Exception policies define the conditions for applying an exception to a finding. When an exception is applied to a finding, it is tracked as an exception and action policies do not apply to it. Findings with exceptions are filtered out from Endor Labs reports by default.
See Exception Policies for more information.
Instead of creating an exception policy, you can also use the following methods to avoid findings:
- Disable the rule under SAST Rules
- Use `include-path` and `exclude-path` to scan only parts of the project
You can create an exception policy so that you can mark a SAST finding as an exception.
For example, you want to mark findings with the description, Detected Potential Open Redirect Vulnerability in Angular Application, as exceptions.
- Select Policies from the left sidebar.
- Select EXCEPTION POLICIES.
- Click Create Exception Policy to create a new exception policy.
- Select Standard Exception Find Attributes as the POLICY TEMPLATE.
- Enter `Detected Potential Open Redirect Vulnerability in Angular Application` in Finding Name Contains.
- Select from the following reasons why you are applying this exception:
  - In Triage: The finding is still being triaged for more information.
  - False Positive: The finding is a false positive.
  - Risk Accepted: The risk associated with the finding is accepted.
  - Other: Another reason applies for this exception.
- Select when the exception should expire. Options include 30, 60, 90 days, and Never.
- Assign Scope for which this exception policy should apply. Scopes are defined by the tags assigned to a project.
  - In Inclusions, enter the tags of the projects that you want to apply an exception to.
  - In Exclusions, enter the tags of the projects that you do not want to apply an exception to. Exclusions take precedence over inclusions in case of a conflict.
  - Click the link to view the projects included in the finding policy.
  See Tagging projects for more information about creating project tags.
- Enter a human-readable Name for your exception policy.
- Enter a Description for your exception policy that explains its function.
- Enter any Policy Tags that you want to associate with your policy. Tags can have a maximum of 63 characters and can contain letters, numbers, and the characters `=`, `@`, `_`, and `-`.
- Click Create Exception Policy.
Create exceptions from the findings
You can also create exceptions directly from a finding.
- Select Projects from the left sidebar.
- Search for and select a project, and select Findings.
- Search for findings using advanced or basic filters.
- Select findings and click the vertical three dots.
- Select Add Exception Policy.
- Select a template or create the policy from scratch. The template parameters are automatically pre-filled based on the selected finding.
- Click Create Exception Policy.
Use this feature to apply an exception only to findings with a specific hash value. For example, `Detected Potential time of check time of use vulnerability (open/fopen): ID #e81f27`. After creation, this exception policy applies only to the SAST findings with this hash ID and not to any others.
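The rules above (name-contains matching, a scope built from project tags where Exclusions win over Inclusions, a 30/60/90-day or Never expiry, and the hash-ID exception just described) can be checked against a handful of findings in a small local model. The following Python is an added example written for this page; it is not Endor Labs code and its dataclasses, field names, finding hashes other than `#e81f27`, and project tags are constructed assumptions, not the product's API schema.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Documented constraint for Policy Tags: at most 63 characters drawn from
# letters, digits and the characters = @ _ -
TAG_RE = re.compile(r"[A-Za-z0-9=@_-]{1,63}")


def valid_policy_tag(tag: str) -> bool:
    """True if the tag satisfies the documented length and character rules."""
    return TAG_RE.fullmatch(tag) is not None


@dataclass(frozen=True)
class Finding:
    # Constructed model of a SAST finding (not the product's schema).
    name: str
    hash_id: str
    project_tags: frozenset


@dataclass
class ExceptionPolicy:
    # Constructed model mirroring the form fields described on this page.
    name: str
    reason: str                        # In Triage / False Positive / Risk Accepted / Other
    created: date
    expires_after_days: Optional[int]  # 30, 60, 90 or None for "Never"
    name_contains: Optional[str] = None
    hash_id: Optional[str] = None      # hash-ID exception, e.g. "e81f27"
    inclusions: frozenset = frozenset()
    exclusions: frozenset = frozenset()

    def in_scope(self, project_tags: frozenset) -> bool:
        # Exclusions take precedence over inclusions when both match.
        if self.exclusions & project_tags:
            return False
        # Assumption of this model: no inclusions means every non-excluded project.
        return not self.inclusions or bool(self.inclusions & project_tags)

    def expired(self, today: date) -> bool:
        if self.expires_after_days is None:   # "Never"
            return False
        return today >= self.created + timedelta(days=self.expires_after_days)

    def matches(self, finding: Finding, today: date) -> bool:
        if self.expired(today) or not self.in_scope(finding.project_tags):
            return False
        if self.hash_id is not None:          # hash exception: exact ID only
            return finding.hash_id == self.hash_id
        if self.name_contains is not None:    # Finding Name Contains
            return self.name_contains in finding.name
        return False


def apply_exceptions(findings, policies, today):
    """Split findings into (actionable hash IDs, {excepted hash ID: policy name})."""
    actionable, excepted = [], {}
    for f in findings:
        for p in policies:
            if p.matches(f, today):
                excepted[f.hash_id] = p.name
                break
        else:
            actionable.append(f.hash_id)
    return sorted(actionable), excepted


def run_demo(today_iso: str):
    """Evaluate constructed findings and policies as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    redirect = "Detected Potential Open Redirect Vulnerability in Angular Application"
    toctou = "Detected Potential time of check time of use vulnerability (open/fopen)"
    findings = [  # hashes other than e81f27 are constructed sample values
        Finding(redirect, "a1b2c3", frozenset({"team-web", "prod"})),
        Finding(redirect, "d4e5f6", frozenset({"team-web", "pci"})),
        Finding(toctou, "e81f27", frozenset({"team-infra"})),
        Finding(toctou, "777777", frozenset({"team-infra"})),
    ]
    policies = [
        ExceptionPolicy("Angular open redirect FP", "False Positive", date(2024, 1, 1), 90,
                        name_contains=redirect,
                        inclusions=frozenset({"team-web"}), exclusions=frozenset({"pci"})),
        ExceptionPolicy("Accepted TOCTOU e81f27", "Risk Accepted", date(2024, 1, 1), None,
                        hash_id="e81f27"),
    ]
    return apply_exceptions(findings, policies, today)


if __name__ == "__main__":
    print(run_demo("2024-02-01"))  # redirect policy still active
    print(run_demo("2024-06-01"))  # 90-day redirect policy has expired
```

Running it shows the two behaviours worth confirming before relying on an exception policy: the `pci`-tagged project stays actionable even though it carries the included `team-web` tag, and the hash-ID policy leaves the second TOCTOU finding (different hash, same description) visible. Moving the date past the 90-day expiry returns the open-redirect finding to the actionable list, which is the reason to pick a finite expiry for In Triage or False Positive exceptions and review them before they lapse.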