Policies for asset management and discovery with Snyk Essentials and Snyk AppRisk

Product Training

Overview

Asset policies are found at the Group level, under Policies, on the Asset policy tab. Asset policies let an organization specify rules so that, based on triggers and metadata fields, actions are defined and executed automatically.

For example:

  • If a new repository is added without Snyk coverage, a Slack or email notification can be triggered.
  • Assets can be tagged or classified automatically based on the criteria you provide.

For prototyping policy matches, see criteria examples and how to use inventory in the Inventory lesson.

Policy creation

To create a policy, click Policy on the left hand menu, then select the Asset tab at the top.

Policies generally fall into four categories:

  • Sending a notification via email or Slack
  • Setting a tag that assists with filtering or with defining further policies
  • Setting a classification, indicating the importance of an application
  • Setting a coverage policy to determine which controls must run and, optionally, how frequently they must run

You can find common policy examples and suggested settings in the documentation for Policy use cases. Click the links on this page for more information about the relevant use cases.

The following videos provide examples and tips for creating policies.

  • Policy overview video (3m16s)
  • Asset Policy editor video (3m52s)
  • Asset Policy editor - And/Or operators for filters video (1m58s)

Coverage policy example

  • Policy editor - Asset coverage policy example video (1m59s)

Policy editor templates

  • Policy templates - created by Snyk for common policies and best practices. Learn how to use a policy template video (1m25s)

Additional tips

  • When creating policies that check for the use of Snyk Code or Snyk Open Source, be clear about the use case. Is it:
    • Coverage: you are typically checking that all tools are in use
    • Coverage gaps: you are typically checking where one or more tools are not in use
  • Don't forget to filter by asset-type=repository in most cases. If you use OR operators in your rules, you may need to create a higher-level block and nest the rule containing the OR inside it.
  • Repository Name uses the Asset Name option when selecting "Contains" or "Not Contains".
  • The URL for a repository is identified by the Attribute field when asset-type=repository.
  • The default rescan interval for Snyk Open Source is one day, whereas for Snyk Code it is one week. Note, however, that a rescan also takes place when a pull request/merge request is merged, provided the webhook for the associated PR check is present. Because of the different default rescan schedules, you may need to create two policies for coverage.
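The tips above about coverage versus coverage gaps, and about nesting an OR rule under a higher-level block that carries the asset-type=repository filter, are easier to see on a small rule evaluator. The following is an added illustration written for this lesson, not Snyk's policy engine, API or asset schema: the rule tree format, the operator names, the `Asset` dataclass and the four inventory entries are all constructed for the example. It evaluates a correctly nested coverage-gap policy, a flat (mistakenly un-nested) OR policy, and a full-coverage policy over the same constructed inventory.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One inventory entry. Constructed model for illustration, not Snyk's schema."""
    name: str
    asset_type: str
    url: str = ""
    controls: frozenset = frozenset()          # scanners currently covering the asset
    tags: set = field(default_factory=set)     # tags a policy action may add


def matches(rule: dict, asset: Asset) -> bool:
    """Evaluate a rule tree: {'and': [...]}, {'or': [...]}, or a leaf condition.

    A leaf is {'field': <Asset attribute>, 'op': eq|contains|not_contains, 'value': ...}.
    'contains' works for both substring checks on strings and membership in controls.
    """
    if "and" in rule:
        return all(matches(r, asset) for r in rule["and"])
    if "or" in rule:
        return any(matches(r, asset) for r in rule["or"])
    actual = getattr(asset, rule["field"])
    op, value = rule["op"], rule["value"]
    if op == "eq":
        return actual == value
    if op == "contains":
        return value in actual
    if op == "not_contains":
        return value not in actual
    raise ValueError(f"unknown operator {op!r}")


def apply_policy(policy: dict, assets: list, tag: str) -> list:
    """Run a 'set tag' action on every matching asset; return matched names in order."""
    hits = []
    for asset in assets:
        if matches(policy, asset):
            asset.tags.add(tag)
            hits.append(asset.name)
    return hits


# Leaf conditions reused by the policies below (hypothetical operator names).
REPO = {"field": "asset_type", "op": "eq", "value": "repository"}
NO_CODE = {"field": "controls", "op": "not_contains", "value": "snyk-code"}
NO_OSS = {"field": "controls", "op": "not_contains", "value": "snyk-open-source"}
HAS_CODE = {"field": "controls", "op": "contains", "value": "snyk-code"}
HAS_OSS = {"field": "controls", "op": "contains", "value": "snyk-open-source"}

# Coverage gap: repositories missing EITHER scanner. The OR is nested under an
# AND block that also carries the repository filter, as the tip recommends.
COVERAGE_GAP = {"and": [REPO, {"or": [NO_CODE, NO_OSS]}]}

# The mistake the tip warns about: filter and OR conditions at the same level,
# so the repository filter becomes just one more alternative.
FLAT_OR = {"or": [REPO, NO_CODE, NO_OSS]}

# Coverage: repositories where ALL tools are in use.
FULL_COVERAGE = {"and": [REPO, HAS_CODE, HAS_OSS]}


def sample_inventory() -> list:
    """Constructed inventory: three repositories and one non-repository asset."""
    return [
        Asset("payments-api", "repository", "https://git.example/org/payments-api",
              frozenset({"snyk-code", "snyk-open-source"})),
        Asset("web-frontend", "repository", "https://git.example/org/web-frontend",
              frozenset({"snyk-open-source"})),
        Asset("legacy-batch", "repository", "https://git.example/org/legacy-batch"),
        Asset("base-image", "container-image"),
    ]


def coverage_gap_repos() -> list:
    return apply_policy(COVERAGE_GAP, sample_inventory(), "coverage-gap")


def flat_or_hits() -> list:
    return apply_policy(FLAT_OR, sample_inventory(), "coverage-gap")


def fully_covered_repos() -> list:
    return apply_policy(FULL_COVERAGE, sample_inventory(), "fully-covered")


if __name__ == "__main__":
    print("nested coverage gap:", coverage_gap_repos())   # two repositories
    print("flat OR (wrong):    ", flat_or_hits())          # every asset, incl. the image
    print("full coverage:      ", fully_covered_repos())   # one repository
```

The flat OR variant tags the container image (it lacks snyk-code) and the fully covered repository (it is a repository), which is exactly the over-matching that nesting the OR under a block with the repository filter prevents. Prototype the filter in the Inventory view first, as the lesson suggests, before wiring a notification or tag action to it.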

See documentation for common implementation examples of policies: