Open Source Security Policies

Open Source Security policies identify vulnerabilities and risks in the open-source and third-party components that your applications depend on. Addressing these issues early in the CI/CD process helps prevent supply-chain attacks, data exposure, and system compromise.

This article describes the policies in this category, their configuration options, and the impact of policy violations. For an overview of policies and policy management, see the Policies article.

View and manage Open Source Security policies

Open each policy to view the business impact and optional settings.

Vulnerable dependency (CVE) in code

Purpose: Detects known vulnerabilities (CVEs) in third-party dependencies used by the application code.

Business impact: Using dependencies with known CVEs exposes applications to breaches, unauthorized access, and system failures. OSS/SCA scanning identifies these vulnerabilities early and reduces supply-chain risk. Incidents such as Log4Shell show how a single vulnerable library can impact many applications.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Vulnerable base image (CVE) in Dockerfile

Purpose: Detects known vulnerabilities (CVEs) in base images referenced in Dockerfiles.

Business impact: Scanning Dockerfiles for vulnerable base images identifies security flaws at the source, before they appear in the final container image. This helps remediate issues at the foundational level and prevents weaknesses from spreading across all containers built from the same image. Addressing base-image CVEs early reduces the risk of unauthorized access, data breaches, and other security incidents.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |
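The following Python script is an added example, not part of this documentation or of the product's own scanner. It illustrates how the two policies above behave in practice: it extracts pinned packages from a constructed requirements.txt and base images from a constructed Dockerfile (including multi-stage builds), matches them against a constructed advisory list whose ids are placeholders rather than real CVE numbers, and then applies the two settings shown in the tables: the severity filter and the business-priority adjustment. The PRIORITY_SHIFT table is an assumed model of how application priority could adjust severity; the page does not specify the actual formula.

```python
"""Toy SCA policy check (added example; advisory ids are placeholders)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Advisory:
    ecosystem: str        # "pypi" or "docker" (constructed)
    component: str        # package name or image repository
    introduced: str       # first affected version, inclusive
    fixed: Optional[str]  # first fixed version, exclusive; None means no fix yet
    severity: str
    advisory_id: str      # placeholder, not a real CVE number


# Constructed advisory feed standing in for a real vulnerability database.
ADVISORIES = [
    Advisory("pypi", "examplelib", "2.0.0", "2.14.1", "Critical", "CVE-PLACEHOLDER-0001"),
    Advisory("pypi", "otherlib", "1.0.0", None, "Low", "CVE-PLACEHOLDER-0002"),
    Advisory("docker", "example/base", "3.16", "3.18", "High", "CVE-PLACEHOLDER-0003"),
]

# Assumed model: application business priority shifts severity by one step.
PRIORITY_SHIFT = {"Critical": 1, "High": 0, "Medium": -1, "Low": -1}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.14.1' into (2, 14, 1); return None for tags like 'latest'."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed); unparseable versions never match."""
    v, lo = parse_version(version), parse_version(adv.introduced)
    hi = parse_version(adv.fixed) if adv.fixed else None
    if v is None or lo is None:
        return False
    return v >= lo and (hi is None or v < hi)


REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)")


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (ecosystem, name, version) for every exactly pinned line; skip the rest."""
    found = []
    for line in text.splitlines():
        m = REQ_LINE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            found.append(("pypi", m.group(1).lower(), m.group(2)))
    return found


FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def parse_dockerfile(text: str) -> List[Tuple[str, str, str]]:
    """Return (ecosystem, image, tag) for every external base image in a Dockerfile."""
    found, stages = [], set()
    for line in text.splitlines():
        m = FROM_LINE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if ref == "scratch" or ref.lower() in stages:
            continue  # empty image or a reference to an earlier build stage
        ref = ref.split("@", 1)[0]  # ignore a digest pin for this toy check
        image, _, tag = ref.rpartition(":")
        if not image or "/" in tag:  # no tag, or the ':' belonged to a registry port
            image, tag = ref, "latest"
        found.append(("docker", image, tag))
    return found


def adjust_severity(base: str, app_priority: str, ignore_priority: bool) -> str:
    """Apply the assumed priority shift unless the checkbox disables it."""
    if ignore_priority:
        return base
    idx = SEVERITIES.index(base) + PRIORITY_SHIFT.get(app_priority, 0)
    return SEVERITIES[max(0, min(idx, len(SEVERITIES) - 1))]


def evaluate(components, app_priority="High", min_severity="Info", ignore_priority=False):
    """Match components to advisories, adjust severity, then apply the severity filter."""
    floor = SEVERITIES.index(min_severity)
    findings = []
    for eco, name, version in components:
        for adv in ADVISORIES:
            if adv.ecosystem == eco and adv.component == name and is_affected(version, adv):
                sev = adjust_severity(adv.severity, app_priority, ignore_priority)
                if SEVERITIES.index(sev) >= floor:
                    findings.append((eco, name, version, adv.advisory_id, sev))
    return findings


REQUIREMENTS = """\
# constructed requirements.txt
examplelib==2.3.1
otherlib==1.4.0
safelib==0.9.0      # no advisory
examplelib>=1.0     # not exactly pinned, skipped
"""

DOCKERFILE = """\
# constructed Dockerfile
FROM --platform=linux/amd64 golang:1.22 AS build
FROM example/base:3.17
COPY --from=build /app /app
"""


def scan(app_priority="High", min_severity="Info", ignore_priority=False):
    """Run both policies over the constructed inputs."""
    components = parse_requirements(REQUIREMENTS) + parse_dockerfile(DOCKERFILE)
    return evaluate(components, app_priority, min_severity, ignore_priority)


if __name__ == "__main__":
    for finding in scan(app_priority="Medium"):
        print(finding)
```

With the defaults (all severities shown, priority adjustment on) the scan reports all three matches; lowering the application priority to Medium shifts every finding down one step, and raising the filter to High then hides the base-image finding unless the "Ignore Application Business Priority" checkbox is set.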

To view the active issues raised by these policies:

  1. Open the Active Issues page.

  2. Use the Category filter and select the policy category to view related active issues.

  3. Use the Policy filter to narrow the list to a specific policy.

  4. Apply the Category and Policy filters separately or together, depending on how specific you want the results to be.

  5. Use the search box to refine results, such as filtering by file name, keyword, or rule identifier.

You can also view affected dependencies on the SBOM page or in an application’s Issues tab.

When you change a policy’s severity, ON/OFF toggle, or any other setting, you must save the current profile or create a new one.

  • To save the current profile, click SAVE in the page header.

  • To create a new profile, click SAVE AS in the page header. For instructions, see the section Create or edit policy profiles in the Policies article.
