© 2018-2024 | Open Text

Create an automation rule

Learn how to create an automation rule for your repositories.

  1. Go to Automations in the left side menu (you can also open the automations for a specific repository by clicking the Automate button in the top right corner).

  2. Click the +New button, then +New rule.

  3. Select the repository or repositories the rule should apply to.

  4. Build your if-statement:

    1. Choose criteria for the rule to trigger. For example, CVSS is at least high (7.0-8.9). Click AND or OR to add a new criterion. You can select multiple criteria connected by the operators. See below for more information.

    2. Choose an action to be executed when the condition is true. For example, fail pipeline. See below for more information.

  5. If you do not want the rule to apply to vulnerabilities that you or someone on your team has marked as unaffected, leave the pre-filled checkbox in the bottom right checked.

  6. Click Generate rule and review any warnings (if applicable). Make sure that the statement corresponds to what you were looking to achieve with your rule.

  7. Click Save.

Rule conditions

Rules can combine multiple OR and AND operators. When a rule has several criteria and operators, the following precedence rules apply:

  • AND conditions inherit previous IF or OR conditions

  • OR conditions do not inherit the previous IF or OR condition

Rule actions

You can select one of the following actions to be performed once a rule is triggered:

  • Fail pipeline - If the rule conditions are met, your pipeline fails.

  • Pipeline warning:

    • GitHub - If the rule conditions are met, your pipeline passes, the pipeline check is set to neutral, and a warning is printed.

    • GitLab, Bitbucket and Azure DevOps - If the rule conditions are met, your pipeline passes, and a warning is printed.

  • Notification by email - If the rule conditions are met, you receive an email notification.

  • Notify user groups by email - If the rule conditions are met, all users in a chosen user group receive an email notification.

  • Mark as unaffected - If the rule conditions are met, the affected vulnerabilities are marked as unaffected.

  • Flag as vulnerable - If the rule conditions are met, the affected vulnerabilities are marked as vulnerable.

  • Trigger webhook - If the rule conditions are met, a webhook is sent.

Missing CVSS score

Rules that use the CVSS score as one of their conditions might not trigger for vulnerabilities that lack a CVSS score. This does not mean the vulnerability is not severe, only that the data source did not provide a CVSS score. To account for this, you can add the statement:

OR CVSS is missing

Keep in mind that adding the OR statement does not take previous IF or AND statements into consideration.

Production dependencies

This option is currently supported for JavaScript (Yarn, NPM), NuGet, Java (Maven, Gradle), PHP (Composer), Python (requirements.txt), and Go.

You can make your policies or automations trigger only if the related dependency is used in production, which reduces the number of false positives and very low-risk triggers. To set this up, add another condition to the rules you want triggered only for non-dev dependencies.

Automation rule examples

  • Prevent new dependencies with vulnerabilities

    Imagine you have a developer branch called dev where you add new exciting features. Being security-aware, you want to fail the pipeline if a new commit introduces a new vulnerability with a severity of high or more. You also want to be notified of this incident.

  • Prevent unknown license families and GPL

    In this scenario, OpenText Core SCA fails the pipelines if there are dependencies with either an unknown license family, or if the dependencies have any of the GPL-2.0 and AGPL-3.0 licenses. OpenText Core SCA also notifies all the administrators for the company account.
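The precedence rules under Rule conditions, the Missing CVSS score caveat, and the two examples above can all be checked against a small executable model of an IF / AND / OR chain. The block below is an added example written for this page; it is not OpenText Core SCA's rule engine and does not use the product's rule syntax. The `Vulnerability` fields, the criterion helpers (`cvss_at_least`, `cvss_is_missing`, `on_branch`, `has_license`, and so on), the rule names and the sample findings are all constructed for the demonstration.

```python
# Illustrative model of how an automation rule's IF / AND / OR chain is evaluated.
# Written for this page as an example; it is NOT OpenText Core SCA's rule engine.
# The criterion helpers, Vulnerability fields, rule names and sample findings are
# all constructed for the demonstration.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Vulnerability:
    ident: str                              # constructed label, not a real CVE id
    cvss: Optional[float]                   # None models "data source lacked a CVSS score"
    is_new: bool = False                    # introduced by the scanned commit
    branch: str = "main"
    license_family: Optional[str] = None    # None models "unknown license family"
    licenses: Tuple[str, ...] = ()


Criterion = Callable[[Vulnerability], bool]


@dataclass
class Rule:
    """chain = [("IF", crit), ("AND", crit), ("OR", crit), ...].

    Precedence as the page states it: an AND criterion attaches to the group
    opened by the preceding IF or OR; an OR criterion opens a new group that
    ignores everything before it. So IF a AND b OR c means (a AND b) OR c.
    """
    chain: List[Tuple[str, Criterion]]
    actions: Tuple[str, ...]

    def evaluate(self, v: Vulnerability) -> bool:
        groups: List[List[Criterion]] = []
        for op, crit in self.chain:
            if op in ("IF", "OR"):
                groups.append([crit])          # open a new AND-group
            elif op == "AND":
                groups[-1].append(crit)        # inherit the current group
            else:
                raise ValueError(f"unknown operator {op!r}")
        return any(all(c(v) for c in group) for group in groups)

    def run(self, v: Vulnerability) -> Tuple[str, ...]:
        """Actions the rule would perform for this finding (empty if not triggered)."""
        return self.actions if self.evaluate(v) else ()


# Criteria, named after the UI wording (constructed helpers).
def cvss_at_least(threshold: float) -> Criterion:
    # A finding with no score can never satisfy a numeric comparison, which is
    # why CVSS-only rules silently skip it.
    return lambda v: v.cvss is not None and v.cvss >= threshold

def cvss_is_missing(v: Vulnerability) -> bool:
    return v.cvss is None

def is_new(v: Vulnerability) -> bool:
    return v.is_new

def on_branch(name: str) -> Criterion:
    return lambda v: v.branch == name

def license_family_unknown(v: Vulnerability) -> bool:
    return v.license_family is None

def has_license(*names: str) -> Criterion:
    return lambda v: any(lic in names for lic in v.licenses)


# Rules discussed on this page, expressed in the model.
HIGH_ONLY = Rule([("IF", cvss_at_least(7.0))], ("fail pipeline",))

HIGH_OR_MISSING = Rule(
    [("IF", cvss_at_least(7.0)), ("OR", cvss_is_missing)], ("fail pipeline",))

DEV_BRANCH_RULE = Rule(          # example 1: new high-or-worse vulnerability on "dev"
    [("IF", on_branch("dev")), ("AND", is_new), ("AND", cvss_at_least(7.0))],
    ("fail pipeline", "notify by email"))

# Same rule with "OR CVSS is missing" appended. The OR does not inherit the
# branch and new-commit conditions, so unscored findings trigger it on any branch.
DEV_BRANCH_RULE_OR_MISSING = Rule(
    DEV_BRANCH_RULE.chain + [("OR", cvss_is_missing)], DEV_BRANCH_RULE.actions)

LICENSE_RULE = Rule(             # example 2: unknown family, or GPL-2.0 / AGPL-3.0
    [("IF", license_family_unknown), ("OR", has_license("GPL-2.0", "AGPL-3.0"))],
    ("fail pipeline", "notify user group: administrators"))

# Constructed sample findings.
SCORED_DEV = Vulnerability("finding-1", cvss=8.1, is_new=True, branch="dev")
UNSCORED_MAIN = Vulnerability("finding-2", cvss=None, is_new=False, branch="main")
LOW_DEV = Vulnerability("finding-3", cvss=4.0, is_new=True, branch="dev")
UNKNOWN_LICENSE = Vulnerability("finding-4", cvss=None, license_family=None)
PERMISSIVE = Vulnerability("finding-5", cvss=None, license_family="Permissive", licenses=("MIT",))
COPYLEFT = Vulnerability("finding-6", cvss=None, license_family="Copyleft", licenses=("GPL-2.0",))


if __name__ == "__main__":
    for rule_name, rule in [("HIGH_ONLY", HIGH_ONLY), ("HIGH_OR_MISSING", HIGH_OR_MISSING),
                            ("DEV_BRANCH_RULE_OR_MISSING", DEV_BRANCH_RULE_OR_MISSING)]:
        for v in (SCORED_DEV, UNSCORED_MAIN, LOW_DEV):
            print(f"{rule_name:28} {v.ident}: {rule.run(v)}")
```

Running the module shows the two behaviours the page warns about: `HIGH_ONLY` does nothing for `finding-2` because a missing score fails the `>= 7.0` comparison, and `DEV_BRANCH_RULE_OR_MISSING` fails the pipeline for that same finding even though it is on `main` and not new, because the appended OR clause stands alone.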

Last updated 3 days ago