This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Finding policies

Learn about finding policies and how to use them.

1: CI/CD tool policies

2: License policies

3: Open-source policies

4: SCPM policies

5: Secret policies

All findings are enabled, disabled and/or customized via policies. There are three types of Finding Policies:

Open-source software management - Enable or disable findings for Vulnerabilities and Malicious Packages, Outdated Dependencies, Unmaintained Dependencies, Unpinned Direct Dependencies, Unused Direct Dependencies, License Risks
Source code management system configuration - Enable, disable, or customize out-of-the-box policies source code posture management (SCPM)
Custom - Create custom policies from scratch or from pre-defined policy templates

Manage finding policies

To view, enable, disable, edit, or delete your Endor Labs policies:

Sign in to Endor Labs and select Policies from the left sidebar.
Use the search bar to search for a policy.
Enable or disable a policy using the toggle.
Select Hide Disabled to hide policies that are not enabled.
Use Finding Level to filter policies by Critical, High, Medium, or Low.
To delete a policy, click the vertical three dots and select Delete Policy.
To edit a policy, click on the vertical three dots and select Edit Policy.

Custom finding policies

Create custom finding policies to identify additional issues based on the needs of your organization. For example, you can create license violation policies to define the behavior for missing, unknown, problematic, or incompatible licenses. You can permit or restrict packages with certain license types.

Endor Labs provides finding policy templates for various use cases:

Create a finding policy from template

Create a finding policy from a pre-defined Endor Labs template.

Sign in to Endor Labs, and select Policies from the left sidebar.
Click Create Finding Policy.
Choose From Template to create a finding policy from template.
Choose a Policy Template from the list. The template details are pre-filled with recommended values on the form.
Severity, Summary, Explanation, Remediation, Finding Name, and Finding Categories are pre-populated with Endor Labs’ recommended values. You can modify them to suit your requirements.

Note
To ensure your modifications persist after upgrades, you must disable Enable Automatic Policy Updates from Endor Labs under Settings > Policy Settings. See also Configure system settings.
In Finding Meta Tags, enter tags that you want to associate with the findings of this policy. Meta tags can have a maximum of 63 characters and can contain letters, numbers, and characters = @ _ -. Note that these are different and separate from the system defined finding tags.
You can Assign Scope to the finding policy by specifying what projects the policy has to scan.
- In Inclusions, enter the tags of the projects that you want to scan.
- In Exclusions, enter the tags of the projects that you do not want to scan. Exclusions take precedence over the inclusions, in case of a conflict.
- Click the link to view the projects included in the finding policy scan.
  Note
  - You can set custom tags for your projects from Projects > Settings > Custom Tags. See also Tagging projects.
  - If your policy has both include and exclude tags, and a project matches both, the exclude tag takes precedence, and the policy will not apply to that project.
Name Your Finding Policy.
- Enter a human readable Name for your finding policy.
- Enter a Description for your finding policy that describes what it does.
- Enter any Policy Tags that you want to associate with your policy. Tags can have a maximum of 63 characters and can contain letters, numbers, and characters = @ _ -.
Advanced: When you define a policy you do so for the current namespace and all child namespaces. If you do not want the policy to be applied to any child namespaces, click Advanced and deselect Propagate this policy to all child namespaces.
Click Create Finding Policy. The policy will be enabled by default.

Create a finding policy from scratch

Write a finding policy from scratch using the OPA Rego policy language.

Sign in to Endor Labs, and select Policies from the left sidebar.
Click Create Finding Policy.
Choose From Scratch to author a finding policy from scratch.

Enter the Rego rule for the policy in Rego Definition. For instance, the following Rego rule identifies dependencies with an Endor Labs overall score lower than 7.

package examples

match_package_version_score[result] {
  some i, j
  data.resources.Metric[i].meta.name == "package_version_scorecard"
  data.resources.Metric[i].meta.parent_kind == "PackageVersion"
  data.resources.Metric[i].meta.parent_uuid == data.resources.PackageVersion[_].uuid
  score := data.resources.Metric[i].spec.metric_values["scorecard"].score_card.overall_score
  score < 7

  result = {
    "Endor": {
      "PackageVersion": data.resources.Metric[i].meta.parent_uuid
    },
    "Score": sprintf("%v", [score])
  }
}

