Policy Editor Icon on the Navigation Bar.
The first time the policy editor is launched a default policy bundle is created for the user that includes a simple default policy, an empty global whitelist and a default policy mapping that maps all repositories to the user’s default policy.
The Policy Name field is mandatory and must contain one or more alphanumeric characters.
The Used By field is automatically populated by the system and will show the mappings that use this policy.
The Comments field is optional but recommended.
The Tools section includes four buttons:
- Edit. Expands the policy rules editor; the number on the button is the number of rules in the policy. Once expanded, the button changes to a collapse button.
- Copy. Creates a new copy of the policy with an auto-generated name.
- Export. Exports the current policy as a JSON document.
- Delete. Deletes the selected policy.
Note: A policy can only be deleted if it is not used by any policy mapping. If the policy is in use, a lock icon is displayed.
There are three ways to create a new policy:
- Press the button to create a new, empty policy.
- Copy an existing policy using the button.
- Import a policy from a JSON file using the button.
Creating a new policy automatically generates a name, e.g. New Policy 2, which should be renamed to something more descriptive.
The edit button will expand the policy to show the rules editor.
New rules can be added using the button.
Rules can be deleted using the button.
The policy rules are categorized into Gates, each of which includes multiple Triggers.
If a trigger requires Parameters, for example the Dockerfile Checks / Exposed Ports trigger, then the available parameters will be displayed in a dropdown list.
The action field specifies the action to be taken if the Gate Trigger fires, for example when a Critical CVE is encountered.
The policy action can be one of the following:
- STOP. Critical error that should stop the deployment by failing the policy evaluation.
- GO. OK to proceed.
- WARN. Issue a warning.
The order of policy rules is not significant, since every rule is evaluated even after a STOP action is encountered.
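The following script is an added example, not Anchore's own code or bundle format. It models the bundle described on this page (policies, a whitelist, and mappings that tie repositories to a policy) and the rule semantics above: a policy name must contain at least one alphanumeric character, a policy that a mapping uses cannot be deleted, every rule has a gate, trigger, optional parameters and a GO/WARN/STOP action, and evaluation never short-circuits on STOP. The field names, the glob-style repository matching, the sample bundle and the sample findings are all constructed assumptions for illustration.

```python
"""Validate and dry-run a policy bundle (added example; field names are assumptions)."""
import json
import re
from fnmatch import fnmatch

# Rule actions in increasing severity; the final result is the most severe action fired.
ACTIONS = ("GO", "WARN", "STOP")
SEVERITY = {action: rank for rank, action in enumerate(ACTIONS)}

# Constructed sample bundle, not an export from a real account.
SAMPLE_BUNDLE = json.dumps({
    "policies": [
        {"id": "pol-default", "name": "DefaultPolicy", "rules": [
            {"gate": "vulnerabilities", "trigger": "package", "params": {"severity": "critical"}, "action": "STOP"},
            {"gate": "dockerfile", "trigger": "exposed_ports", "params": {"ports": "22"}, "action": "WARN"},
            {"gate": "vulnerabilities", "trigger": "package", "params": {"severity": "low"}, "action": "GO"}]},
        {"id": "pol-new", "name": "New Policy 2", "rules": []},          # auto-generated name, unused
        {"id": "pol-bad", "name": "   ", "rules": [                     # invalid name and action
            {"gate": "dockerfile", "trigger": "exposed_ports", "params": {}, "action": "BLOCK"}]}],
    "whitelists": [
        {"id": "wl-global", "name": "GlobalWhitelist", "items": [
            {"gate": "vulnerabilities", "trigger": "package", "trigger_id": "TEST-FINDING-1+openssl"}]}],
    "mappings": [
        {"name": "internal", "repository": "internal/*", "policy_id": "pol-missing", "whitelist_ids": []},
        {"name": "all-repos", "repository": "*", "policy_id": "pol-default", "whitelist_ids": ["wl-global"]}],
})

# Constructed findings for one image, as a scanner might report them.
SAMPLE_FINDINGS = [
    {"gate": "vulnerabilities", "trigger": "package", "trigger_id": "TEST-FINDING-1+openssl", "details": {"severity": "critical"}},
    {"gate": "vulnerabilities", "trigger": "package", "trigger_id": "TEST-FINDING-2+curl", "details": {"severity": "critical"}},
    {"gate": "dockerfile", "trigger": "exposed_ports", "trigger_id": "22", "details": {"ports": "22"}},
    {"gate": "vulnerabilities", "trigger": "package", "trigger_id": "TEST-FINDING-3+zlib", "details": {"severity": "low"}},
]


def load_bundle(text):
    return json.loads(text)


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle is consistent."""
    problems = []
    policy_ids = {p["id"] for p in bundle["policies"]}
    whitelist_ids = {w["id"] for w in bundle["whitelists"]}
    for policy in bundle["policies"]:
        # Policy Name is mandatory and must contain one or more alphanumeric characters.
        if not re.search(r"[A-Za-z0-9]", policy.get("name", "")):
            problems.append(f"policy {policy['id']}: name must contain an alphanumeric character")
        for i, rule in enumerate(policy["rules"]):
            if rule.get("action") not in ACTIONS:
                problems.append(f"policy {policy['id']} rule {i}: action {rule.get('action')!r} not in {ACTIONS}")
    for mapping in bundle["mappings"]:
        if mapping["policy_id"] not in policy_ids:
            problems.append(f"mapping {mapping['name']}: unknown policy {mapping['policy_id']}")
        for wid in mapping["whitelist_ids"]:
            if wid not in whitelist_ids:
                problems.append(f"mapping {mapping['name']}: unknown whitelist {wid}")
    return problems


def used_by(bundle, policy_id):
    """The 'Used By' field: names of the mappings that reference this policy."""
    return [m["name"] for m in bundle["mappings"] if m["policy_id"] == policy_id]


def can_delete(bundle, policy_id):
    """A policy may be deleted only when no mapping uses it (otherwise the UI shows a lock)."""
    return not used_by(bundle, policy_id)


def select_mapping(bundle, repository):
    """First mapping whose repository pattern matches (glob matching is an assumption)."""
    return next((m for m in bundle["mappings"] if fnmatch(repository, m["repository"])), None)


def evaluate(bundle, repository, findings):
    """Evaluate every rule of the mapped policy; return (final_action, fired_rules).

    The loop never breaks on STOP, so the caller sees every rule that fired;
    whitelisted findings are skipped, and a rule fires only if all its params
    match the finding's details.
    """
    mapping = select_mapping(bundle, repository)
    policy = next((p for p in bundle["policies"] if mapping and p["id"] == mapping["policy_id"]), None)
    if policy is None:
        raise LookupError(f"no usable mapping for {repository}")
    whitelisted = {(it["gate"], it["trigger"], it["trigger_id"])
                   for wl in bundle["whitelists"] if wl["id"] in mapping["whitelist_ids"]
                   for it in wl["items"]}
    fired = []
    for rule in policy["rules"]:
        for f in findings:
            if (f["gate"], f["trigger"]) != (rule["gate"], rule["trigger"]):
                continue
            if (f["gate"], f["trigger"], f["trigger_id"]) in whitelisted:
                continue
            if any(f["details"].get(k) != v for k, v in rule["params"].items()):
                continue
            fired.append((rule["action"], f["trigger_id"]))
    final = max((a for a, _ in fired), key=SEVERITY.__getitem__, default="GO")
    return final, fired


if __name__ == "__main__":
    bundle = load_bundle(SAMPLE_BUNDLE)
    for problem in validate_bundle(bundle):
        print("invalid:", problem)
    print("pol-default used by", used_by(bundle, "pol-default"), "deletable:", can_delete(bundle, "pol-default"))
    final, fired = evaluate(bundle, "library/nginx", SAMPLE_FINDINGS)
    for action, trigger_id in fired:
        print(f"{action:5} {trigger_id}")
    print("final:", final)
```

Running it against the constructed bundle reports the blank policy name, the unknown action and the dangling mapping, shows that pol-default is locked because all-repos uses it, and evaluates library/nginx to STOP while still listing the WARN and GO rules that fired after it; the whitelisted openssl finding never appears in the output.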
A bundle containing all policies, whitelists and mappings can be downloaded using the button, which provides a JSON file that can be loaded into the Anchore Jenkins Plugin or the Anchore open source engine.
Note: Anchore Cloud currently only supports uploading individual policies or whitelists; it does not support uploading an entire bundle.