Enforcement

Overview

Bridgecrew’s Enforcement capability enables you to configure the parameters for failing your code reviews, i.e. the types of findings that will cause a failure according to their severity.
With Enforcement, you can manage your enforcement strategy across your code reviews before any repositories are integrated or scanned. Generally, Bridgecrew scans five code categories:

  • Vulnerabilities - Vulnerabilities found in open source packages
  • Infrastructure as Code (IaC) - Misconfiguration issues found in IaC files (relevant for users who provision and manage their infrastructure via code)
  • Secrets - Secret leaks across code files that might expose access to information, services or assets
  • Licenses - License compliance issues found in open source packages and container images
  • Build Integrity - Misconfigurations in pipelines and VCS platforms integrated with Bridgecrew, found in branch and CI/CD pipeline configuration files

For each code category scanned by Bridgecrew, users can configure "rules" for three types of findings (scan results):

  • Hard Fail - the system will fail the scan when an issue (a violation or vulnerability) is found
  • Soft Fail - the system will notify the user about the issues found, but it will not fail the scan
  • Comments Bot activity - the user will receive comments on their pull requests and fix suggestions from Bridgecrew’s bot

Each finding type is configured with one of the following severity thresholds: Low, Medium, High, Critical or Off. Off means the scan will not fail in any case, nor will the user be notified about any issues.

Example: the user has defined a Hard Fail for all Vulnerability issues in High and above severity, and a Critical vulnerability has been found in a repository from that code category. In this case, the scan will fail (in VCS and CI/CD).

The rule configuration described above allows you to reduce unnecessary noise in your code reviews and focus on the most critical issues.
Bridgecrew enables you to configure two types of Enforcement rules:

  • Main rules apply to all repositories by default.
  • Exception rules apply only to selected repositories. These repositories are visible only to users who have access to them.

Access and Limitations

  • All users can view the main rules. However, only an Admin or Owner can edit the enforcement settings of main rules or add exception rules.
  • An Owner can view, edit or delete only the exception rules applying to repositories they have access to.
  • An Admin can view and edit all main rules, and delete all exception rules.


Important

Main rules cannot be deleted. Users can only edit the pre-configured behavior of a main rule, or add an exception.

Viewing and Configuring Main Rules

Main rules apply to all repositories by default. They are displayed under Enforcement Settings.

Default Settings For Main Rules

By default, Bridgecrew has pre-configured best practice settings for each main rule and for each finding type. Unless you change those settings, the main rules will be configured as follows:

Vulnerabilities
Hard Fail - Critical
Soft Fail - Low
Comments Bot - Low

Licenses
Hard Fail - Critical
Soft Fail - Low
Comments Bot - Low

Secrets
Hard Fail - Low
Soft Fail - Low
Comments Bot - Low

IaC
Hard Fail - Low
Soft Fail - Low
Comments Bot - Low

Build Integrity
Hard Fail - Low
Soft Fail - Low
Comments Bot - Low


Note

If the user already had an existing rule in the old repo settings, it will be migrated as the default main rule.

Viewing the Enforcement Settings

To view your Enforcement default settings:

  1. From your Bridgecrew dashboard, go to Development Pipeline (the <|> icon).
  2. Select the Code Reviews tab.
  3. From the top right, click Enforcement.

The Enforcement wizard will open, displaying the Enforcement default settings for each code category in color-coded bars.

Example: in the image below, the Enforcement settings for the Vulnerabilities category are as follows:

  • Hard Fail for Critical Issues (red)
  • Soft Fail for High and Critical Issues (pink)
  • Comments Bot for High and Critical Issues (purple)

Analyzing Failed Issues

The results table displays the status of each of your latest code reviews and, for each scan, the number of failed issues broken down by severity threshold.

To view and analyze the failed issues found in a specific scan, under Scan failed issues, click the relevant scan. You will see a visual breakdown of all the severity thresholds found in this scan.


Editing a Main Rule

To edit a main rule:

  1. Open the Enforcement tab.
  2. In the relevant code category, define the scope upon which you want to apply this rule by selecting the severity threshold you want to configure for each finding type.

Example: in the top image below, in the Vulnerabilities code category, a Hard Fail is defined for Critical issues (vulnerabilities) only. If you want your scan to result in Hard Fail for a lower severity threshold, e.g. Medium, move the relevant selection bar (red) to Medium. Now, as seen in the bottom image, Hard Fail is set for issues with a severity threshold of Medium and above.

Hovering over a selected bar displays text describing the relevant rule.


Rule before editing


Rule after editing


Notes

  1. In the above example, you can see that the Soft Fail selection bar (pink) was also updated, so scans with Medium or High issues now also result in Soft Fail. This is because Hard Fail entails Soft Fail: a Hard Fail on a given severity threshold necessarily entails a Soft Fail on that threshold and all higher thresholds. That is, if you configure a Hard Fail for issues with a Medium severity threshold and above, scans with such issues will result in Soft Fail as well as Hard Fail. The converse does not hold: Soft Fail does not entail Hard Fail. Thus, if you configure a Soft Fail for issues with a Medium severity threshold and above, scans with such issues will not necessarily result in Hard Fail.
  2. Because of this one-way entailment, you cannot configure a Soft Fail for severity thresholds higher than those configured for Hard Fail. For example, if you configure a Hard Fail for issues with a Medium severity threshold and above, you cannot configure a Soft Fail for only High or Critical issues.
  3. The behavior of the Comments Bot does not depend on the finding type (Hard Fail / Soft Fail). It can be configured independently or turned off.

If you do not want to receive a certain finding type (Hard Fail / Soft Fail / Comments Bot) at all, set it to Off.

Example: in the image below, Hard Fail is turned off for the Vulnerabilities code category, i.e. no Vulnerabilities will result in Hard Fail.

  3. Select SAVE.


Reminder

Main rules cannot be deleted!
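The rule semantics described in this section and in the Overview can be written down as a small model. The following Python is an added example, not Bridgecrew's own code: it encodes the severity thresholds with Off, the one-way Hard Fail to Soft Fail entailment from the Notes above, the independently configured Comments Bot, the pre-configured main rules, and exception rules overriding the main rule for the repositories they list. The `Rule`, `evaluate` and `rule_for` names, the repository names and the finding tuples are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
# Severity thresholds in increasing order; None stands for the "Off" setting.
Severity = IntEnum("Severity", "LOW MEDIUM HIGH CRITICAL")

@dataclass
class Rule:
    hard_fail: "Severity | None"     # None means Off
    soft_fail: "Severity | None"
    comments_bot: "Severity | None"
    repos: frozenset = frozenset()  # empty for a main rule; selected repos for an exception

    def __post_init__(self):
        # Hard Fail entails Soft Fail: the Soft Fail bar may not sit above the Hard Fail bar,
        # so it is widened to the Hard Fail threshold, as the UI does when the red bar is moved.
        if self.hard_fail is not None and (self.soft_fail is None or self.soft_fail > self.hard_fail):
            self.soft_fail = self.hard_fail

# Pre-configured main rules, as listed under "Default Settings For Main Rules".
DEFAULT_MAIN_RULES = {
    "Vulnerabilities": Rule(Severity.CRITICAL, Severity.LOW, Severity.LOW),
    "Licenses": Rule(Severity.CRITICAL, Severity.LOW, Severity.LOW),
    "Secrets": Rule(Severity.LOW, Severity.LOW, Severity.LOW),
    "IaC": Rule(Severity.LOW, Severity.LOW, Severity.LOW),
    "Build Integrity": Rule(Severity.LOW, Severity.LOW, Severity.LOW),
}

def hits(threshold, severity):
    """A threshold matches findings at that severity and above; Off matches nothing."""
    return threshold is not None and severity >= threshold

def rule_for(repo, category, main, exceptions):
    """An exception rule that lists the repository overrides the main rule for its category."""
    for exc in exceptions.get(category, []):
        if repo in exc.repos:
            return exc
    return main[category]

def evaluate(repo, findings, main=DEFAULT_MAIN_RULES, exceptions=None):
    """findings: (category, severity) pairs from one scan. Returns the scan verdict."""
    exceptions = exceptions or {}
    hard = soft = False
    comments = 0
    for category, severity in findings:
        rule = rule_for(repo, category, main, exceptions)
        hard = hard or hits(rule.hard_fail, severity)
        soft = soft or hits(rule.soft_fail, severity)
        comments += hits(rule.comments_bot, severity)  # one bot comment per matching finding
    return {"hard_fail": hard, "soft_fail": soft, "comments": comments}
```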

Viewing and Configuring Exception Rules

Exception settings apply only to selected repositories, which are visible only to users who have access to them. Exception rules can be created for each code category.

Creating a New Exception Rule

To create a new exception rule:

  1. In the Enforcement wizard, select ADD EXCEPTION.
  2. Under Description, enter a description for your exception rule.
  3. Under Repositories, select the relevant repositories from the drop-down menu.
  4. Select the severity threshold you want to configure for each finding type. Note that by default, all finding types are Off.
  5. Select SAVE.
    You will be redirected to the previous screen, where you can see all the exception rules, detailed below.

Editing an Exception Rule

To edit an existing exception rule:

  1. In the Enforcement wizard, hover over the relevant exception rule and click Edit.
  2. Select the severity threshold you want to configure for each finding type.
  3. Select SAVE.

Deleting an Exception Rule

To delete an existing exception rule:

  1. In the Enforcement wizard, hover over the relevant exception rule and click Edit.
  2. Select Delete this exception.

You will be redirected to the previous screen, where this exception rule will no longer be displayed.