ShiftLeft - Policy Options

Compatible Integrations

  • Before creating a Policy, you must have set up one of the following:
  • Note that your ShiftLeft Scenario will only appear in your Policy options if you have selected a Target of one of the Integration types described above.

Create Policy

Suggested reading: Create a Policy

  1. Navigate to znOPS > Policies .
  2. Click on the +Add Policy button on the bottom right of the screen.

Policy Set Up

  • Enter the Name and Description (see our Policy Name Recommendations)
  • Select previously created Integration and Target.
  • Select “ShiftLeft” Scenario that was previously activated (see ShiftLeft - Activate Scenario).
  • Depending on your use case, follow either the steps for Orchestrated Scans or Data Loads.

Policy Options

Suggested reading: ZN’s Supported Execution Modes, ShiftLeft - ZN’s Supported Execution Modes & Supported Versions of Tool

Orchestrated Scans

In general, the “Orchestrated Scans” option will result in ZeroNorth creating a configured item in the security tool instance, running the scan, and then extracting the results from the security tool.

  • By default, the “Policy Type” in the “Scenario” section of the Policy set up is set to “Orchestrated Scan”. If it is not, select “Orchestrated Scan” for “Policy Type” in the “Scenario” section.
  • Set Scan Language to match the dominant language of the application project.
  • Select Application Lookup Strategy as follows:
    • Enter project name manually - specify the application name to use within ShiftLeft.
    • Discover Existing Projects - pick one of your existing ShiftLeft applications (click Discover App Names to refresh this list).
    • Use ZeroNorth default - ZeroNorth will synthesize a unique application name to use in ShiftLeft.

The orchestrated scan Policy is ready for use. If it is an Artifact scan, trigger it from the pipeline: via the ZeroNorth Integration Container or the ZeroNorth CLI for scans orchestrated from the ZeroNorth SaaS platform, or via the Integration Container for on-prem Artifact scans. Repository scans can be triggered from the ZeroNorth UI, or with the ZeroNorth Integration Orchestrator for on-prem scans.

Data Loads

In general, the “Data Load” option will result in ZeroNorth pulling a specific set of point-in-time scan results from a security tool instance. ZeroNorth therefore needs an identifier for that set of point-in-time scan results, which is what the Application Lookup Strategy below provides.

  • Set Policy Type to “Data Load”.
  • Select Application Lookup Strategy as follows:
    • Enter project name manually - specify the application name to use within ShiftLeft.
    • Discover Existing Projects - pick one of your existing ShiftLeft applications (click Discover App Names to refresh this list).

The data load Policy is ready for use. It can be triggered in one of the following ways:

  • Via the UI - znOPS > Policies > Run Now
  • Via a Webhook
  • Via the ZeroNorth API (use the endpoint [POST] /v1/policies/{id}/run )
  • Via a Policy schedule
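The API trigger above, as an added example (this is not ZeroNorth's own client code). It builds and sends the `[POST] /v1/policies/{id}/run` request with the Python standard library only. Everything beyond the endpoint path is an assumption for illustration: the base URL `https://api.zeronorth.io`, the token being sent as a `Bearer` value in the `Authorization` header, and the token being read from a `ZN_API_TOKEN` environment variable rather than hardcoded. The `opener` argument lets the same function run against a canned response offline, which is how the demo at the bottom exercises it.

```python
"""Trigger a ZeroNorth Data Load Policy run via POST /v1/policies/{id}/run.

Added example, not ZeroNorth's client code. Assumptions (not from the page):
  - API base URL https://api.zeronorth.io (override with base_url)
  - token sent as "Authorization: Bearer <token>"
  - token read from the ZN_API_TOKEN environment variable if not passed in
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_BASE = "https://api.zeronorth.io"  # assumed base URL


def build_run_request(policy_id, token, base_url=DEFAULT_BASE):
    """Build (but do not send) the POST request for a Policy run.

    The policy id is URL-encoded and must be a single path segment so a
    crafted id cannot rewrite the request path.
    """
    if not policy_id or "/" in policy_id:
        raise ValueError("policy_id must be a single, non-empty path segment")
    path = "/v1/policies/" + urllib.parse.quote(policy_id, safe="") + "/run"
    req = urllib.request.Request(base_url.rstrip("/") + path, data=b"", method="POST")
    req.add_header("Authorization", "Bearer " + token)  # assumed header scheme
    req.add_header("Accept", "application/json")
    return req


def run_policy(policy_id, token=None, base_url=DEFAULT_BASE, opener=None, timeout=30):
    """Send the run request and return (http_status, decoded_body).

    `opener` is any callable with the signature opener(request, timeout=...)
    returning a response context manager; it defaults to urllib's opener,
    which verifies the server's TLS certificate. The token is never logged
    or returned.
    """
    token = token or os.environ.get("ZN_API_TOKEN")
    if not token:
        raise RuntimeError("no API token supplied and ZN_API_TOKEN is not set")
    req = build_run_request(policy_id, token, base_url)
    open_fn = opener or urllib.request.build_opener().open
    try:
        with open_fn(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        status, body = err.code, err.read()
    try:
        decoded = json.loads(body) if body else None
    except json.JSONDecodeError:
        decoded = body.decode("utf-8", "replace")
    return status, decoded


class CannedResponse:
    """Offline stand-in for an HTTP response (constructed for the demo)."""

    def __init__(self, status, body):
        self.status, self._body = status, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def canned_opener(status, body):
    """Return an opener that answers every request with one fixed response."""
    def _open(request, timeout=None):
        return CannedResponse(status, body)
    return _open


if __name__ == "__main__":
    # Offline demo with a constructed response; replace opener=None to go live.
    demo = canned_opener(200, b'{"jobId": "job-0001"}')
    print(run_policy("policy-id-here", token="example-token", opener=demo))
```

To run it against the real service, drop the `opener` argument, export `ZN_API_TOKEN`, and pass the Policy id from znOPS > Policies; the returned status and body are all that should ever reach logs.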