Manage policies

Policies are rules that monitor and identify risks in your projects based on specified conditions.

You can use them to:

  • enable, disable, or customize out-of-the-box features
  • implement custom workflows or findings
  • set guardrails for the development process
  • create custom ticketing or messaging workflows

Endor Labs provides various out-of-the-box policies and enables application security teams to quickly get started with policy management. Policy templates are also available that help you easily configure policies around known vulnerabilities, outdated, unmaintained, or unused software dependencies, license risks, code review guidelines, repository configurations, and more.

You can also author policies from scratch in the Rego policy language and customize them to your organization's rules and needs.

Key benefits

Policies are essential to define risk tolerance, set automated rules for open-source components, check your repository or organization configuration, and more.

Identify and triage issues - Policies give you a quick and automated way to identify and triage issues in your environment. This saves valuable development time and ensures developers consider security issues at the early stages of application development.

Improve decision-making - Automating enforcement simplifies decision-making in an organization and reduces complexity. Policies make assessing OSS components simpler and allow developers to focus on the violations that are critical to the organization.

Establish governance - Use policies to set up an organization's governance methods, such as enforcing multi-factor authentication, setting code review guidelines, defining guidelines for the use of open-source components, preventing misconfiguration of source code repositories, and more.

Types of policies

There are two types of policies that you can set up with Endor Labs.

  • Finding policy - Create finding policies to identify issues in your development environment and notify you about them. For example, you can create license violation policies to define the behavior for missing, unknown, problematic, or incompatible licenses. You can permit or restrict packages with certain license types.
  • Action policy - Create action policies to define the system behavior and set up workflows that run when a rule or condition is met. For example, you can create an action policy that creates a Jira task whenever a package with an outdated release is included in one of your projects.

What are finding policies?

Learn about finding policies in Endor Labs and how to use them.

What are action policies?

Learn about action policies in Endor Labs and how to use them.

Policies for SCM posture management

Learn about the out-of-the-box finding policies and templates for source code management.

Policies to detect open-source risks

Learn about the out-of-the-box finding policies and templates for open-source risk management.

Policies to detect secret leaks

Learn about the out-of-the-box finding policies and templates for secret leak detection.

Tagging projects for policy

Learn about tagging projects to manage policies in Endor Labs.

Policies for CI/CD tools

Learn about the out-of-the-box finding policies and templates for the CI/CD tools used in your software development environment.