Missing Source Code | Associated source code is not auditable. |
| Outdated Dependency | Outdated code with older versions of the released dependencies. |
| Typosquatted Dependency | Dependencies with intentionally similar names to popular packages. |
| Unmaintained Dependency | Unmaintained dependencies introducing vulnerabilities. |
| Unpinned Dependency | Variable version specifications of dependencies. |
| Unused Dependency | Unused dependencies in the code. |
Detected Secrets
Allows you to define the action taken when a leaked secret is detected based on the validation status of the secret.
| Parameter | Description |
|---|---|
| Validation Status | Secret validation status: Valid, Invalid, or Unable to Validate. |
Outdated Releases
Matches findings based on older versions of software or dependencies and are not actively updated. The following parameters are supported:
| Parameter | Description |
|---|---|
| Dependency Reachability | Only violate this policy on findings where a vulnerable dependency is reachable. |
| Relationship | Allows you to exclude a direct or transitive dependency. |
| Exclude if Dependency Name Contains | Allows you to define full or partial, case-insensitive, dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy. |
| Exclude if Package Name Contains | Allows you to define full or partial, case-insensitive, package names for which an action policy should exclude. This is the resource that the finding is raised against. |
| Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not take action when they do not have control of findings introduced by libraries your team developed. |
| Exclude Test | Exclude test dependencies from this policy. |
| Source Code Ecosystem | Define a specific ecosystem for which an action policy should apply. |
Unmaintained dependencies
Matches findings based on dependencies that are no longer maintained or may have reached end-of-life. The following parameters are supported:
| Parameter | Description |
|---|---|
| Dependency Reachability | Only violate this policy on findings where a vulnerable dependency is reachable. |
| Relationship | Allows you to exclude a direct or transitive dependency. |
| Exclude if Dependency Name Contains | Allows you to define full or partial, case-insensitive, dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy. |
| Exclude if Package Name Contains | Allows you to define full or partial, case-insensitive, package names for which an action policy should exclude. This is the resource that the finding is raised against. |
| Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not take action when they do not have control of findings introduced by libraries your team developed. |
| Exclude Test | Exclude test dependencies from this policy. |
| Source Code Ecosystem | Define a specific ecosystem for which an action policy should apply. |
Unpinned direct dependencies
Matches findings based on direct dependencies that do not have a version or a range of versions specified. Supported configuration parameters for this action policy template are:
| Parameter | Description |
|---|---|
| Exclude if Dependency Name Contains | Allows you to define full or partial, case-insensitive, dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy. |
| Exclude if Package Name Contains | Allows you to define full or partial, case-insensitive, package names for which an action policy should exclude. This is the resource that the finding is raised against. |
| Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not take action when they do not have control of findings introduced by libraries your team developed. |
| Exclude Test | Exclude test dependencies from this policy. |
| Source Code Ecosystem | Define a specific ecosystem for which an action policy should apply. |
Unreachable direct dependencies
Matches findings based on dependencies that are not directly used or called within a project. Supported configuration parameters for this action policy template are:
| Parameter | Description |
|---|---|
| Exclude if Dependency Name Contains | Allows you to define full or partial, case-insensitive, dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy. |
| Exclude if Package Name Contains | Allows you to define full or partial, case-insensitive, package names for which an action policy should exclude. This is the resource that the finding is raised against. |
| Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not take action when they do not have control of findings introduced by libraries your team developed. |
| Exclude Test | Exclude test dependencies from this policy. |
| Source Code Ecosystem | Define a specific ecosystem for which an action policy should apply. |
Vulnerabilities
Matches findings that are vulnerabilities that meet specific parameters. The following parameters are supported:
| Parameter | Description |
|---|---|
| Dependency Reachability | Only violate this policy on findings where a vulnerable dependency is reachable. |
| Relationship | Allows you to exclude a direct or transitive dependency. |
| Exclude if Dependency Name Contains | Allows you to define full or partial, case-insensitive, dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy. |
| Exclude if Package Name Contains | Allows you to define full or partial, case-insensitive, package names for which an action policy should exclude. This is the resource that the finding is raised against. |
| Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not take action when they do not have control of findings introduced by libraries your team developed. |
| Exclude Test | Exclude test dependencies from this policy. |
| Source Code Ecosystem | Define a specific ecosystem for which an action policy should apply. |
| Severity | Violate this policy only for specific finding severities. |
| Fix Availability | Only violate this policy if a patch is available in the upstream dependency. |
| Function Reachability | Only violate this policy on findings where the vulnerable function of a vulnerable dependency is reachable. |
| EPSS Probability Threshold | Only match findings with an EPSS probability score equal to or higher than this threshold (0.00-1.00). The EPSS probability score represents the probability [0-1] of exploitation in the wild in the next 30 days following score publication. |
| EPSS Percentile Threshold | Only match findings with an EPSS percentile threshold equal to or higher than this threshold (0.00-100.00). The EPSS percentile threshold represents the percentile ranking among all vulnerabilities that a vulnerability will be exploited. |
| Include CI/CD dependency findings | Select Yes to include findings related to CI/CD dependencies. Note that CI/CD dependency findings are different from CI/CD tool findings. CI/CD dependency findings are for vulnerabilities in CI/CD dependency versions, while CI/CD tool findings are for the usage of a given tool. Findings related to CI/CD tools are included by default. |
Feedback
Was this page helpful? Send your feedback to support@endor.ai