Custom Policies

The Deepbits regulation feature helps your organization enforce regulatory compliance on the software it builds.
We currently support creating policies and checking for license issues in your Docker images or on-premises files.

Policy

A policy consists of a name, a condition, and a violation result. Suppose your organization is building a web CMS for commercial use; then a few licenses, such as the GNU Lesser General Public License v2.1 or later, should be considered high risk to use. These licenses require you to release any code you make under the same copyleft license terms in order to distribute and modify the code.

How to use

Create a policy

You can use the "add new policy" button on the Policies - Policy Rule page.
A new policy requires:

  • Name - A helpful name that indicates what the policy is for.
  • Cypher query - A query in Neo4j's Cypher query language that describes the violations or conditions you'd like to check.
  • Result condition - Determines whether a non-empty result set from the Cypher query above should trigger the policy.
  • Violation - The level of violation to report when the policy matches its condition. Different violation levels indicate how much attention a match deserves.

Example: you want none of your resources to contain a package under the MIT license.
The Cypher query should be:

  MATCH (n:Package) WHERE "MIT" in n.licenses RETURN n LIMIT 20
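The query above checks for a single license string. The following is an added example, not part of the Deepbits documentation, that extends it to the copyleft scenario described under "Policy": it flags every package carrying any license from a list of identifiers. Only the Package label and the licenses list property come from this page; the name and version properties, and the license identifier spellings in the list, are constructed assumptions and must be adjusted to match what your license detail pages actually show.

```cypher
// Added example (not from the Deepbits documentation).
// Assumption: Package nodes carry a `licenses` list (from the page) plus
// `name` and `version` properties (assumed, adjust to your schema).
// The identifier strings below are constructed; use the exact spellings
// that appear on the license detail pages of your deployment.
WITH ["LGPL-2.1-or-later", "LGPL-2.1-only", "GPL-2.0-or-later", "GPL-3.0-only"] AS highRisk
MATCH (n:Package)
// any(...) is true if at least one entry of n.licenses is in the list
WHERE any(l IN n.licenses WHERE l IN highRisk)
// Return the offending package together with the licenses that matched,
// so the policy result explains why the package was flagged
RETURN n.name AS package,
       n.version AS version,
       [l IN n.licenses WHERE l IN highRisk] AS matchedLicenses
ORDER BY package
```

Pair this query with a result condition that triggers on non-empty results and a high violation level. Because the policy fires on whether the result set is non-empty, a trailing LIMIT (as in the MIT example) does not change whether the policy triggers; it only caps how many offending packages are listed, so leave it off if you want the full list in the evaluation result.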

Choose which resource to enforce on

By default, a newly created policy does not apply to any resource. You need to specify which resources this policy applies to.

Policy evaluation result

A policy is evaluated when:

  • The policy is changed - we execute the policy as soon as you modify its content.
  • Your resource receives a new scan result.

License

You can check all the licenses and license groups we can detect. Each license has a detail page with a fuller description.