Enter the OPA Query Statement to validate the rule in the following format: data.<package-name>.<function-name>. For the example above the query statement is data.examples.match_package_version_score.
Select the Resource Kinds required to evaluate the policy. For the example above the required resource kinds are PackageVersion and Metric.
In Group by Fields, if applicable, list which custom output fields to group the findings by in addition to the resource uuid. Use this optional field if you want to be able to raise multiple findings against the same finding target. For example, a repository version may have multiple exposed secrets and thus there are multiple findings of the same type for the same repository version. Note that you do not need to add all (or any) custom fields here, just the ones you want to be used to group the matches by.
Choose a Severity for the generated finding.
Enter a short Summary of the finding.
Enter an Explanation for the finding. You can include additional information or explain why this finding is important.
Describe how to mitigate the finding in Remediation.
Enter the Finding Name.
Select one or more categories for the finding in Finding Categories.
See steps 6-10 above under Create a finding policy from template

Note: Before creating the policy, the application verifies the Rego syntax and query statement. If validation fails and it’s not due to Rego syntax, the probable issue is that the query statement doesn’t match the Rego code. See also validate policy.

Available resource kinds

Every policy must specify the resource kinds it needs in order to execute the Rego logic. The following resource kinds are available. Requested resource kind records for the current scan are made available to the Rego code under data.resources.<ResourceKind>.

Resource Kind	API Documentation Link
Project	ProjectService
Repository	RepositoryService
RepositoryVersion	RepositoryVersionService
PackageVersion	PackageVersionService
Metric	MetricService
DependencyMetadata	DependencyMetadataService
LinterResult	LinterResultService

Finding targets

Findings are raised against finding targets. Findings targets have one of three resource kinds:

Repository (e.g. default branch protections)
RepositoryVersion (e.g. CI/CD coverage, secrets)
PackageVersion (e.g. vulnerabilities, scores, licenses)

Individual finding target records are identified by their universally unique identifier (uuid). The finding target record is the parent of the finding record.

Note: The finding target resource kind is PackageVersion for findings in the root package as well as for findings in its dependencies. A dependency PackageVersion record may or not be in the same namespace as the root package. The relationships between the root package and its dependencies is captured by the corresponding DependencyMetadata records. All DependencyMetadata records are children of the root PackageVersion record in the same namespace as the root PackageVersion.

Expected output format

All finding policies must generate the finding payload as JSON data, listing the finding target resource kind and UUID under “Endor” in the following format.

foo[result] {
  <match conditions>

  result = {
    "Endor": {
      <resource-kind>: <resource-uuid>
    },
    <custom-key>: <custom-value>
  }
}

Custom output fields

Custom key-value pairs are optional. The value is treated as a single string and must be formatted accordingly. If a custom key is specified in the Group by Fields list then the value is appended to the finding name (the key is not included). Example: SSL disabled for Webhook ID #444611302, where SSL disabled for Webhook is the value of the Finding Name field and ID #444611302 is the value of a custom key. Otherwise, both the key and the value are listed at the end of the finding summary on a new line for each pair. Example: Score: 4.10.

Validate policy

See the endorctl validate policy command for details on how to validate a custom policy and inspect the matches returned for a given project.

1 - CI/CD tool policies

Learn about the predefined finding policy templates for CI/CD tools used in your software development environment.

Policy templates for CI/CD tool detection

Endor Labs provides the following finding policy templates for detecting CI/CD tool usage. See Finding Policies for details on on how to create policies from policy templates.

Policy Template	Description	Severity
Unauthorized Tool Usage	Raise a finding if a repository uses a tool that is specifically not approved by the company policy.	Medium
Require Tool Category	Raise a finding if a repository does not have any tools in a required tool category.	Medium
Require Tool	Raise a finding if a required tool is not detected in a repository.	Medium

2 - License policies

Learn about the predefined finding policy templates for open source license risk management.

Policy templates for open source license detection

Endor Labs provides the following policy templates for detecting open source license usage. See Finding Policies for details on on how to create policies from policy templates.

