Create a custom policy
Veracode Package Firewall uses an Open Policy Agent (OPA)-based framework to evaluate dependencies and produce tailored results. You can create and apply custom policies written in the Rego query language, and a Software Development Kit (SDK) is available to help integrate these capabilities into your workflow.
Create a basic policy
Use this basic policy with an issue rule to block all High and Critical issues.
# METADATA
# title: Limit risk
# description: |
#   Block issues based on risk level.
package policy.v1

import data.phylum.level
import rego.v1

# METADATA
# title: risk level cannot exceed medium
deny contains issue if {
    some issue in data.issues
    issue.severity > level.MEDIUM
}
The title and description in the initial metadata comments are displayed in the Package Firewall UI, and we highly recommend including them.
The package policy.v1 line must be present because it enables OPA to locate the policy rules.
The deny rule includes the specified issue when the if statement evaluates to true. OPA iterates through the job input data and evaluates the expression against the severity level of each issue in the job.
The title field in the metadata comment above the rule is associated with the failure in the output from Package Firewall.
Policy examples
A policy transforms your threat model into a description of why a job is blocked. There are multiple ways to define the conditions that block a job.
The METADATA block contains OPA annotations, which correlate to the schema and support type checking.
Block an issue
The most common reason to block a job is that one of the dependencies has a known issue in one of Package Firewall’s risk domains.
The following example shows how to block based on a per-domain threshold by using an issue rule.
package policy.v1

import data.phylum.domain
import data.phylum.level
import rego.v1

# METADATA
# title: risk level cannot exceed medium
deny contains issue if {
    some issue in data.issues
    issue.domain in {domain.AUTHOR, domain.ENGINEERING, domain.VULNERABILITY}
    issue.severity > level.MEDIUM
}

# METADATA
# title: malicious risk level cannot exceed low
deny contains issue if {
    some issue in data.issues
    issue.domain == domain.MALICIOUS
    issue.severity > level.LOW
}

# METADATA
# title: license risk level cannot exceed high
deny contains issue if {
    some issue in data.issues
    issue.domain == domain.LICENSE
    issue.severity > level.HIGH
}
Given the following input:
{
    "issues": [{
        "id": "b8ad4443-d875-427b-9eda-b4b2fb1d6212",
        "domain": "malicious",
        "severity": 4,
        "tag": "CM0004"
    }]
}
If the policy fails, the output appears similar to the following:
{
    "deny": [{
        "id": "b8ad4443-d875-427b-9eda-b4b2fb1d6212",
        "domain": "malicious",
        "severity": 4,
        "tag": "CM0004"
    }]
}
When Package Firewall receives this output from the policy, it blocks the job and generates a report that identifies the package and describes the issue.
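The per-domain policy above can be checked locally before it is uploaded. The following is an added example, not code from Veracode or the Package Firewall documentation: it repeats two of the page's issue rules and adds OPA unit tests (`test_*` rules, run with `opa test`). The `level` and `domain` constants are supplied by Package Firewall through `data.phylum` at evaluation time; the numeric levels and domain strings in the `mock_level` and `mock_domain` objects, and the issues in `sample_issues`, are constructed for the test and are assumptions, not Veracode's published values.

```rego
# Added example (not Veracode's own code): the per-domain issue policy from this
# page bundled with OPA unit tests, so the thresholds can be checked locally with
#   opa test -v policy_test.rego
# before the policy is uploaded. The level and domain constants come from
# data.phylum at runtime; the numeric levels and domain strings in the mocks
# below are ASSUMED for the test and are not Veracode's published values.
package policy.v1

import data.phylum.domain
import data.phylum.level
import rego.v1

# METADATA
# title: risk level cannot exceed medium
deny contains issue if {
	some issue in data.issues
	issue.domain in {domain.AUTHOR, domain.ENGINEERING, domain.VULNERABILITY}
	issue.severity > level.MEDIUM
}

# METADATA
# title: malicious risk level cannot exceed low
deny contains issue if {
	some issue in data.issues
	issue.domain == domain.MALICIOUS
	issue.severity > level.LOW
}

# ---- unit tests: assumed constants and constructed inputs ----

# Assumed mapping for the test only; the real values ship in data.phylum.
mock_level := {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

mock_domain := {
	"AUTHOR": "author",
	"ENGINEERING": "engineering",
	"VULNERABILITY": "vulnerability",
	"MALICIOUS": "malicious",
	"LICENSE": "license",
}

# Constructed issues, not real findings: the first sits exactly at the medium
# threshold (allowed, because the rule uses a strict >), the second is a medium
# malicious issue (blocked, because the malicious ceiling is low), and the third
# is a license issue that no rule in this file covers (allowed).
sample_issues := [
	{"id": "constructed-1", "domain": "vulnerability", "severity": 2, "tag": "EXAMPLE"},
	{"id": "constructed-2", "domain": "malicious", "severity": 2, "tag": "EXAMPLE"},
	{"id": "constructed-3", "domain": "license", "severity": 4, "tag": "EXAMPLE"},
]

# Evaluate deny with the job input and the phylum constants replaced by the mocks.
test_per_domain_thresholds if {
	result := deny with data.issues as sample_issues
		with data.phylum.level as mock_level
		with data.phylum.domain as mock_domain
	denied := {issue.id | some issue in result}
	denied == {"constructed-2"}
}
```

The third sample issue is the point worth noticing: a domain that no rule names is never denied, however severe the issue, so every risk domain you care about needs its own rule. In practice keep the `mock_*`, `sample_issues` and `test_*` rules in a separate `_test.rego` file next to the policy so that only the `deny` rules are uploaded.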
Block a dependency
You can also block based on dependency-level characteristics by using a dependency rule.
The following example blocks dependencies whose license is AGPL.
Note: a policy for blocking copyleft licenses already exists. For details, see the copyleft license policy.
package policy.v1

import rego.v1

# METADATA
# title: AGPL licensed software is not allowed.
deny contains dependency if {
    some dependency in data.dependencies
    regex.match("(?i)\\bAGPL\\b", dependency.license)
}
Given the following input:
{
    "dependencies": [{
        "ecosystem": "npm",
        "id": "4cc36d79-b8ce-5b7d-89c1-6f6a31f59819",
        "issues": [],
        "issues_complete": true,
        "license": "AGPL-3.0",
        "name": "example-package",
        "version": "1.0.0"
    }]
}
If the policy fails, the output appears similar to the following:
{
    "deny": [{
        "ecosystem": "npm",
        "id": "4cc36d79-b8ce-5b7d-89c1-6f6a31f59819",
        "issues": [],
        "issues_complete": true,
        "license": "AGPL-3.0",
        "name": "example-package",
        "version": "1.0.0"
    }]
}
When Package Firewall receives this output from the policy, it blocks the package download.
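A dependency rule only fires when every expression in its body evaluates to true, and in Rego a reference to a field that is absent from the input is undefined rather than false. The AGPL rule above therefore never matches a dependency that carries no `license` field at all, and such a package would pass the policy silently. The following added example, which is not Veracode's own policy, pairs the page's AGPL rule with a second rule that denies dependencies whose license is missing, `null` or empty, and includes an `opa test` check. The `sample_dependencies` entries are constructed and are not real packages.

```rego
# Added example (not Veracode's own policy): the AGPL dependency rule from this
# page plus a second rule for dependencies whose license field is missing, null
# or empty. A reference to an absent field is undefined in Rego, so the regex
# rule alone cannot fire on a dependency with no license metadata.
# Run with:  opa test -v deps_test.rego
package policy.v1

import rego.v1

# METADATA
# title: AGPL licensed software is not allowed.
deny contains dependency if {
	some dependency in data.dependencies
	regex.match("(?i)\\bAGPL\\b", dependency.license)
}

# METADATA
# title: dependency has no license metadata
deny contains dependency if {
	some dependency in data.dependencies
	# object.get returns the default when the key is absent; null and "" are
	# checked explicitly because `not dependency.license` would accept both
	# (only false and undefined make `not` succeed).
	license := object.get(dependency, "license", null)
	license in {null, ""}
}

# Constructed sample dependencies, not real packages: one permissive license,
# one AGPL, one empty license string, one with no license field at all.
sample_dependencies := [
	{"ecosystem": "npm", "id": "constructed-a", "license": "MIT", "name": "example-mit", "version": "1.0.0"},
	{"ecosystem": "npm", "id": "constructed-b", "license": "AGPL-3.0", "name": "example-agpl", "version": "1.0.0"},
	{"ecosystem": "npm", "id": "constructed-c", "license": "", "name": "example-empty", "version": "1.0.0"},
	{"ecosystem": "npm", "id": "constructed-d", "name": "example-unlabelled", "version": "1.0.0"},
]

# Only the AGPL package and the two without usable license metadata are denied.
test_license_rules if {
	result := deny with data.dependencies as sample_dependencies
	denied := {dependency.id | some dependency in result}
	denied == {"constructed-b", "constructed-c", "constructed-d"}
}
```

Each denied dependency carries its own rule's `title` into the Package Firewall report, so keeping the missing-metadata case as a separate rule tells the reviewer whether a package was blocked for its license or for having none. As with the issue example, move the sample data and `test_*` rules into a separate `_test.rego` file before uploading the policy.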