Saltminer can be configured with an application-level security policy compliance metric that is based on the FoD model but may be extended to support other sources.
Compliance may be based on combinations of the following parameters:
- Star Rating: The minimum star rating an application must be awarded to be determined as passing.
- Remediation Grace Period: Specifies the remediation grace period for each issue severity level. When an issue found in a QA/Test or Production release is still within its grace period, it does not affect the pass/fail status of the release.
- Required Scan Frequency: Specifies the required scan frequency for each scan type. If a QA/Test or Production release has not completed a scan of a given type within that type's designated period, the release fails. The value 0 means no scan of that type is required.
Compliance is calculated as new documents are ingested from Fortify. A series of ingest pipelines can be configured with different values for the above parameters. The pipelines are executed in the following order:
- saltminer-issues-risk-roller-pipeline – a set of two scripts which calculate the compliance and risk scores for each issue
- saltminer-pass-fail-issues – a set of two scripts which calculate the time since the last scan and determine pass/fail based on the number and type of vulnerabilities
- saltminer-asset-risk-roller-pipeline – a set of three scripts which check that an asset has been scanned and set the compliance and risk scores based on the scores in the latest scan
- saltminer-pass-fail-assets – a set of four scripts which evaluate pass/fail for SAST, DAST, Mobile, and Open Source scan frequency
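The pass/fail rules described above, as an added example that is not Saltminer's own pipeline scripts: a Python model that applies a hypothetical policy to a constructed release in the same order as the pipelines (issue-level grace periods first, then asset-level scan frequency). The policy values, the Issue/Release classes and the sample release are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy (an assumption for this example, not Saltminer defaults): grace period
# in days per severity and required scan frequency in days per scan type (0 = not required).
POLICY = {
    "min_star_rating": 4,
    "grace_days": {"Critical": 0, "High": 30, "Medium": 90, "Low": 180},
    "scan_frequency_days": {"SAST": 30, "DAST": 90, "Mobile": 0, "Open Source": 30},
}

@dataclass
class Issue:
    severity: str
    found: date

@dataclass
class Release:
    star_rating: int
    issues: list     # list of Issue
    last_scan: dict  # scan type -> date of the last completed scan of that type

def overdue_issues(release, policy, today):
    # Issue-level check: an issue counts only after its severity's grace period has elapsed.
    return [i for i in release.issues
            if today - i.found > timedelta(days=policy["grace_days"].get(i.severity, 0))]

def overdue_scans(release, policy, today):
    # Asset-level check: a required scan type is overdue if it never ran or ran too long ago.
    overdue = []
    for scan_type, days in policy["scan_frequency_days"].items():
        last = release.last_scan.get(scan_type)
        if days and (last is None or today - last > timedelta(days=days)):
            overdue.append(scan_type)
    return overdue

def evaluate(release, policy, today):
    # Combine the three parameters; reasons are collected in pipeline order (issues, then scans).
    reasons = []
    if release.star_rating < policy["min_star_rating"]:
        reasons.append(f"star rating {release.star_rating} below {policy['min_star_rating']}")
    for i in overdue_issues(release, policy, today):
        reasons.append(f"{i.severity} issue found {i.found} is past its grace period")
    for scan_type in overdue_scans(release, policy, today):
        reasons.append(f"{scan_type} scan overdue or missing")
    return {"pass": not reasons, "reasons": reasons}

# Constructed sample: one Medium issue past its 90-day grace and a DAST scan older than 90 days.
TODAY = date(2024, 6, 30)
SAMPLE = Release(5, [Issue("High", date(2024, 6, 15)), Issue("Medium", date(2024, 1, 1))],
                 {"SAST": date(2024, 6, 10), "DAST": date(2024, 2, 1), "Open Source": date(2024, 6, 25)})
```

Running `evaluate(SAMPLE, POLICY, TODAY)` fails the sample release for the overdue Medium issue and the stale DAST scan, while the never-scanned Mobile type is ignored because its frequency is 0.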