Policy Template	Description	Severity
Permit only specified software licenses	Use this template to define an allowed list of software licenses permitted within your organization or a subset of projects. Endor Labs will raise findings when dependencies in packages or projects have licenses that are not on the allowed list.	Medium
Restricted software licenses	Use this template to define a blocked list of software licenses that should be restricted from use or only used within specific contexts within your organization. Endor Labs will raise findings when dependencies in packages or projects have licenses that are on the blocked list.	Medium
Restricted software license types	Use this template to create an organizational policy to restrict certain license types or limit a license type to specific contexts within an organization. This is useful to identify license risks and violations in 3rd party open source packages. The license type classification in this policy follows the industry best practice rules defined by Google license types.	Medium

3 - Open-source policies

Learn about the out-of-the-box finding policies for open source risk management.

Open source risk policies generally fall into one of several categories:

Vulnerabilities - Known vulnerabilities associated with a software component.
Operational Risk - Issues that may make it more expensive to address any application impacting bug, including a security vulnerability.
License Risk - Issues that may cause legal or compliance risk associated with your software.

Policies for open source risk management

Endor Labs comes with the following out-of-the-box finding policies to detect open source risks. See Finding Policies for details on on how to enable or disable out-of-the-box policies.

Policy	Description	Severity
Vulnerabilities	Vulnerabilities indicate security weaknesses or flaws in the dependencies used by a software project. They can pose risks to the overall security and stability of a project. Raises findings for projects where vulnerabilities are detected.	Critical
Flag Phantom Dependencies	Raise findings when dependencies are used in source code but not declared in the package’s manifest files. These dependencies are called phantom dependencies and are detected during the deep scan. They are not detected while performing the `--quick-scan`.	Medium
Outdated Dependencies	Outdated dependencies are software libraries, frameworks, or modules that are being used in a project but have newer versions available. They are usually superseded by newer releases that offer bug fixes, security patches, improved functionality, or better performance. Raises findings for projects with outdated software libraries, frameworks, or modules.	Medium
Unmaintained Dependencies	Unmaintained dependencies refer to external libraries, frameworks, or modules that are no longer actively maintained or supported by their developers. These dependencies may have reached end-of-life, without updates, bug fixes, security patches, or any form of support. Raises findings for projects with unmaintained packages.	Medium
Unpinned Direct Dependencies	Unpinned direct dependencies indicate the absence of a specific version or range of versions for a dependency. This can lead to potential issues because different versions of dependencies may introduce changes, bug fixes, or even breaking changes, which can impact the project’s behavior or stability. Raises findings for projects with unpinned dependencies.	Medium
Unused Direct Dependencies	Unused direct dependencies are listed in a project’s configuration or dependency file and are not utilized or referenced in the project’s source code. Raise findings for projects with unused direct dependencies.	Medium
Low Endor Activity Scores	Projects with low Endor Labs activity scores are less likely to be kept up to date. They are susceptible to software bugs and security risks. Raise findings for packages with low Endor Labs activity scores.	Low
Missing Source Code	If you cannot audit the source code associated with a software component, there is limited visibility that can result in operational and security risks. Raises findings for packages with missing source code.	Low
Low Endor Quality Scores	Projects with low Endor Labs quality scores are highly likely to be susceptible to security and operational risks. Raise findings for packages with low Endor Labs quality scores.	Low
Potential Typosquats	Typosquats is a malicious practice where a domain name closely resembles popular or legitimate domain names but contains typographical errors. This can deceive or exploit users who make mistakes while typing the intended website’s URL or package name. Raises findings for packages that contain potential typosquats.	Low
Low Endor Popularity Scores	A popularity score indicates how well the software component is being used by developers. Raise findings for repositories that have low popularity scores.	Low

4 - SCPM policies

Learn about the out-of-the-box finding policies for source code posture management (SCPM).

Strong information security practices are necessary to secure your open source code used in your development and delivery infrastructure.

Policies for source code posture management

Endor Labs comes with the following out-of-the-box policies that help you determine the effectiveness of your security practices. See Finding Policies for details on on how to enable, disable, or edit out-of-the-box policies.

