Create an automation rule
Learn how to create an automation rule for your repositories.
Go to Automations in the left side menu (You can also access automations for a specific repository by clicking the Automate button in the top right corner)
Click the +New button, then +New rule
Select the repository(s) you want the rule to be applied to
Build your if-statement:
Choose criteria for the rule to trigger, e.g. CVSS is at least high (7.0-8.9). Click on AND or OR to add a new criterion. You can select multiple criteria connected by the operators. See below for more information
Choose an action to be executed when the condition is true, e.g. fail pipeline. See below for more information
If you don’t want the rule to apply for vulnerabilities that have been marked as unaffected by you or someone on your team, leave the pre-filled checkbox in the bottom right checked
Click on Generate rule and review any warnings (if applicable). Make sure that the statement corresponds to what you were looking to achieve with your rule
Click on Save
Rule Conditions
Rules can incorporate multiple OR and AND operators. When working with multiple criteria and operators, the following precedents are applied:
AND conditions inherit previous IF or OR conditions
OR conditions do not inherit the previous IF or OR condition
Rule Actions
You can select one of the following actions to be performed once a rule is triggered:
Fail pipeline - if the rule conditions are met, your pipeline fails
Pipeline warning:
GitHub - if the rule conditions are met, your pipeline passes, the pipeline check is set to neutral and a warning is printed
GitLab, Bitbucket and Azure DevOps - if the rule conditions are met, your pipeline passes and a warning is printed
Notification by email - if the rule conditions are met, you receive an email notification
Notify user groups by email - if the rule conditions are met, all users in a chosen user group receive an email notification
Mark as unaffected - if the rule conditions are met, the affected vulnerabilities are marked as unaffected
Flag as vulnerable - if the rule conditions are met, the affected vulnerabilities are marked as vulnerable
Trigger webhook - if the rule conditions are met, a webhook is sent.
Missing CVSS score
Rules that use the CVSS score as one of the conditions, might not trigger for vulnerabilities that lack a CVSS score. This does not mean that the vulnerability is not severe, but that the data source lacked the CVSS score information. To account for this, you can add the statement:
OR CVSS is missing
Keep in mind that adding the OR statement does not take previous IF or AND statements into consideration.
Production Dependencies
This option is currently supported for Javascript (Yarn, NPM), Nuget, Java (Maven, Gradle), PHP (Composer), Python (requirements.txt), and Go.
You can make your policies/automations only trigger if the related dependency is used in production, to reduce the number of false positives or very low-risk triggers. To set this up, simply add another condition to the rules you want triggered only for non-dev dependencies:
Automation Rule Examples
Prevent new dependencies with vulnerabilities
Imagine you have a developer branch called dev where you add new exciting features. Being security-aware, you want to fail the pipeline if a new commit introduces a new vulnerability with a severity of high or more. You also want to be notified of this incident.
Prevent unknown license families and GPL
In this scenario, we want to fail the pipelines if we include dependencies with either an unknown license family, or if the dependencies has any of the GPL-2.0 and AGPL-3.0 licenses. We also wish to notify all the administrators for the company account.
Last updated