Skip to main content
Endor Labs provides the following action policy templates that you can use to quickly create action policies. Each policy template provides parameters to help you customize the conditions under which a policy action takes place.
All action policy templates automatically only match new findings for PR scans, assuming that there is a baseline that the scan results can be compared to. If the finding already exists in the baseline, then it is not considered to be a match. See PR baseline and PR comments to learn more.
The following template categories are available:

Container

Use these templates to define actions for findings related to container images, including vulnerabilities in base images, installed packages, and container configurations.

Containers

Matches container findings for vulnerabilities that meet specific parameters. The following table describes the parameters.

Custom (Advanced)

Allows you to define a custom action policy based on the attributes of the finding. The following table describes the parameters.

Finding categories

Findings are classified into one or more of the following categories:

Finding types

Findings are classified into the following types when the packages scanned include:

GitHub Actions

Use this template to match findings from GitHub Actions workflows, such as risky action usage or supply chain issues in your CI configuration. Ensure the relevant GitHub Action finding policies are enabled so Endor Labs raises these findings. The following table describes the parameters.

Malware

Allows you to define the action policy to apply when a malware finding is detected, depending on its status, relationship to root packages, and ecosystem. The following table describes the parameters.

SAST

Allows you to define the action taken when a SAST finding is raised.

SCA

Use these templates to define actions for Software Composition Analysis (SCA) findings, including vulnerabilities, outdated dependencies, unmaintained packages, license risks, and other issues in your open-source dependencies.

Containers

Matches container findings for vulnerabilities that meet specific parameters. The following table describes the parameters.

Custom (Advanced)

Allows you to define a custom action policy based on the attributes of the finding. The following table describes the parameters.

Malware

Allows you to define the action policy to apply when a malware finding is detected, depending on its status, relationship to root packages, and ecosystem. The following table describes the parameters.

Outdated Releases

Matches findings based on older versions of software or dependencies and are not actively updated. The following parameters are supported:

Recently Released Dependencies (cooldown)

Matches findings for recently released dependencies. Supported configuration parameters for this action policy template are:

Unmaintained Dependencies

Matches findings based on dependencies that are no longer maintained or may have reached end-of-life. The following parameters are supported:

Unpinned Direct Dependencies

Matches findings based on direct dependencies that do not have a version or a range of versions specified. Supported configuration parameters for this action policy template are:

Unreachable Direct Dependencies

Matches findings based on dependencies that are not directly used or called within a project. Supported configuration parameters for this action policy template are:

Vulnerabilities

Matches findings that are vulnerabilities that meet specific parameters. The following table describes the parameters.

Secrets

Allows you to define the action taken when a leaked secret is detected based on the validation status of the secret.

Security Review

Use these templates to define actions for security review findings that require manual assessment or additional analysis before taking action. Match security review findings. The following parameters are supported:

Vulnerabilities

Use these templates to define actions for vulnerability findings, including CVEs, security advisories, and known exploits in your dependencies based on severity, exploitability, and fix availability.

Containers

Matches container findings for vulnerabilities that meet specific parameters. The following table describes the parameters.

Custom (Advanced)

Allows you to define a custom action policy based on the attributes of the finding. The following table describes the parameters.

Vulnerabilities

Matches findings that are vulnerabilities that meet specific parameters. The following table describes the parameters.