Policy	Description	Severity
At least two administrators should be configured for a repository	Having fewer than two administrators for a repository may cause problems when the administrator is unavailable. A minimum of two administrators must be configured to meet this requirement.	Medium
Authorization to push or merge to protected branches should be limited	Limiting the authorization to push or merge code to protected branches is a best practice in software development workflows. By restricting access to protected branches, you maintain control over code changes and ensure that only authorized individuals can make modifications. Raises findings for repositories that do not enforce rules around merging code to protected branches.	Medium
Branch protection rules should be enforced on administrators	Enforcing branch protection rules on administrators is a best practice in software development workflows. By applying branch protection rules to administrators, you ensure that even privileged individuals follow the established processes and adhere to the same standards as other team members. Raises findings for repositories that do not enforce branch protection rules.	Medium
Branches should be up-to-date before merging	Ensuring that branches are up-to-date before merging is a best practice in software development. It avoids conflicts, helps in the early detection of issues, and maintains code coherence. Raise findings for repositories that do not enforce rules on branches to be up-to-date before merging.	Medium
Code owner review is required when a change affects owned code	Code owner review is a practice in software development where specific individuals or teams are designated as code owners for certain parts of the codebase. When a change is proposed that affects code owned by a particular individual or team, a code owner review is required before the change can be merged into the main codebase.	Low
Code owner should be configured for sensitive code	Code owner review is a best practice in software development workflows where specific individuals or teams are designated as code owners for certain parts of the codebase. When a change is proposed that affects code owned by a particular individual or team, a code owner review is required before the change can be merged into the main codebase. Raises findings for repositories that do not enforce code owner reviews.	Low
Comments should be resolved before merging	Resolving comments ensures that all feedback, questions, and issues raised during the code review process have been addressed satisfactorily before the code is considered ready for integration. Raises findings for repositories that do not resolve comments before merging.	Low
Commits should be signed for new changes	Requiring commits to be signed for new changes is a best practice in software development workflows. Commit signing involves using digital signatures to verify the authenticity and integrity of the commit. Raises findings for repositories that do not enforce signed commits.	Medium
Contributors should not approve their own changes	Robust code reviews are essential and contributors should not approve their own changes in a collaborative software development environment. Raises findings for repositories that do not enforce code reviews.	High
Dismissing Code Change Reviews should be restricted	Restricting the ability to dismiss code change reviews is a best practice in software development workflows. Dismissing code change reviews should be limited to specific cases and authorized individuals to ensure accountability, maintain code quality, and promote a collaborative and transparent review process. Raises findings for repositories that do not enforce rules around dismissing code reviews.	Medium
Ensure branch protection is enforced for the default branch	Branch protection rules allow you to set controls over your software development processes. The default branch for this repository has no branch protection rules and should be protected.	High
Force pushing code to protected branches should be restricted	Restricting the ability to force push code to protected branches is a best practice in software development workflows. Restricting this action helps maintain code integrity, accountability, and collaboration. Raises findings for repositories that do not enforce rules around pushing code to protected branches.	Medium
Linear commit history should be required	Linear comment history indicates a chronological sequence of commits made to a code repository. It provides a clear and chronological view of the code changes made to a repository, aiding in code navigation, collaboration, and bug tracking. Raises findings for repositories that do not have linear commit history.	Low
Missing Source Code	If you cannot audit the source code associated with a software component, there is limited visibility that can result in operational and security risks. Raises findings for packages with missing source code.	Low
Multi-Factor Authentication (MFA) should be required for external contributors	Multi-Factor Authentication adds an additional layer of security to access accounts or systems and prevents unauthorized access to code repositories. Raises findings for repositories that do not enforce MFA for external contributors.	High
Multi-Factor Authentication (MFA) should be required for organization members	Multi-Factor Authentication adds an additional layer of security to access accounts or systems and prevents unauthorized access to code repositories. Raises findings for repositories that do not enforce MFA for members in their organization.	High
Organization webhooks should use HTTPS	A webhook URL is used to send notifications, along with a payload, to designated internet endpoints. Given that the payload contains sensitive information, all webhooks must be directed toward endpoints secured by HTTPS.	Medium
Organization webhooks should use SSL verification	When Organization webhook SSL verification is disabled, GitHub is explicitly instructed not to verify the identity of of the remote server it is sending information to. This configuration bypasses standard security controls in the HTTP protocol, which are designed to prevent attackers from executing man in the middle attacks.	Low
Organizations should be verified	The Organization Verified badge on GitHub is a visual indicator that signifies an organization’s authenticity and official status. It helps users identify legitimate and trusted organizations on the GitHub platform. Raise findings for organizations that are not verified.	Low
Organizations should should have fewer than three owners	Organization administrators have the highest level of permissions, including the ability to add/remove collaborators, create or delete repositories, change branch protection policy, and convert to a publicly-accessible repository. Due to the permissive access granted to an organization administrator, it is highly recommended to have at most three administrator accounts.	Medium
Protected Branch Deletion should be blocked	Protecting branch deletion, especially for critical branches, is a best practice in software development workflows. Raises findings for repositories that do not enforce rules around protected branch deletion.	Medium
Repository webhooks should use HTTPS	A webhook URL is used to send notifications, along with a payload, to designated internet endpoints. Given that the payload contains sensitive information, all webhooks must be directed toward endpoints secured by HTTPS.	Medium
Repository webhooks should use SSL verification	When repository webhook SSL verification is disabled, GitHub is explicitly instructed not to verify the identity of of the remote server it is sending information to. This configuration bypasses standard security controls in the HTTP protocol, which are designed to prevent attackers from executing man in the middle attacks.	Low
Require a SECURITY.md file	A SECURITY.md outlines security practices, reporting procedures, and guidelines for handling security-related issues within a project. It is included in the root directory of software repositories. Raise finings for repositories that do not include a SECURITY.md file.	Low
Stale approvals should be dismissed	To prevent malicious code from being introduced into a codebase, it is important to have a robust approval process for code changes. When changes are made to a proposal, outdated approvals must be declined, and previously accepted code changes must be re-evaluated. The approval process should involve multiple reviewers, and organizations should also consider implementing automated code analysis and security testing.	Medium
Status checks should pass before merging new code	Ensuring that status checks pass before merging new code is a best practice in software development workflows. Status checks serve as automated checks or validations that assess the quality, integrity, and readiness of the code changes before they are merged into the main codebase. Raises findings for repositories that do not enforce status checks before merging new code.	Medium
Two informed reviews should be required for code changes	Requiring two informed reviews for code changes is a best practice in software development. It helps ensure that code changes are thoroughly examined, promotes collaboration, and increases the overall quality of the codebase. Raises findings for repositories that do not enforce two reviews for code changes.	Medium
Workflows should not be allowed to create and approve pull requests	Allowing workflows to create and approve pull requests within an organization can enable users to evade code-review protocols. Attackers could exploit this by establishing workflows that autonomously approve their pull requests and merge them discreetly. Consequently, they can introduce potentially harmful code into the production system.	High

