Component policies
Use component policies to notify Organization Admins when components with specific properties are detected in a SCA test.
Component policy overview
Rules
You can add up to five rules to each component policy. Rules control what actions occur when test results violate a policy (when components with specific properties are detected in an SCA test). Set up rules to monitor tests for components with any combination of the following properties:
- Components that are included or excluded from your SBOM.
- Components with licenses in different license families.
- Components that are direct or transitive dependencies.
- Components with different security risks.
- Components that are subject to specific licenses.
- Components with specific names.
- Components with specific match scores.
Actions
You can assign the following actions to each rule in a component policy:
Note: You can add any action to a rule, but actions only function as expected when the prerequisites are met, and only run after a test is complete.
Action | Description | Prerequisites |
---|---|---|
Send Notification | Send an email notification to Organization Admins when components with specific properties are found in a test. Each email includes the names of one or more violated component policies, the violated rules in each policy, the total quantity of violating components for each rule, and helpful links. Click a component quantity to view the components that violate the rule in . Note: Email notifications for issue and component policies are only sent to Organization Admins. One email is sent each time a test's results violate one or more policies, and each email can include components that violate more than one of each policy's rules. If a test's results violate issue and component policies, violated issue and component policies are listed in the same email. |
Notifications must be enabled for the organization, and your personal notification settings must allow Policy notifications. |
Example component policy
For example, say you create a component policy with the following rule:
Rule | Component properties | Actions |
---|---|---|
Rule one | Components with Permissive, AGPL, or Unknown licenses with a Security Risk of Critical or High. | Send Notification |
In tests subject to this example component policy:
- An email notification is sent to Organization Admins when critical or high-risk components with permissive, AGPL, or unknown licenses are detected in a test.
View a component policy's details
Create a component policy
Tip: Instead of creating a new component policy, you can use a preexisting policy as a starting point (and adjust the policy as you wish). Click the options icon at the end of a policy's row and select Duplicate.
Modify a component policy
- Go to Policies and open the Component Policies tab.
- Click the options icon at the end of the policy's row and select Edit.
- Modify the policy, as required.
- Select Save.