

# Action policy templates

> Learn about the predefined action policy templates and how to customize them.

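/**
 * Renders a YAML-like key/value listing as an HTML table.
 *
 * Rows come from one of three sources, in priority order: the `data` prop
 * (already an array of row objects), the `content` prop (raw text), or the
 * component's children (a string, or React nodes whose text is extracted).
 * Raw text is parsed by `parseYamlTableContent`, which accepts two layouts:
 * entries introduced by a `- ` line, or entries separated by blank lines.
 * Columns are the keys of the first row; header text is the key with `_`
 * replaced by a space.
 *
 * Cell text supports a small inline subset: `[text](url)`, `` `code` ``,
 * `**bold**`, `*em*`, `<br>`, `<p>`, `-note-`, `-warning-`, and the
 * whole-cell badges `-yes-`, `-no-`, `-limited-` / `-partial-`.
 *
 * `useState`, `useEffect` and `useMemo` are not imported in this file; they
 * are expected to be provided by the MDX host's scope (confirm for your
 * renderer).
 *
 * @param {object} props
 * @param {*} [props.children] - Table text, or nodes whose text is used.
 * @param {Array<Record<string, string>>} [props.data] - Pre-parsed rows.
 * @param {string} [props.content] - Raw text to parse instead of children.
 * @returns {JSX.Element | null} The table; null before mount or when empty.
 */
export const YamlTable = ({children, data: propData, content}) => {
  // `key: value` on one line. The lazy key group stops at the first colon,
  // so values may themselves contain colons (URLs, for example).
  const KV_RE = /^([A-Za-z][A-Za-z0-9_()/#\s-]+?):\s*(.+)$/;
  // Inline markdown: link | code | bold | em. Global flag, so lastIndex is
  // reset before every scan (see processText).
  const INLINE_MD_RE = /(\[([^\]]+)\]\(([^)]+)\))|(`([^`]+)`)|(\*\*([^*]+)\*\*)|(\*([^*]+)\*)/g;
  // Whole-cell badge markers (case-insensitive).
  const YES_RE = /^-yes-$/i;
  const NO_RE = /^-no-$/i;
  const LIMITED_RE = /^-(limited|partial)-$/i;
  // Lightweight tags recognised inside plain-text runs.
  const SIMPLE_TAG_RE = /(<br\s*\/?>)|(<p\s*\/?>)|(-note-)|(-warning-)/gi;

  /**
   * Parses a `key: value` line.
   * @param {string} trimmed - Line with surrounding whitespace removed.
   * @returns {{key: string, value: string} | null} null when it does not match.
   */
  const tryParseKV = trimmed => {
    const m = KV_RE.exec(trimmed);
    return m ? {key: m[1], value: m[2].trim()} : null;
  };

  /** Records a column name the first time it is seen, keeping first-seen order. */
  const registerKey = (key, seenKeys, orderedKeys) => {
    if (seenKeys.has(key)) return;
    orderedKeys.push(key);
    seenKeys.add(key);
  };

  /** Appends an entry to the row list, skipping entries with no fields. */
  const flushEntry = (currentEntry, entries) => {
    if (Object.keys(currentEntry).length > 0) entries.push(currentEntry);
  };

  /**
   * Layout A: each entry begins with a `- key: value` line and continues with
   * further `key: value` lines until the next `- ` line. Blank lines and
   * lines that are not `key: value` are ignored.
   */
  const parseDashPrefixed = (lines, entries, orderedKeys, seenKeys) => {
    let currentEntry = {};
    let inEntry = false;
    for (const line of lines) {
      const trimmed = line.trim();
      if (trimmed.startsWith('- ')) {
        // A `- ` line that is not `key: value` would otherwise leave an empty
        // object behind, rendering as a blank row; flushEntry drops it.
        flushEntry(currentEntry, entries);
        currentEntry = {};
        inEntry = true;
        const kv = tryParseKV(trimmed.substring(2).trim());
        if (kv) {
          registerKey(kv.key, seenKeys, orderedKeys);
          currentEntry[kv.key] = kv.value;
        }
      } else if (inEntry && trimmed !== '') {
        const kv = tryParseKV(trimmed);
        if (kv) {
          registerKey(kv.key, seenKeys, orderedKeys);
          currentEntry[kv.key] = kv.value;
        }
      }
    }
    flushEntry(currentEntry, entries);
  };

  /**
   * Layout B: entries are runs of `key: value` lines separated by blank
   * lines. A non-indented `key: value` line also starts a new entry when the
   * current one already has fields.
   */
  const parseBlankSeparated = (lines, entries, orderedKeys, seenKeys) => {
    let currentEntry = {};
    let inEntry = false;
    for (const line of lines) {
      const trimmed = line.trim();
      if (trimmed === '') {
        if (inEntry) {
          flushEntry(currentEntry, entries);
          currentEntry = {};
          inEntry = false;
        }
        continue;
      }
      const kv = tryParseKV(trimmed);
      if (!kv) continue;
      // Leading indentation marks a continuation of the current entry.
      const isNewEntry = !line.startsWith(' ') && !line.startsWith('\t');
      if (isNewEntry && inEntry && Object.keys(currentEntry).length > 0) {
        entries.push(currentEntry);
        currentEntry = {};
      }
      registerKey(kv.key, seenKeys, orderedKeys);
      currentEntry[kv.key] = kv.value;
      inEntry = true;
    }
    flushEntry(currentEntry, entries);
  };

  /** Gives every row the same columns (first-seen order), '' for missing keys. */
  const normalizeEntries = (entries, orderedKeys) => entries.map(entry => {
    const filled = {};
    for (const key of orderedKeys) filled[key] = entry[key] ?? '';
    return filled;
  });

  /**
   * Parses raw table text into row objects. Layout A is used when any line
   * starts with `- `, otherwise layout B.
   * @param {string} contentStr
   * @returns {Array<Record<string, string>>}
   */
  const parseYamlTableContent = contentStr => {
    if (!contentStr) return [];
    const entries = [];
    const orderedKeys = [];
    const seenKeys = new Set();
    const lines = contentStr.split('\n');
    if (lines.some(line => line.trim().startsWith('- '))) {
      parseDashPrefixed(lines, entries, orderedKeys, seenKeys);
    } else {
      parseBlankSeparated(lines, entries, orderedKeys, seenKeys);
    }
    return normalizeEntries(entries, orderedKeys);
  };

  /**
   * Converts inline markdown in a cell into React nodes, then expands the
   * simple tags inside the remaining plain-text runs.
   * @param {string} text
   * @returns {string | Array<*>} The input unchanged when empty, else nodes.
   */
  const processText = text => {
    if (!text) return text;
    const parts = [];
    let keyIndex = 0;
    let lastIndex = 0;
    let match;
    // Shared /g regex: always start scanning from the beginning.
    INLINE_MD_RE.lastIndex = 0;
    while ((match = INLINE_MD_RE.exec(text)) !== null) {
      if (match.index > lastIndex) parts.push(text.slice(lastIndex, match.index));
      if (match[1]) {
        // The link target is used verbatim; the table text is authored in
        // this page's MDX rather than supplied by end users.
        parts.push(<a key={keyIndex++} href={match[3]}>{match[2]}</a>);
      } else if (match[4]) {
        parts.push(<code key={keyIndex++}>{match[5]}</code>);
      } else if (match[6]) {
        parts.push(<strong key={keyIndex++}>{match[7]}</strong>);
      } else if (match[8]) {
        parts.push(<em key={keyIndex++}>{match[9]}</em>);
      }
      lastIndex = match.index + match[0].length;
    }
    if (lastIndex < text.length) parts.push(text.slice(lastIndex));
    if (parts.length === 0) return text;
    // One counter shared with tag expansion so React keys stay unique.
    const keyRef = {current: keyIndex};
    return expandHtmlTags(parts, keyRef);
  };

  /**
   * Renders a whole-cell badge marker as an icon, otherwise delegates to
   * processText. Non-string values are returned untouched.
   */
  const processBadges = text => {
    if (!text || typeof text !== 'string') return text;
    if (YES_RE.test(text)) return <span className="yt-badge-yes" role="img" aria-label="Supported" title="Supported">✓</span>;
    if (NO_RE.test(text)) return <span className="yt-badge-no" role="img" aria-label="Not supported" title="Not supported">✗</span>;
    if (LIMITED_RE.test(text)) return <span className="yt-badge-limited" role="img" aria-label="Partially supported" title="Partially supported">◐</span>;
    return processText(text);
  };

  /**
   * Splits a plain-text run on `<br>`, `<p>`, `-note-` and `-warning-`,
   * replacing each with the corresponding element. `<p>` becomes two line
   * breaks. `keyRef.current` is advanced for every element created.
   * @returns {Array<*>} Strings and elements, in source order.
   */
  const expandSimpleTags = (str, keyRef) => {
    const result = [];
    let last = 0;
    SIMPLE_TAG_RE.lastIndex = 0;
    let m;
    while ((m = SIMPLE_TAG_RE.exec(str)) !== null) {
      if (m.index > last) result.push(str.slice(last, m.index));
      if (m[1]) {
        result.push(<br key={keyRef.current++} />);
      } else if (m[2]) {
        result.push(<br key={keyRef.current++} />, <br key={keyRef.current++} />);
      } else if (m[3]) {
        result.push(<span key={keyRef.current++} className="yt-badge-note" style={{
          fontWeight: 600
        }}>Note: </span>);
      } else if (m[4]) {
        result.push(<span key={keyRef.current++} className="yt-badge-warning" style={{
          fontWeight: 600
        }}>Warning: </span>);
      }
      last = m.index + m[0].length;
    }
    if (last < str.length) result.push(str.slice(last));
    return result;
  };

  /** Expands simple tags in the string chunks; element chunks pass through. */
  const expandHtmlTags = (chunks, keyRef) => {
    const out = [];
    for (const chunk of chunks) {
      if (typeof chunk === 'string') {
        out.push(...expandSimpleTags(chunk, keyRef));
      } else {
        out.push(chunk);
      }
    }
    return out;
  };

  /**
   * Flattens React children to their text. Booleans and null/undefined
   * contribute nothing; for element nodes only `props.children` is used.
   * @param {*} node
   * @returns {string}
   */
  const extractText = node => {
    if (node === null || node === undefined) return '';
    if (typeof node === 'string') return node;
    if (typeof node === 'number') return String(node);
    if (typeof node === 'boolean') return '';
    if (Array.isArray(node)) return node.map(extractText).join('');
    if (node && typeof node === 'object' && node.type) {
      const props = node.props || ({});
      if (typeof props.children === 'string') return props.children;
      if (props.children) return extractText(props.children);
      return '';
    }
    return String(node || '');
  };

  // Client-only render: nothing is emitted until the first effect has run.
  const [mounted, setMounted] = useState(false);
  useEffect(() => {
    setMounted(true);
  }, []);

  // Row source priority: `data` prop, then `content` prop, then children.
  const data = useMemo(() => {
    if (propData) return propData;
    if (content && typeof content === 'string') return parseYamlTableContent(content);
    if (!children) return [];
    if (typeof children === 'string') return parseYamlTableContent(children);
    const childrenArray = Array.isArray(children) ? children : [children];
    return parseYamlTableContent(childrenArray.map(extractText).join('').trim());
  }, [children, propData, content]);

  // Column order is taken from the first row's keys.
  const columns = useMemo(() => {
    if (!data || data.length === 0) return [];
    const firstRow = data[0];
    if (!firstRow || typeof firstRow !== 'object') return [];
    return Object.keys(firstRow);
  }, [data]);

  if (!mounted) return null;
  if (!data || data.length === 0) return null;

  // The row index is part of the key so two identical rows do not collide.
  const rowKey = (row, index) => `${index}|${columns.map(c => row[c] ?? '').join('|')}`;

  return <table>
      <thead>
        <tr>
          {columns.map(col => <th key={col}>{col.replaceAll('_', ' ')}</th>)}
        </tr>
      </thead>
      <tbody>
        {data.map((row, index) => <tr key={rowKey(row, index)}>
            {columns.map(col => <td key={col}>{processBadges(row[col])}</td>)}
          </tr>)}
      </tbody>
    </table>;
};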

Endor Labs provides the following action policy templates that you can use to quickly create action policies.
Each policy template provides parameters to help you customize the conditions under which a policy action takes place.

<Note>
  All action policy templates automatically match only new findings for PR scans, assuming that there is a baseline that the scan results can be compared to. If the finding already exists in the baseline, it is not considered a match. See [PR baseline](/developers-api/cli/commands/scan#pull-request-ci-flags) and [PR comments](/scan/pr-scans/pr-comments#enable-pr-comments) to learn more.
</Note>

The following template categories are available:

* [Container](#container)
* [GitHub Actions](#github-actions)
* [Malware](#malware)
* [SAST](#sast)
* [SCA](#sca)
* [Secrets](#secrets)
* [Security Review](#security-review)
* [Vulnerabilities](#vulnerabilities)

## Container

Use these templates to define actions for findings related to container images, including vulnerabilities in base images, installed packages, and container configurations.

### Containers

Matches container findings for vulnerabilities that meet specific parameters.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: Full vulnerability identifier. For example, CVE-2024-3727 or GHSA-qh2h-chj9-jffq (case insensitive).
    - Parameter: Severity
    Description: Only match findings with this severity.
    - Parameter: Fix Availability
    Description: Select **Fix Available** to only match findings if a patch is available to fix the issue in the dependency.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: EPSS Percentile Threshold
    Description: Only match findings with an EPSS percentile equal to or higher than this threshold (0.00-100.00). The EPSS percentile ranks a vulnerability's likelihood of being exploited by attackers relative to all other scored vulnerabilities.
    - Parameter: EPSS Probability Threshold
    Description: Only match findings with an EPSS probability score equal to or higher than this threshold (0.00-1.00). The EPSS probability score represents the probability [0-1] of exploitation in the wild in the next 30 days following score publication.
    - Parameter: Exploited
    Description: Only match findings for CVEs listed in the Known Exploited Vulnerabilities (KEV) database.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Allows you to define full or partial dependency names that the action policy should exclude. For example, use this to exclude a specific dependency from this policy.
    - Parameter: Exclude if Package Name Contains
    Description: Allows you to define full or partial package names that the action policy should exclude. This is the resource that the finding is raised against. For example, the package directly or indirectly includes an unmaintained dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies reachable only through other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. The **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.


    `}
</YamlTable>

### Custom (Advanced)

Allows you to define a custom action policy based on the attributes of the finding.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Category
    Description: Match finding category.
    - Parameter: Type
    Description: Match finding type.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Fix Availability
    Description: Select **Fix Available** to only match findings if a patch is available to fix the issue in the dependency.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Select **Reachable Dependency** and **Potentially Reachable Dependency** to only match findings where the vulnerable dependency is reachable.
    - Parameter: Function Reachability
    Description: Select **Reachable Function** and **Potentially Reachable Function** to only match findings where the vulnerable function is reachable.
    - Parameter: Exclude Test
    Description: Select **Yes** to exclude test dependencies.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Custom Tag
    Description: Only match findings that have this custom tag (set by the policy that created the finding or using the \`--finding-tags\` CLI option). Note that these are different and separate from the system-defined finding tags.
    - Parameter: Include Path
    Description: Only match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Exclude Path
    Description: Do not match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Exclude if Dependency Name Contains
    Description: Allows you to define full or partial dependency names that the action policy should exclude. For example, use this to exclude a specific dependency from this policy.
    - Parameter: Exclude if Package Name Contains
    Description: Allows you to define full or partial package names that the action policy should exclude. This is the resource that the finding is raised against. For example, the package directly or indirectly includes an unmaintained dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.
    - Parameter: Include GitHub Action findings
    Description: Select **Yes** to include findings for GitHub action dependencies.
    - Parameter: Include Container findings
    Description: Select **Yes** to include findings for container dependencies.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. Note that the **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.
    - Parameter: Code Owner
    Description: Only match findings with this code owner. For example, \`@octocat\` or \`@octocat-team\`. Case-insensitive exact matches only, no partial or approximate (fuzzy) matches. If a finding does not have a code owner, it is not matched by the policy. Code owners are automatically assigned to findings based on the \`CodeOwners\` object for the project, which is generated from the CODEOWNERS file in the default branch of the repository. For projects without a CODEOWNERS file, the \`CodeOwners\` object can be managed through the API.


    `}
</YamlTable>

#### Finding categories

Findings are classified into one or more of the following categories:

<YamlTable>
  {`


    - Category: AI Models
    Description: AI model related findings. See [AI model policies](/secure-ai-coding/ai-model-discovery/ai-model-policies) for details.
    - Category: CI/CD
    Description: Umbrella category for CI/CD pipeline findings including GitHub action and CI/CD tool findings.
    - Category: Container
    Description: Container related findings. See [Container policies](/platform-administration/policies/finding-policies/container-policies) for details.
    - Category: GitHub Actions
    Description: GitHub Action dependency findings. See [GitHub Action policies](/platform-administration/policies/finding-policies/github-action-policies) for details.
    - Category: License Risk
    Description: License related findings. See [License policies](/platform-administration/policies/finding-policies/license-policies) and [Open-source policies](/platform-administration/policies/finding-policies/oss-policies) for details.
    - Category: Malware
    Description: Malware findings.
    - Category: Operational
    Description: Umbrella category for operational issues including license risks, low dependency scores, outdated dependencies, recently released dependencies, unpinned dependencies, unreachable dependencies, unmaintained dependencies, and CI/CD findings.
    - Category: RSPM
    Description: Repository security posture management (RSPM) related findings. See [RSPM policies](/platform-administration/policies/finding-policies/managing-scm-configuration) for details.
    - Category: SAST
    Description: Static Application Security Testing (SAST) related findings.
    - Category: SCA
    Description: Umbrella category for Software Composition Analysis (SCA) related findings for software packages and their dependencies. Does not include AI model, Container, or CI/CD findings.
    - Category: Secrets
    Description: Findings for exposed secrets such as passwords or access tokens. See [Secret policies](/platform-administration/policies/finding-policies/secret-policies) for details.
    - Category: Security
    Description: Umbrella category for security issues including vulnerabilities, malware, phantom dependency, missing source code, SAST, secrets, and typosquatting findings.
    - Category: Supply Chain
    Description: Umbrella category for supply chain issues including malware, typosquatting, license risk, and AI model findings.
    - Category: Vulnerability
    Description: Vulnerability findings.


    `}
</YamlTable>

#### Finding types

Findings are classified into the following types, based on what the scanned packages include:

<YamlTable>
  {`


    - Type: Custom
    Description: Custom findings defined in custom policies.
    - Type: Dependency With Low Activity Score
    Description: Low Endor activity score.
    - Type: Dependency With Low Popularity Score
    Description: Low Endor popularity score.
    - Type: Dependency With Low Quality Score
    Description: Low Endor quality score.
    - Type: Dependency With Multiple Low Scores
    Description: More than one Low Endor Score.
    - Type: Dependency With Very Low Activity Scores
    Description: Very low Endor activity score.
    - Type: Dependency With Very Low Popularity Score
    Description: Very low Endor popularity score.
    - Type: Dependency With Very Low Quality Score
    Description: Very low Endor quality score.
    - Type: License Risk
    Description: Missing, unknown, restricted, or problematic licenses.
    - Type: Malware Dependency
    Description: Known malicious dependencies reported by Open Source Vulnerabilities (OSV).
    - Type: Malware OSS Review
    Description: Potentially suspicious code that needs review.
    - Type: Missing Source Code
    Description: Associated source code is not auditable.
    - Type: Outdated Dependency
    Description: Outdated code with older versions of the released dependencies.
    - Type: Recently Released Dependency
    Description: Dependency versions released more recently than the configured cooldown period allows.
    - Type: Typosquatted Dependency
    Description: Dependencies with intentionally similar names to popular packages.
    - Type: Unmaintained Dependency
    Description: Unmaintained dependencies introducing vulnerabilities.
    - Type: Unpinned Dependency
    Description: Variable version specifications of dependencies.
    - Type: Unused Dependency
    Description: Unused dependencies in the code.


    `}
</YamlTable>

## GitHub Actions

Use this template to match findings from GitHub Actions workflows, such as risky action usage or supply chain issues in your CI configuration.

Ensure the relevant [GitHub Action finding policies](/platform-administration/policies/finding-policies/github-action-policies) are enabled so Endor Labs raises these findings.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Finding Name
    Description: Only match findings with one of these finding names. Defaults to \`Unpinned direct dependency\`, \`Untrusted code checkout\`, and \`Imposter commit\`.
    - Parameter: Severity
    Description: Only match findings that have this severity level.
    - Parameter: Custom Tag
    Description: Only match findings that have this custom tag (set by the policy that created the finding or using the \`--finding-tags\` CLI option). These are different and separate from the system-defined finding tags.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. Set to **Any** to match findings for all branch types. The **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.


    `}
</YamlTable>

## Malware

Allows you to define the action policy to apply when a malware finding is detected, depending on its status, relationship to root packages, and ecosystem.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Status
    Description: Select the status of malware finding such as **Malware** for confirmed malware, **Telemetry** if the package is not always malicious but may expose environment details, or **Unhealthy** if the package appears broken or non-functional.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude Test
    Description: Select **Yes** to exclude test dependencies from this policy.
    - Parameter: Exclude Approximate
    Description: Select **Yes** to exclude approximate dependencies from this policy.


    `}
</YamlTable>

## SAST

Allows you to define the action taken when a SAST finding is raised.

<YamlTable>
  {`


    - Parameter: Severity
    Description: Only match findings that have this severity level.
    - Parameter: Confidence
    Description: Only match findings for SAST rules with this confidence level.
    - Parameter: Language
    Description: Only match findings for this SAST result language.
    - Parameter: SAST Tag
    Description: Only match findings that have this SAST tag. For example, \`A01:2021\` or \`Cryptographic-Failures\`.
    - Parameter: Custom Tag
    Description: Only match findings that have this custom tag (set by the policy that created the finding or using the \`--finding-tags\` CLI option). These are different and separate from the system-defined finding tags.
    - Parameter: CWE
    Description: Only match findings with this CWE. For example, \`CWE-123\` or \`CWE-456\` (case insensitive).
    - Parameter: File Scope
    Description: Only match findings with this file scope. For example, \`Normal\` or \`Test\`.
    - Parameter: Include Path
    Description: Only match findings for files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Exclude Path
    Description: Do not match findings for files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. The **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.
    - Parameter: Code Owner
    Description: Only match findings with this code owner. For example, \`@octocat\` or \`@octocat-team\`. Case-insensitive exact matches only, no partial or approximate (fuzzy) matches. If a finding does not have a code owner, it is not matched by the policy. Code owners are automatically assigned to findings based on the \`CodeOwners\` object for the project, which is generated from the CODEOWNERS file in the default branch of the repository. For projects without a CODEOWNERS file, the \`CodeOwners\` object can be managed through the API.


    `}
</YamlTable>

## SCA

Use these templates to define actions for Software Composition Analysis (SCA) findings, including vulnerabilities, outdated dependencies, unmaintained packages, license risks, and other issues in your open-source dependencies.

### Containers

Matches container findings for vulnerabilities that meet specific parameters.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: Full vulnerability identifier. For example, CVE-2024-3727 or GHSA-qh2h-chj9-jffq (case insensitive).
    - Parameter: Severity
    Description: Only match findings with this severity.
    - Parameter: Fix Availability
    Description: Select **Fix Available** to only match findings if a patch is available to fix the issue in the dependency.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: EPSS Percentile Threshold
    Description: Only match findings with an EPSS percentile equal to or higher than this threshold (0.00-100.00). The EPSS percentile ranks a vulnerability's likelihood of being exploited by attackers relative to all other scored vulnerabilities.
    - Parameter: EPSS Probability Threshold
    Description: Only match findings with an EPSS probability score equal to or higher than this threshold (0.00-1.00). The EPSS probability score represents the probability [0-1] of exploitation in the wild in the next 30 days following score publication.
    - Parameter: Exploited
    Description: Only match findings for CVEs listed in the Known Exploited Vulnerabilities (KEV) database.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Allows you to define full or partial dependency names that the action policy should exclude. For example, use this to exclude a specific dependency from this policy.
    - Parameter: Exclude if Package Name Contains
    Description: Allows you to define full or partial package names that the action policy should exclude. This is the resource that the finding is raised against. For example, the package directly or indirectly includes an unmaintained dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies reachable only through other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. The **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.


    `}
</YamlTable>

### Custom (Advanced)

Allows you to define a custom action policy based on the attributes of the finding.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Category
    Description: Match finding category.
    - Parameter: Type
    Description: Match finding type.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Fix Availability
    Description: Select **Fix Available** to only match findings if a patch is available to fix the issue in the dependency.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Select **Reachable Dependency** and **Potentially Reachable Dependency** to only match findings where the vulnerable dependency is reachable.
    - Parameter: Function Reachability
    Description: Select **Reachable Function** and **Potentially Reachable Function** to only match findings where the vulnerable function is reachable.
    - Parameter: Exclude Test
    Description: Select **Yes** to exclude test dependencies.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Custom Tag
    Description: Only match findings that have this custom tag (set by the policy that created the finding or using the \`--finding-tags\` CLI option). Note that these are different and separate from the system-defined finding tags.
    - Parameter: Include Path
    Description: Only match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Exclude Path
    Description: Do not match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Exclude if Dependency Name Contains
    Description: Allows you to define full or partial dependency names that the action policy should exclude. For example, use this to exclude a specific dependency from this policy.
    - Parameter: Exclude if Package Name Contains
    Description: Allows you to define full or partial package names that the action policy should exclude. This is the resource that the finding is raised against. For example, the package directly or indirectly includes an unmaintained dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.
    - Parameter: Include GitHub Action findings
    Description: Select **Yes** to include findings for GitHub action dependencies.
    - Parameter: Include Container findings
    Description: Select **Yes** to include findings for container dependencies.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. Note that the **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.
    - Parameter: Code Owner
    Description: Only match findings with this code owner. For example, \`@octocat\` or \`@octocat-team\`. Case-insensitive exact matches only, no partial or approximate (fuzzy) matches. If a finding does not have a code owner, it is not matched by the policy. Code owners are automatically assigned to findings based on the \`CodeOwners\` object for the project, which is generated from the CODEOWNERS file in the default branch of the repository. For projects without a CODEOWNERS file, the \`CodeOwners\` object can be managed through the API.


    `}
</YamlTable>

### Malware

Allows you to define the action policy to apply when a malware finding is detected, depending on its status, relationship to root packages, and ecosystem.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Status
    Description: Select the status of the malware finding to match: **Malware** for confirmed malware, **Telemetry** if the package is not always malicious but may expose environment details, or **Unhealthy** if the package appears broken or non-functional.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude Test
    Description: Select **Yes** to exclude test dependencies from this policy.
    - Parameter: Exclude Approximate
    Description: Select **Yes** to exclude approximate dependencies from this policy.


    `}
</YamlTable>

### Outdated Releases

Matches findings for dependencies that are outdated, that is, older versions of software that are not actively updated. The following parameters are supported:

<YamlTable>
  {`


    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Select **Reachable Dependency** and **Potentially Reachable Dependency** to only match findings where the outdated dependency is reachable.
    - Parameter: Exclude Test
    Description: Exclude test dependencies from this policy.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a package that directly or indirectly includes the outdated dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.


    `}
</YamlTable>

### Recently Released Dependencies (cooldown)

Matches findings for recently released dependencies. Supported configuration parameters for this action policy template are:

<YamlTable>
  {`


    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude Test
    Description: Exclude test dependencies from this policy.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a package that directly or indirectly includes the recently released dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. The **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.


    `}
</YamlTable>

### Unmaintained Dependencies

Matches findings based on dependencies that are no longer maintained or may have reached end-of-life. The following parameters are supported:

<YamlTable>
  {`


    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Select **Reachable Dependency** and **Potentially Reachable Dependency** to only match findings where the unmaintained dependency is reachable.
    - Parameter: Exclude Test
    Description: Exclude test dependencies from this policy.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a package that directly or indirectly includes an unmaintained dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.


    `}
</YamlTable>

### Unpinned Direct Dependencies

Matches findings based on direct dependencies that do not have a version or a range of versions specified. Supported configuration parameters for this action policy template are:

<YamlTable>
  {`


    - Parameter: Exclude Test
    Description: Exclude test dependencies from this policy.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a package that declares the unpinned dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.


    `}
</YamlTable>

### Unreachable Direct Dependencies

Matches findings based on dependencies that are not directly used or called within a project. Supported configuration parameters for this action policy template are:

<YamlTable>
  {`


    - Parameter: Exclude Test
    Description: Exclude test dependencies from this policy.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a package that declares the unreachable dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.


    `}
</YamlTable>

### Vulnerabilities

Matches findings that are vulnerabilities that meet specific parameters.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: Full vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Severity
    Description: Only match findings with this severity.
    - Parameter: Fix Availability
    Description: Select **Fix Available** to only match findings if a patch is available to fix the issue in the dependency.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Select **Reachable Dependency** and **Potentially Reachable Dependency** to only match findings where the vulnerable dependency is reachable.
    - Parameter: Function Reachability
    Description: Select **Reachable Function** and **Potentially Reachable Function** to only match findings where the vulnerable function is reachable.
    - Parameter: Exclude Test
    Description: Select **Yes** to exclude test dependencies from this policy.
    - Parameter: EPSS Percentile Threshold
    Description: Only match findings whose EPSS percentile is equal to or higher than this threshold (0.00–100.00). The EPSS percentile ranks a vulnerability's exploitation probability relative to all other scored vulnerabilities; for example, a percentile of 95 means the vulnerability has a higher EPSS probability than 95% of scored vulnerabilities.
    - Parameter: EPSS Probability Threshold
    Description: Only match findings with an EPSS probability score equal to or higher than this threshold (0.00–1.00). The EPSS probability score represents the probability [0–1] of exploitation in the wild in the next 30 days following score publication.
    - Parameter: Exploited
    Description: Only match findings for CVEs that are listed in the Known Exploited Vulnerabilities (KEV) database, which tracks vulnerabilities with evidence of active exploitation in the wild.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a package that directly or indirectly includes the vulnerable dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.
    - Parameter: Include GitHub Action findings
    Description: Select **Yes** to include findings for GitHub action dependencies.
    - Parameter: Include Container findings
    Description: Select **Yes** to include findings for container dependencies.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. Note that the **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.
    - Parameter: Code Owner
    Description: Only match findings with this code owner. For example, \`@octocat\` or \`@octocat-team\`. Case-insensitive exact matches only, no partial or approximate (fuzzy) matches. If a finding does not have a code owner, it is not matched by the policy. Code owners are automatically assigned to findings based on the \`CodeOwners\` object for the project, which is generated from the CODEOWNERS file in the default branch of the repository. For projects without a CODEOWNERS file, the \`CodeOwners\` object can be managed through the API.


    `}
</YamlTable>

## Secrets

Allows you to define the action taken when a leaked secret is detected based on the validation status of the secret.

<YamlTable>
  {`


    - Parameter: Validation Status
    Description: Select secret validation status: **Valid**, **Invalid**, or **Unable to Validate**.
    - Parameter: Custom Tag
    Description: Only match findings that have this custom tag (set by the policy that created the finding or using the \`--finding-tags\` CLI option). These are different and separate from the system-defined finding tags.
    - Parameter: Include Path
    Description: Only match findings for files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Exclude Path
    Description: Do not match findings for files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Code Owner
    Description: Only match findings with this code owner. For example, \`@octocat\` or \`@octocat-team\`. Case-insensitive exact matches only, no partial or approximate (fuzzy) matches. If a finding does not have a code owner, it is not matched by the policy. Code owners are automatically assigned to findings based on the \`CodeOwners\` object for the project, which is generated from the CODEOWNERS file in the default branch of the repository. For projects without a CODEOWNERS file, the \`CodeOwners\` object can be managed through the API.


    `}
</YamlTable>

## Security Review

Use these templates to define actions for security review findings that require manual assessment or additional analysis before taking action.

Matches security review findings. The following parameters are supported:

<YamlTable>
  {`


    - Parameter: Severity
    Description: Only match findings with this severity.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. The **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.


    `}
</YamlTable>

## Vulnerabilities

Use these templates to define actions for vulnerability findings, including CVEs, security advisories, and known exploits in your dependencies based on severity, exploitability, and fix availability.

### Containers

Matches container findings for vulnerabilities that meet specific parameters.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: Full vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Severity
    Description: Only match findings with this severity.
    - Parameter: Fix Availability
    Description: Select **Fix Available** to only match findings if a patch is available to fix the issue in the dependency.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: EPSS Percentile Threshold
    Description: Only match findings whose EPSS percentile is equal to or higher than this threshold (0.00-100.00). The EPSS percentile ranks a vulnerability's exploitation probability relative to all other scored vulnerabilities; for example, a percentile of 95 means the vulnerability has a higher EPSS probability than 95% of scored vulnerabilities.
    - Parameter: EPSS Probability Threshold
    Description: Only match findings with an EPSS probability score equal to or higher than this threshold (0.00-1.00). The EPSS probability score represents the probability [0-1] of exploitation in the wild in the next 30 days following score publication.
    - Parameter: Exploited
    Description: Only match findings for CVEs listed in the Known Exploited Vulnerabilities (KEV) database, which tracks vulnerabilities with evidence of active exploitation in the wild.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a container package that directly or indirectly includes the vulnerable dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. The **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.


    `}
</YamlTable>

### Custom (Advanced)

Allows you to define a custom action policy based on the attributes of the finding.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Category
    Description: Match finding category.
    - Parameter: Type
    Description: Match finding type.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Fix Availability
    Description: Select **Fix Available** to only match findings if a patch is available to fix the issue in the dependency.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Select **Reachable Dependency** and **Potentially Reachable Dependency** to only match findings where the vulnerable dependency is reachable.
    - Parameter: Function Reachability
    Description: Select **Reachable Function** and **Potentially Reachable Function** to only match findings where the vulnerable function is reachable.
    - Parameter: Exclude Test
    Description: Select **Yes** to exclude test dependencies.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Custom Tag
    Description: Only match findings that have this custom tag (set by the policy that created the finding or using the \`--finding-tags\` CLI option). Note that these are different and separate from the system-defined finding tags.
    - Parameter: Include Path
    Description: Only match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Exclude Path
    Description: Do not match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a package that directly or indirectly includes the affected dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.
    - Parameter: Include GitHub Action findings
    Description: Select **Yes** to include findings for GitHub action dependencies.
    - Parameter: Include Container findings
    Description: Select **Yes** to include findings for container dependencies.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. Note that the **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.
    - Parameter: Code Owner
    Description: Only match findings with this code owner. For example, \`@octocat\` or \`@octocat-team\`. Case-insensitive exact matches only, no partial or approximate (fuzzy) matches. If a finding does not have a code owner, it is not matched by the policy. Code owners are automatically assigned to findings based on the \`CodeOwners\` object for the project, which is generated from the CODEOWNERS file in the default branch of the repository. For projects without a CODEOWNERS file, the \`CodeOwners\` object can be managed through the API.


    `}
</YamlTable>

### Vulnerabilities

Matches findings that are vulnerabilities that meet specific parameters.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: Full vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Severity
    Description: Only match findings with this severity.
    - Parameter: Fix Availability
    Description: Select **Fix Available** to only match findings if a patch is available to fix the issue in the dependency.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Select **Reachable Dependency** and **Potentially Reachable Dependency** to only match findings where the vulnerable dependency is reachable.
    - Parameter: Function Reachability
    Description: Select **Reachable Function** and **Potentially Reachable Function** to only match findings where the vulnerable function is reachable.
    - Parameter: Exclude Test
    Description: Select **Yes** to exclude test dependencies from this policy.
    - Parameter: EPSS Percentile Threshold
    Description: Only match findings whose EPSS percentile is equal to or higher than this threshold (0.00–100.00). The EPSS percentile ranks a vulnerability's exploitation probability relative to all other scored vulnerabilities; for example, a percentile of 95 means the vulnerability has a higher EPSS probability than 95% of scored vulnerabilities.
    - Parameter: EPSS Probability Threshold
    Description: Only match findings with an EPSS probability score equal to or higher than this threshold (0.00–1.00). The EPSS probability score represents the probability [0–1] of exploitation in the wild in the next 30 days following score publication.
    - Parameter: Exploited
    Description: Only match findings for CVEs that are listed in the Known Exploited Vulnerabilities (KEV) database, which tracks vulnerabilities with evidence of active exploitation in the wild.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Exclude if Dependency Name Contains
    Description: Define full or partial dependency names that this action policy should exclude. For example, use this to exclude a specific dependency from the policy.
    - Parameter: Exclude if Package Name Contains
    Description: Define full or partial package names that this action policy should exclude. The package is the resource that the finding is raised against, for example, a package that directly or indirectly includes the vulnerable dependency.
    - Parameter: Exclude findings for transitive dependencies via other projects
    Description: Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team avoid acting on findings that they do not control because the dependency is introduced through another project's libraries.
    - Parameter: Include GitHub Action findings
    Description: Select **Yes** to include findings for GitHub action dependencies.
    - Parameter: Include Container findings
    Description: Select **Yes** to include findings for container dependencies.
    - Parameter: Branch Type
    Description: Only match findings for this branch type. Set to **Default** to match findings for the default branch. Set to **Ref** to match findings for reference (non-default) branches. Set to **Pull Request** to match findings for pull requests. Note that the **Send Notification** action does not apply to pull requests, as notifications are only processed for monitored branches.
    - Parameter: Code Owner
    Description: Only match findings with this code owner. For example, \`@octocat\` or \`@octocat-team\`. Case-insensitive exact matches only, no partial or approximate (fuzzy) matches. If a finding does not have a code owner, it is not matched by the policy. Code owners are automatically assigned to findings based on the \`CodeOwners\` object for the project, which is generated from the CODEOWNERS file in the default branch of the repository. For projects without a CODEOWNERS file, the \`CodeOwners\` object can be managed through the API.


    `}
</YamlTable>
