Before creating a policy, be sure to review the information in the Vulnerability Policies section.
Navigate to → → → .
Click +Add Policy and select one of the options:
Create a policy for issue creation
Create a policy for prevention
Add a Policy Name and, optionally, a Description, and then click Next.
Set the policy conditions by creating a query that defines the specific findings for which the policy will create issues. Your policy can specify which findings to include and which to exclude.
Preview the list of findings that match your policy. If the results look correct, click Next.
Define the policy scope by selecting one or more asset groups from the dropdown menu. If you don't choose an asset group, the policy will apply to all assets.
If you want to create a new asset group, click Create New Asset Group to open the Asset Groups page in a new browser tab. Click + Add Group and follow the instructions in the wizard. After you've created the new asset group, go back to your original tab and finish creating your policy with the new asset group.
Click Next.
Choose the action that will be executed on the findings that match the policy. If you select Create an issue for each matching finding, you must also select the issue severity that will be applied to those issues. You can base the severity of the issue on the severity of the underlying CVE by selecting Use Default CVE Severity in the dropdown menu.
Click Done.
The policy wizard will close, and you will be redirected back to the Vulnerability Policies page.
Set the order of evaluation for the policy.
By default, new policies are added to the bottom of the policy list. To move a policy up or down in the list, click and hold the arrows in the Name column and drag the policy to the desired position in the list.
We recommend placing wider-reaching, more generic policies towards the bottom of the policy list, and more specific policies towards the top of the list.
Click Save.