fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

Enforce Security Policy in a Pipeline from YAML #275

Closed kadraman closed 4 months ago

kadraman commented 1 year ago

Add the ability to define a security policy in YAML that can be validated, and to pass/fail a pipeline based on the results of a scan and/or a release. The security policy would be stored in the repository alongside the code and could look something like the following:

# Each policy groups one or more rules; a policy is violated when any rule's
# count of matching findings exceeds vulnerabilities_allowed.
scan_result_policy:
- name: SAST - limited critical/high
  description: maximum 2 critical, 5 high for SAST scan
  enabled: true
  rules:
  - type: scan_finding
    releases:
    - "*"            # quoted: a bare * is a YAML alias and does not parse
    scanners:
    - sast
    vulnerabilities_allowed: 2
    severity_levels:
    - critical
    vulnerability_states:
    - newly_detected
  - type: scan_finding
    releases:
    - "*"
    scanners:
    - sast
    vulnerabilities_allowed: 5
    severity_levels:
    - high
    vulnerability_states:
    - newly_detected
- name: DAST - no critical vulnerabilities
  description: critical severity level only for DAST scans
  enabled: true
  rules:
  - type: scan_finding
    releases:
    - "*"
    scanners:
    - dast
    vulnerabilities_allowed: 0
    severity_levels:
    - critical
    vulnerability_states:
    - newly_detected

There could be different fcli security-policy commands, e.g.

Different capabilities could include:
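The following is an added example, not part of the issue or of fcli, showing how the proposed policy format could be evaluated: each rule's matching findings are counted and compared with vulnerabilities_allowed, and any excess fails the pipeline. The policy is the YAML above as the Python structure a YAML loader would produce; the findings are constructed sample data.

```python
# Added example: evaluate scan findings against the proposed policy format.
# POLICY mirrors the issue's YAML as a loaded structure; FINDINGS are
# constructed sample tuples, not real Fortify scan output.
POLICY = {"scan_result_policy": [
    {"name": "SAST - limited critical/high", "enabled": True, "rules": [
        {"type": "scan_finding", "releases": ["*"], "scanners": ["sast"],
         "vulnerabilities_allowed": 2, "severity_levels": ["critical"],
         "vulnerability_states": ["newly_detected"]},
        {"type": "scan_finding", "releases": ["*"], "scanners": ["sast"],
         "vulnerabilities_allowed": 5, "severity_levels": ["high"],
         "vulnerability_states": ["newly_detected"]}]},
    {"name": "DAST - no critical vulnerabilities", "enabled": True, "rules": [
        {"type": "scan_finding", "releases": ["*"], "scanners": ["dast"],
         "vulnerabilities_allowed": 0, "severity_levels": ["critical"],
         "vulnerability_states": ["newly_detected"]}]}]}

# Constructed findings: (release, scanner, severity, state)
FINDINGS = [
    ("1.0", "sast", "critical", "newly_detected"),
    ("1.0", "sast", "critical", "newly_detected"),
    ("1.0", "sast", "critical", "newly_detected"),  # third critical: over the limit of 2
    ("1.0", "sast", "high", "existing"),            # not newly detected: not counted
    ("1.0", "dast", "critical", "newly_detected"),  # DAST allows 0 critical
]

def _matches(rule, release, finding):
    """True if the finding belongs to this release and falls under the rule."""
    rel, scanner, severity, state = finding
    return (rel == release
            and ("*" in rule["releases"] or release in rule["releases"])
            and scanner in rule["scanners"]
            and severity in rule["severity_levels"]
            and state in rule["vulnerability_states"])

def evaluate(policy, findings, release):
    """Return (policy name, rule index, count, allowed) for every violated rule."""
    violations = []
    for pol in policy["scan_result_policy"]:
        if not pol.get("enabled", True):
            continue
        for i, rule in enumerate(pol["rules"]):
            if rule["type"] != "scan_finding":
                continue
            count = sum(1 for f in findings if _matches(rule, release, f))
            if count > rule["vulnerabilities_allowed"]:
                violations.append((pol["name"], i, count, rule["vulnerabilities_allowed"]))
    return violations

def pipeline_passes(policy, findings, release):
    """The pipeline passes only when no enabled rule is violated."""
    return not evaluate(policy, findings, release)
```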

rsenden commented 4 months ago

Although taking a slightly different approach, support for checking security policies is now available through the fcli action framework.