CI Integration Policy

Before we jump into how to build the policy, let's review the main use-cases that are currently available:

  • View a scan report - each PR/commit scan creates a new event on the relevant asset with a link to the scan report. The event appears in the Events tab of that asset

  • Be notified of critical findings - the policy includes an Email/Slack action that sends a notification when findings match a predefined filter (such as critical findings on a class A asset)

Policy steps

The CI integration policy is composed of a few steps. The trigger step and at least one action step are mandatory; the other steps are optional.

A common CI integration policy will include the following steps:

  1. Trigger - initiates the policy execution on certain PRs/commits

  2. Run Scan Action - scans the PR/commit's code with the built-in scanners

  3. Filter - selects which findings are critical and should get immediate attention

  4. Send notification action - sends an email or Slack message when critical findings have been discovered. Note that a notification is sent only for findings that are new in this scan; findings that already existed on the asset are ignored. When the Send Email action is used, the policy also notifies the committer automatically (as long as the committer has a public email address available).

Optionally, a filter step can be added right after the trigger. This is useful when the policy should proceed only for assets that match certain criteria (based on Enso's data), such as asset class, tags, etc.

The Trigger Step

The policy starts with a trigger step that defines when to trigger the policy itself. Fields to configure:

  1. Choose Source Control Manager - pick the relevant SCM from the list

  2. Personal Access Token - add a PAT with the permissions listed under Required SCM Permissions below

  3. Choose Event - select on what type of events the policy should be triggered

  4. Where - define filtering criteria based on SCM data, such as the commit message, project name, etc.

Required SCM Permissions

See the token permissions that are required per SCM to execute the CI integration policy.

Required permissions:

  • repo

  • admin:repo_hook
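The two scope names above are those of a GitHub classic personal access token. Before pasting a token into the trigger step it is worth confirming that it actually carries both scopes, and nothing more than it needs: `repo` grants read/write access to every repository the token's owner can reach, so the token should belong to a dedicated service account and be rotated like any other credential. The check below is an added example, not Enso's code or part of its product: it assumes the SCM is GitHub and relies on the documented behaviour that any authenticated REST call (here `GET /user`) returns the token's granted scopes in the `X-OAuth-Scopes` response header. The sample header values are constructed for the offline run.

```python
"""Verify that a GitHub classic PAT carries the scopes the CI integration
policy requires (repo and admin:repo_hook) and flag any extra scopes.

Added example; not Enso's code. Assumes GitHub as the SCM. GitHub returns a
classic token's granted scopes in the X-OAuth-Scopes header of authenticated
REST responses; the header is missing when the token carries no scopes.
"""
from __future__ import annotations

import os
import sys
import urllib.request

# Scopes the CI integration policy needs, per the documentation above.
REQUIRED_SCOPES: tuple[str, ...] = ("repo", "admin:repo_hook")

# Constructed sample header values for the offline run (not real tokens).
SAMPLE_HEADERS = {
    "ok":     "repo, admin:repo_hook",
    "narrow": "public_repo, write:repo_hook",           # child scopes only
    "broad":  "repo, admin:repo_hook, admin:org, delete_repo",
}


def parse_scopes(header_value: str | None) -> set[str]:
    """Split the comma-separated X-OAuth-Scopes value into a set of names.
    A missing or empty header means the token has no classic scopes."""
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def missing_scopes(header_value: str | None,
                   required: tuple[str, ...] = REQUIRED_SCOPES) -> list[str]:
    """Required scopes the token lacks, in the documented order.
    Child scopes (public_repo, write:repo_hook, ...) do not satisfy the
    parent scopes the policy asks for, so no scope hierarchy is applied."""
    granted = parse_scopes(header_value)
    return [s for s in required if s not in granted]


def excess_scopes(header_value: str | None,
                  required: tuple[str, ...] = REQUIRED_SCOPES) -> list[str]:
    """Scopes beyond the minimum; these widen the blast radius if the
    token leaks and should be removed before the token is used."""
    return sorted(parse_scopes(header_value) - set(required))


def fetch_scopes_header(token: str, api: str = "https://api.github.com") -> str | None:
    """Call GET /user with the token and return its X-OAuth-Scopes header."""
    req = urllib.request.Request(
        f"{api}/user",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "ci-policy-scope-check",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes")


def report(label: str, header_value: str | None) -> bool:
    """Print the verdict for one header value; True when the token is usable."""
    missing, extra = missing_scopes(header_value), excess_scopes(header_value)
    print(f"[{label}] X-OAuth-Scopes: {header_value!r}")
    if missing:
        print(f"  MISSING required scopes: {', '.join(missing)}")
    if extra:
        print(f"  WARNING extra scopes (least privilege): {', '.join(extra)}")
    if not missing and not extra:
        print("  OK: exactly the required scopes")
    return not missing


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # never hard-code the PAT
    if token:
        sys.exit(0 if report("live", fetch_scopes_header(token)) else 1)
    for name, value in SAMPLE_HEADERS.items():  # offline demonstration
        report(name, value)
```

Run it with `GITHUB_TOKEN` exported to check a real token (exit status 1 means the policy would fail for lack of permissions); without the variable it walks the constructed samples. The "narrow" case is the one that bites in practice: a token holding only `public_repo` and `write:repo_hook` looks plausible but does not satisfy the parent scopes the policy asks for.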
