Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Add new rule
Automation rules can be created on a global level by admins to automate various actions based on specific conditions.
Rule details
There are three different types of rules: Vulnerability, SBOM, and Scan.
Vulnerability
This tab can be used when actions need to be triggered based on the characteristics of vulnerabilities.
Condition selection
The Condition selection can be used for cases where actions will be triggered regardless of the number of vulnerabilities that match the condition.
Count selection
The Count selection can be used when there's a need to define the minimum number of vulnerabilities that should match the condition before the action is triggered (only the CI/CD security criteria action is available for this selection). The scanner type and branch (or default branch) fields are mandatory for count rules.
When a rule is created by filling out the fields, the number of vulnerabilities that will be affected by that rule is shown at the bottom.
SBOM
This tab can be used when actions need to be triggered based on the characteristics of SBOM components.
When a rule is created by filling out the fields, the number of SBOM components that will be affected by that rule is shown at the bottom.
Scan
This tab can be used when actions need to be triggered when a scan hasn't been run on projects for longer than desired.
The same section can be used to trigger an action when a vulnerability file hasn't been imported into projects for longer than desired. Since a scanner name is a mandatory field when importing vulnerabilities into Invicti AppSec, in this case the scanner name that was used while importing the files should be selected under the Scanner section.
Actions
There are four types of actions that can be triggered by a rule:
- Issue: Creating tickets on issue managers such as Jira and ServiceNow
- Alert: Creating alerts on Slack, Teams, Email and similar channels
- CI/CD: Creating security criteria to fail builds in CI/CD pipelines
- Suppression: Creating suppression rules for Invicti AppSec to automatically suppress vulnerabilities
The Suppression action can't be combined with other actions: as soon as it is enabled, the other actions are automatically disabled, and vice versa.
Action compatibility
Each rule can be associated with certain actions as shown below:
| Rule Type | Issue | Alert | CI/CD | Suppression |
|---|---|---|---|---|
| Vulnerability - Condition | Yes | Yes | Yes | Yes |
| Vulnerability - Count | Not available | Not available | Yes | Not available |
| SBOM | Not available | Yes | Yes | Not available |
| Scan | Not available | Yes | Yes | Not available |
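As an added illustration (not Invicti AppSec code; the rule fields, type names and data shapes are assumptions), the following model encodes the action compatibility table above, the suppression exclusivity rule, the mandatory scanner type/branch fields for count rules, and the difference between a Condition rule (fires on any match) and a Count rule (fires only once the minimum number of matching vulnerabilities is reached):

```python
"""Hypothetical model of the automation-rule semantics described on this page.
Not Invicti AppSec code; names and data shapes are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Action compatibility table from the page (rule type -> allowed actions).
COMPATIBLE_ACTIONS = {
    "vulnerability-condition": {"issue", "alert", "cicd", "suppression"},
    "vulnerability-count": {"cicd"},
    "sbom": {"alert", "cicd"},
    "scan": {"alert", "cicd"},
}

@dataclass
class Rule:
    rule_type: str
    actions: set
    condition: dict = field(default_factory=dict)  # field -> required value
    min_count: int = 1              # only meaningful for vulnerability-count
    scanner_type: Optional[str] = None
    branch: Optional[str] = None

def validate(rule: Rule) -> list:
    """Return a list of validation problems (empty means the rule is valid)."""
    problems = []
    allowed = COMPATIBLE_ACTIONS.get(rule.rule_type)
    if allowed is None:
        return [f"unknown rule type {rule.rule_type!r}"]
    for action in sorted(rule.actions - allowed):
        problems.append(f"action {action!r} not available for {rule.rule_type}")
    # Suppression cannot be combined with any other action.
    if "suppression" in rule.actions and len(rule.actions) > 1:
        problems.append("suppression cannot be combined with other actions")
    # Count selection requires scanner type and branch (or default branch).
    if rule.rule_type == "vulnerability-count":
        if not rule.scanner_type or not rule.branch:
            problems.append("count rules require scanner type and branch")
        if rule.min_count < 1:
            problems.append("minimum count must be at least 1")
    return problems

def matches(vuln: dict, condition: dict) -> bool:
    """A vulnerability matches when every condition field has the required value."""
    return all(vuln.get(k) == v for k, v in condition.items())

def evaluate(rule: Rule, vulns: list) -> tuple:
    """Return (triggered, matched_count) for a vulnerability rule."""
    matched = [v for v in vulns if matches(v, rule.condition)]
    if rule.rule_type == "vulnerability-count":
        return len(matched) >= rule.min_count, len(matched)
    return len(matched) > 0, len(matched)
```

The second element of `evaluate`'s result corresponds to the "number of vulnerabilities that will be affected" shown at the bottom of the rule form.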
Apply to section
Rules can either be applied to all projects by default, or be associated with specific projects using labels or teams.
By selecting the "None" option, it's also possible to create a rule on a global level without associating it with any projects, while still making it available for teams to import into their projects under project settings.
Rules entered on the project level work alongside global rules; neither overrides the other.
Issue assignment rules
Issue assignment rules can be created to make Invicti AppSec automatically create tickets on issue managers for vulnerabilities that match the entered rule.
If there's a default issue criterion entered on a global level, and a different one entered on a project level, Invicti AppSec checks for both before deciding if any vulnerabilities need to be assigned an issue on the issue manager.
Vulnerability based rules trigger an issue assignment action at the "Notifying" stage of a scan/import. This means that existing vulnerabilities in Invicti AppSec won't be assigned an issue until the next time they're discovered by a scanner or imported manually.
It's possible to edit global issue rules imported into projects under project settings. However, those edits only affect that specific project, and the global rule remains unchanged.
Alert rules
Alerts can be created on internal communication tools for certain cases defined in Invicti AppSec.
- Vulnerability based rules trigger an alert at the "Notifying" stage of a scan/import. Rules that contain "WOE" or "Overdue" fields keep triggering every 30 minutes.
- SBOM based rules trigger an alert at the next SBOM component creation cycle.
- Scan based rules trigger an alert every day.
CI/CD security criteria
CI/CD Security Criteria can be used to fail builds in CI/CD pipelines, and projects failing their CI/CD Security Criteria can easily be tracked on global and product-level dashboards.
- Scan based rules trigger CI/CD security criteria checks every 24 hours.
- Vulnerability based rules trigger CI/CD security criteria checks every 10 minutes.
- SBOM based rules trigger CI/CD security criteria checks on every SBOM component scan.
Suppression rules
Suppression rules automatically suppress vulnerabilities matching the entered condition.
The rule becomes effective immediately and impacts existing vulnerabilities.
The rule keeps running in the "Analyzing" stage of each scan going forward to suppress vulnerabilities discovered in future scans.