Policies and Gates
What is a Gate?
A Gate is a group of policies (checks). A gate can be applied at an organization level. All SBOMs generated in an organization are evaluated against the organization's gate(s) to generate findings.
Gate supports inheritance. A gate associated with a root org will also be applied to its child orgs.
A Gate is associated with:
A set of policies
Stage, which can be "As Sourced", "As Built", "As Deployed", "As Shipped". A stage represents the stage of the build pipeline where the gate is applied.
Function Type, which can be any one of the valid functions. The function type represents who can modify the gate once it is created. The combination of organization and function type decides who can modify the gate.
Integration Type, which can be "scm", "image", "sbom upload". The integration type represents the type of integration the gate is associated with.
Why is a Gate important?
A gate provides a mechanism for organizations to evaluate all software that is produced and/or consumed against a set of policies, and to get visibility into dimensions like vulnerabilities, risk level, provenance, license types, code quality, security posture etc.
Let's look at an example. Let's say the CISO of a company wants to understand the risks of the software that is getting shipped. The CISO would create one or more gates as shown below:
Risky vulnerable components gate
Risky component Assessment gate
Risky License Usage gate
Risky code commits gate
The CISO then delegates the creation of policies (checks) for these gates to a Software Procurement manager, the Legal group and a Release manager. The gates can then be assigned to the root organization, in which case they are applied to all child organizations and assessment happens on all the SBOMs generated.
Now the CISO can see a dashboard which summarizes the policy evaluation results of all the SBOMs.
A gate also defines the visibility of SBOMs, gates and hence policies. Please refer to the organization example to understand more.
What is a policy?
A policy is a check that is performed on an SBOM. A search string (English query) can be saved as a policy. The English query can be a combination of AND, OR conditions. A policy can evaluate any dimension of an SBOM: vulnerabilities, security posture, age of components etc.
How to create a policy?
Lineaje's "Save Search as policy" feature can be used to create a policy. From the search page, any search query can be saved. A few examples of policies:
A search query "Components with Critical or High Vulnerabilities" can become Risky Vulnerability Policy
A search query "Components with Critical or High Vulnerabilities that are exploitable" can become Exploitable Vulnerability Policy
A search query "Components with code quality issues related to Binary Artifacts" can become Source Repo Misconfiguration Policy
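The following is an added illustrative model of the gate and policy concepts described on this page (gate inheritance from a root org to child orgs, stage and integration-type matching, and policies as AND/OR checks over SBOM components). It is not Lineaje's code; the data layout, the `Org`/`Gate` classes and the sample SBOM are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A policy is a check over one SBOM component; True means the component violates it.
Policy = Callable[[dict], bool]

@dataclass
class Gate:
    name: str
    stage: str            # "As Sourced" | "As Built" | "As Deployed" | "As Shipped"
    integration: str      # "scm" | "image" | "sbom upload"
    policies: Dict[str, Policy]

@dataclass
class Org:
    name: str
    parent: Optional["Org"] = None
    gates: List[Gate] = field(default_factory=list)

def effective_gates(org: Org) -> List[Gate]:
    """Inheritance: an org's own gates plus those of every ancestor up to the root."""
    gates, cur = [], org
    while cur is not None:
        gates.extend(cur.gates)
        cur = cur.parent
    return gates

def evaluate(sbom: dict, org: Org) -> List[dict]:
    """Run every applicable gate's policies over the SBOM and return findings."""
    findings = []
    for gate in effective_gates(org):
        if gate.stage != sbom["stage"] or gate.integration != sbom["integration"]:
            continue  # gate is bound to a different pipeline stage or integration
        for pname, check in gate.policies.items():
            for comp in sbom["components"]:
                if check(comp):
                    findings.append({"gate": gate.name, "policy": pname, "component": comp["name"]})
    return findings

# "Critical OR High" and the AND-refined "Critical or High AND exploitable" policies from the text.
def risky_vuln(c): return any(v["severity"] in ("CRITICAL", "HIGH") for v in c["vulns"])
def exploitable_vuln(c): return any(v["severity"] in ("CRITICAL", "HIGH") and v["exploitable"] for v in c["vulns"])

root = Org("acme")  # constructed root org; the gate is attached here and inherited below
root.gates.append(Gate("Risky vulnerable components", "As Shipped", "image",
                       {"Risky Vulnerability Policy": risky_vuln, "Exploitable Vulnerability Policy": exploitable_vuln}))
team = Org("acme-payments", parent=root)

SBOM = {"stage": "As Shipped", "integration": "image", "components": [  # constructed sample SBOM
    {"name": "libfoo", "vulns": [{"severity": "HIGH", "exploitable": True}]},
    {"name": "libbar", "vulns": [{"severity": "LOW", "exploitable": False}]},
    {"name": "libbaz", "vulns": [{"severity": "CRITICAL", "exploitable": False}]}]}
```

Calling `evaluate(SBOM, team)` yields three findings from the root org's gate even though `team` defines no gates of its own; changing the SBOM's stage to "As Built" yields none, because the gate is bound to "As Shipped".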