Policy Configuration
The Policy Configuration page lets users with appropriate user roles adjust analysis configuration settings used to refine scanning results and suppress both global and individual results. These settings can be configured at the organization level or at the group level.
All policies you can edit are listed in the Organization policy configuration and Group policy configuration tables containing the following fields:
- Category - indicates the categories the policies belong to
- ID - indicates the policy ID
- Description - indicates the issue covered by a specific policy
- Enabled - indicates whether the policy in question is enabled or not. When enabled, it influences the final CI/CD status and overall deployment risk of analyzed files. When disabled, the policy will not be used during analysis
- CI/CD Status - indicates the overall CI status (pass or fail). When set to Fail, a policy can influence the build process by reporting the CI fail status on policy violations. Based on the CI status in the report, you can configure your CI/CD pipeline to stop the build process and prevent code merge or a software release. When set to Pass, a policy does not report the CI fail status even when policy violations exist
- Actions - a menu from which you can edit policies. In the policy configuration dialog, you can enable and disable a policy, make a policy stop the build process depending on the CI/CD status, and explain why the policy configuration was changed to maintain an audit trail. For previously modified policies, this menu contains the option to revert changes
By using a search bar above the Organization policy configuration or Group policy configuration tables, you can search for policies by their names or IDs without having to go through all the results in the table. The search bar includes a dropdown that ensures all policies are readily available.
You can filter the data in the table to:
- Show edited only - shows only those policies that have been edited
- Show customized levels only - applies only when SAFE Levels are enabled, and shows policies that were edited to be less strict than the level currently enabled for your organization or group.
Clicking the pin icon next to the search bar lets you retain the selected filters even when alternating between your groups. These filters can be removed by clicking Clear All Filters next to the filter toggle switches.
Edit policy configuration
Organization-level configuration
If you have the appropriate role, you can configure policies for your organization by clicking on the Policy Configuration page in the sidebar.
From there, you can edit each policy in the Organization policy configuration table to suit your organization's needs, and configure SAFE Levels for the whole organization.
When SAFE Levels are enabled for the organization, they cannot be disabled for specific groups. However, you can still override the configuration for individual policies on the group level.
Group-level configuration
If you have the appropriate role, clicking a group name in the sidebar leads you to a page where you can configure SAFE Levels and policies for your group.
From there, you can edit each policy in the Group policy configuration table to suit your group's needs.
By default, groups directly inherit the policy rules of the organization they belong to. When you edit policies for your group, that overrides the organization-level configuration.
SAFE Levels configuration
Instead of manually tweaking each policy, you can use SAFE Levels, each of which has pre-configured settings for policies.
By default, SAFE Levels are enabled and set to level 5 on the Portal. You can change this by either disabling them completely (Don't use levels) or choosing one of the five levels.
By default, all groups inherit the SAFE Levels configuration from the organization. When levels are enabled for the organization, they cannot be disabled for specific groups, but you can change the level for each individual group.
Switching between SAFE Levels or disabling them affects the software package analysis results both on File Stream and Projects pages. When you've changed or disabled SAFE Levels settings, you need to reanalyze your packages for new changes to take effect and your analysis reports to be up to date.
If SAFE Levels are enabled and you modify a policy to make its settings less strict at the current level (for example, you change its CI status from FAIL to PASS), the Portal indicates that you are using Custom Levels.
This is visible on the Policy Configuration page for the organization/group, and in CI status indicators across the Portal interface.
Using Custom Level settings for one group does not affect the settings of any other groups.
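The Enabled and CI/CD Status fields described in the table above, the organization-to-group inheritance, and the Custom Levels indicator combine into a small set of rules. The following Python script is an added illustration of those rules and is not the Spectra Assure Portal's own code: the policy IDs, the table contents and the violated-policy list are constructed, and the SAFE Level baseline is assumed to be the organization's unedited configuration.

```python
"""Constructed model of how Enabled / CI-CD Status / group overrides combine.
Not the Spectra Assure Portal's own code; policy IDs and data are made up."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PolicyConfig:
    policy_id: str
    enabled: bool     # disabled policies are not used during analysis
    ci_status: str    # "FAIL" reports a CI fail on violation; "PASS" never does


# Constructed organization table; here the organization keeps the selected
# SAFE Level's defaults unedited, so it doubles as the level baseline.
ORG_CONFIG: Dict[str, PolicyConfig] = {
    "POL-A": PolicyConfig("POL-A", enabled=True, ci_status="FAIL"),
    "POL-B": PolicyConfig("POL-B", enabled=True, ci_status="FAIL"),
    "POL-C": PolicyConfig("POL-C", enabled=False, ci_status="FAIL"),
}

# Constructed group edit: the group relaxed POL-B from FAIL to PASS.
GROUP_OVERRIDES: Dict[str, PolicyConfig] = {
    "POL-B": PolicyConfig("POL-B", enabled=True, ci_status="PASS"),
}


def effective_config(org: Dict[str, PolicyConfig],
                     group_overrides: Dict[str, PolicyConfig]) -> Dict[str, PolicyConfig]:
    """Groups inherit the organization's rules; a policy edited in the group wins."""
    merged = dict(org)
    merged.update(group_overrides)
    return merged


def evaluate_ci_status(config: Dict[str, PolicyConfig],
                       violated_ids: Iterable[str]) -> Tuple[str, List[str]]:
    """Return ("PASS" or "FAIL", sorted ids of the policies that caused the fail)."""
    failing: List[str] = []
    for pid in violated_ids:
        policy = config.get(pid)
        if policy is None or not policy.enabled:
            continue  # unknown or disabled policies never influence the status
        if policy.ci_status == "FAIL":
            failing.append(pid)
    return ("FAIL" if failing else "PASS"), sorted(failing)


def uses_custom_level(level_baseline: Dict[str, PolicyConfig],
                      config: Dict[str, PolicyConfig]) -> bool:
    """True when any policy is less strict than the level baseline:
    switched off, or demoted from FAIL to PASS."""
    for pid, base in level_baseline.items():
        current = config.get(pid)
        if current is None or not base.enabled:
            continue
        if not current.enabled:
            return True
        if base.ci_status == "FAIL" and current.ci_status == "PASS":
            return True
    return False


def pipeline_exit_code(ci_status: str) -> int:
    """Exit code a CI job would return so a FAIL status stops the build."""
    return 1 if ci_status == "FAIL" else 0


if __name__ == "__main__":
    cfg = effective_config(ORG_CONFIG, GROUP_OVERRIDES)
    status, causes = evaluate_ci_status(cfg, ["POL-B", "POL-C"])
    print(status, causes, "custom level:", uses_custom_level(ORG_CONFIG, cfg))
```

With the constructed data, a violation of POL-B fails the build at the organization level but passes in the group that relaxed it, and that relaxation is exactly what flips the Custom Levels indicator for the group.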
Auto-approval
To allow faster access to packages and decrease the burden on package approvers, the Spectra Assure Portal supports the option to automatically approve packages that pass the currently configured SAFE Level. For software producers, the recommended default level is L3, while for consumers the recommended default level is L1. With the auto-approval option, producers and consumers can allow the use of packages with lower priority issues all in one go.
The option to enable automatic approval is disabled by default. It becomes available on the Policy Configuration page for each group only when SAFE Levels are configured.
In other words, auto-approval cannot be enabled for the whole organization - only for individual groups. When SAFE Levels are disabled, the auto-approval option is unavailable.
To enable auto-approval in the Portal:
1. Access the Settings > Policy Configuration page and select the group for which you want to enable auto-approval in the sidebar on the left.
2. On the configuration page for the group, make sure that one of the SAFE Levels is selected. You can keep the default SAFE Levels or modify any of the policies to use Custom Levels.
3. Under the SAFE Level cards, select the switch to enable automatic approval.
4. Select Save to apply your changes to the group policy configuration.
After saving the changes, all packages uploaded to the group that pass the currently configured SAFE Level will automatically get the Approved status. This includes software packages in the File Stream and in Projects, regardless of the upload method (manually or via the Portal API).
The approval status icon indicates that the packages were approved automatically to help visually distinguish them from manually approved packages. By default, all automatically approved packages get the same approval reason and show that the package has been approved by Spectra Assure when hovering over the approval status icon.
Portal users with the appropriate role can manually revoke approval for automatically approved packages at any point.
When using auto-approval, keep in mind the following conditions:
- If a package is uploaded to Projects as the next version of an existing package and its diff scan fails, the newly uploaded package cannot be automatically approved.
- If a package is uploaded to Projects with a reproducible build artifact and its repro scan fails, the newly uploaded package will be automatically approved as the main artifact.
- Auto-approval does not apply to packages that already exist on the Portal, even if they are reanalyzed.
- If a package is automatically approved and later reanalyzed, it will keep its Approved status even if it now fails the configured level for any reason. Auto-approval applies only on the first analysis of a package.
- Modifying policies in a group does not affect the approval status of packages that have already been automatically approved.
To stop using automatic approval, select the switch to disable it on the group policy configuration page and save your changes.
After saving the changes, all software packages that were previously approved automatically will keep their Approved status, even if you reanalyze them. Packages cannot get automatically rejected or revoked. If needed, you can manually revoke their status.
When you disable auto-approval, newly uploaded packages will no longer get the automatically approved status even if they pass the currently configured level.
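The auto-approval conditions listed above, together with the behaviour when auto-approval is switched off, form a small lifecycle: approval can only be granted on a package's first analysis, and once granted it is never removed automatically. The following Python script is an added illustration of that lifecycle and is not the Spectra Assure Portal's own code; the package record, its fields and the sequence of uploads are constructed for the example.

```python
"""Constructed model of the auto-approval conditions for a group.
Not the Spectra Assure Portal's own code; package records are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PackageRecord:
    name: str
    analyses: int = 0                  # how many times the Portal has analyzed it
    approved: bool = False
    approval_reason: Optional[str] = None
    auto_approved: bool = False        # drives the distinct approval status icon


def on_analysis(pkg: PackageRecord, *, auto_approval_enabled: bool,
                passes_level: bool, diff_scan_failed: bool = False,
                repro_scan_failed: bool = False) -> PackageRecord:
    """Apply one analysis run to the record and return it.

    Only the first analysis can grant auto-approval; later runs never change
    an existing Approved status, whatever their result.
    """
    first_analysis = pkg.analyses == 0
    pkg.analyses += 1
    if not first_analysis:
        return pkg  # existing packages keep their status even if they now fail
    # A failed diff scan blocks auto-approval; a failed repro scan does not
    # (the package is still approved as the main artifact).
    _ = repro_scan_failed
    if auto_approval_enabled and passes_level and not diff_scan_failed:
        pkg.approved = True
        pkg.auto_approved = True
        pkg.approval_reason = "approved by Spectra Assure"  # constructed wording
    return pkg


def revoke_approval(pkg: PackageRecord) -> PackageRecord:
    """Manual revocation by a user with the appropriate role; the only way
    an automatically approved package loses its status."""
    pkg.approved = False
    pkg.auto_approved = False
    pkg.approval_reason = None
    return pkg


def demo_lifecycle() -> PackageRecord:
    """Constructed sequence: first upload passes, later reanalysis fails."""
    pkg = PackageRecord("example-app-1.0.0.tgz")
    on_analysis(pkg, auto_approval_enabled=True, passes_level=True)
    on_analysis(pkg, auto_approval_enabled=True, passes_level=False)
    on_analysis(pkg, auto_approval_enabled=False, passes_level=True)
    return pkg


if __name__ == "__main__":
    print(demo_lifecycle())
```

Running the demo shows the package still approved after a failing reanalysis and after auto-approval was turned off, which matches the documented rule that packages are never rejected or revoked automatically.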