Global Policies

The Rules Config tab within the Deployment Firewall page is used to customize rules at a global level. The pre-defined deployment firewall rules that are listed can be customized as per your requirement using this tab. The severity, action and status of the rule can be changed as needed. The changes made in the rules are reflected across all the applications connected to Delivery Shield.

To View the Rules:

Navigate to Policies tab. The Rules Config details page is displayed. The top panel displays the various stages such as Source, Build, Artifact and Deploy.

Each stage has a colour bar as shown below. Blue color indicates the number of enabled rules with Alert action, red colour indicates the number of enabled rules with Prevent action, and grey colour indicates the number of disabled rules.

Hovering over each stage displays a popup with the respective count for Active and Prevent, Active and Alert and Disabled as shown below:

The following details of the rules are displayed after the panel:

• Rule : Displays the name of the rule.

• Tag : Displays the related tags for the rule. The tags indicate to which security framework the rules are complied with. You can also add user-defined tags.

• Stage : Displays the stage for which the rule is created.

• Category : Displays the category of the rule.

• Severity : Displays the severity or impact of the rule namely Major, Critical or Normal.

• Action : Displays whether the rule displayed is set as an Alert or Prevent. If the action is set to alert, when the rule fails an alert is generated but the deployment succeeds. Similarly, if the action is set to prevent, when the rule fails the deployment will be blocked and an alert will be generated.

• Description : Displays the description of the rule.

• Status : Displays whether the rule is enabled or disabled. You can Enable or Disable the rule for the selected application by clicking the Status radio button. If the rule is enabled, the status button is green in color.

You can choose the group or team for which you want the policies to be listed by clicking the Teams button. On clicking Teams, a popup appears as shown below:

Select the team name for which you want the policies to be displayed, and click Apply. The policies related to that team or group are only displayed. To know more on teams, refer Viewing Access Management.

To Customize the Rules:

The displayed rules can be customized as per your requirement. The Severity and Status field for an individual rule or a set of rules can be customized.

To customize individual rules

• Select the rule for which you wish to change the severity or status field.

• Click the Severity drop down to change the severity of the rule and Action drop down to change the rule to be an alert or prevent.

• Click Save Changes to save the modifications. A popup appears.

• Choose New Applications to apply this change for the newly added applications. ( The changes will reflect to the applications that are added after the modifications are saved only).

• Choose Both Existing and New Applications to apply this change to existing applications as well as newly added applications.

• Click Save Changes. The changes to the rules are saved.

To customize a set of rules

• Click Bulk Edit.

• Select the rules you need to modify.

• Click the Update Action drop down to change the action of the rule.

• Click the Update Status drop down to change the status of the rules. Select Enable All to enable the selected rules and Disable All to disable the selected rules.

• Click Save Changes to save the modifications. A popup appears.

• Choose New Applications to apply this change for the newly added applications. ( The changes will reflect to the applications that are added after the modifications are saved only).

• Choose Both Existing and New Applications to apply this change to existing applications as well as newly added applications.

• Click Save Changes. The changes to the rules are saved.

To Add Tags:

You can add your customized tags to the Tags column.

• Select the rule for which you want to add tags.

• Click near the already available tags as the arrow indicates in the image below:

• A popup to add tags is displayed. Add the required tag in the Add a Tag column.

• A message as shown in the image below appears once you add a tag.

• Press Enter. The tag gets added and a message (Successfully saved) is displayed as shown below:

• To delete the added tags, click on the space near the tags. The popup appears listing the available tags.

• Click on the 'x' mark provided near the added tags.

• The tag gets deleted and a message (Successfully unassigned) is displayed as shown below:

Smart Search

The smart search option available in this page, helps you to search the available Rules based on Action, Severity, Stage, Status, Policy and Tags.

The following example shows how to search for rules based on Tags.

• Select Tags from the search drop down. The various tags that are available are displayed. Select the checkbox near the tag for which you want to filter the assigned rules.

• The rules associated with the selected tags are displayed.

Sync Policies

The Sync Policies option is a feature added to the page. This option allows users to create user-defined rules. To create user rules, you need to integrate Custom Policy Source in Delivery Shield, as shown below:

To Integrate Custom Policy Source

To Integrate Custom Policy Source:

1. Navigate to Config > Integrations.

2. In the Others panel, click on Custom Policy Source.

1. The Custom Policy Source integration page is displayed.

2. Enter the Repo URL & Path and Token value of your custom policy source account.

1. Click Save. The tool is integrated.

2. You can edit the entered values by clicking the Edit option as shown below:

1. Enter the new Repo URL & Path and Token value and click Update.

The new values get updated.

To Create Rules:

Go to your Github path that was added to the Delivery Shield secret. Create the required rule with the following fields as given below:

• Rule name: The name of the created rule.

• Rule Severity: The severity of the rule, namely: Low, Medium, and High.

• Rule Action: The rule type, Alert or Prevent.

• Rule Description: A description of the created rule.

• Variables: The set of system defined values used to validate the policy. For example: github_repo_visibility

• Rule Stage: The stage in which the rule needs to be applied, namely: Source, Build, Artifact and Deploy, .

• Rule: The rule script, ( a rego-based script).

The rule gets added. You can create any number of rules.

A sample user defined policy or rule is given below. This rule indicates that the github repository should not be publicly visible and also public repositories should not be allowed.

ruleName: Github Repo Visibility Validation Policy
ruleSeverity: Medium
ruleAction: Alert
ruleDescription: Github Repository must not be publically visible
variables: github_repo_visibility
ruleStage: Source
rule: |
    package opsmx
    
    deny[msg] {
          checkvisibility := inpu.github_repo_visibility
          checkvisibility == "public"
          msg + "Public repositories are not allowed"
          
    }

To Access the User-Defined Rules:

The created rules need to be synced in order to be applied in the deployment stages. Follow the steps provided below to sync the created rules:

• Navigate to Deployment Firewall > Rules Config.

• Click the Sync Policies option present at the top right corner of the Rules Config page.

• The Sync Policies page is displayed with the list of policies created by the user.

• Click Sync. The user-defined rules get synced and gets added to the rule list.

If there are any errors in the values added to the fields, the rules cannot be synced and shows sync error as shown below:

A tag named User Defined Policies is added to the Tags column once the user defined rules are synced. You can search for the rules using this tag option.