5 - Secret policies

Learn about the out-of-the-box finding policies and templates for secret detection.

Policies for secret detection

Endor Labs comes with the following out-of-the-box finding policies to detect leaked secrets. See Finding Policies for details on on how to enable, disable, or edit out-of-the-box policies.

Note: The out-of-the-box secret policies can be deleted and re-created from the corresponding policy templates. See Policy templates for secret detection below.

Policy	Description	Severity
Valid Secrets	Scan the code for active secrets. When a secret is valid, it means that the secret meets the necessary criteria or requirements to be considered acceptable or legitimate within a given context. For example GitHub personal access tokens of an employee that are not yet expired and can be used to access an organization’s codebase.	Critical
Invalid Secrets	Scan the code for any secrets that are no longer valid.	Low
Secrets without validation rules	Detect secrets that cannot be validated either because there is no validator or the validation failed for any reason.	Medium

Policy templates for secret detection

Endor Labs provides the following finding policy templates for detecting secrets. See Finding Policies for details on on how to create policies from policy templates.

Policy Template	Description	Severity
Valid Secrets	Use this template to scan the code for active secrets. When a secret is valid, it means that the secret meets the necessary criteria or requirements to be considered acceptable or legitimate within a given context. For example GitHub personal access tokens of an employee that are not yet expired and can be used to access an organization’s codebase.	Critical
Invalid Secrets	Use this template to scan the code for any secrets that are no longer valid.	Low
Secrets without validation rules	Use this template to detect secrets that cannot be validated either because there is no validator or the validation failed for any reason.	Medium
Define custom secret token policy rules	Use this template to detect secrets in the code using a custom secret rule to detect secret of any service that may not be included in the other rules.	Critical