Rules and Rulesets
  • 19 Oct 2021

A ruleset in Ion Channel defines the conditions under which a project passes or fails an analysis.

A ruleset contains one or more rules. For a project to pass an analysis, every scan governed by an enabled rule must complete and satisfy that rule's requirement. If any single rule fails, the entire analysis fails. For example, if a rule requiring that no vulnerabilities exist fails because a vulnerability was detected, the analysis fails even when every other rule has passed.

When integrated with your CI/CD workflow, Ion Channel's rulesets enforce your security policies by blocking code that fails analysis from being merged into protected branches or promoted to live production environments.

Rulesets also gate projects that are configured to deliver artifacts or code to an S3 bucket. Before the code is delivered to the high-security environment, it is analyzed and evaluated against the rules in the applied ruleset; if the analysis fails, the delivery is canceled, so only passing projects are delivered. A detected virus always cancels the delivery, whether or not the Virus rule is enabled in the ruleset.

Available rules:

  • Virus: When this rule is enabled, an analysis will fail if any virus is detected. Virus definitions are obtained from ClamAV.
  • Critical/High Vulnerabilities: When this rule is enabled, an analysis will fail if the number of high or critical severity vulnerabilities discovered exceeds the maximum allowed value. Vulnerability severity is based on NVD CVSS scores or NPM security advisory severity. For NVD, if both version 2.0 and 3.0/3.1 severity ratings exist for a vulnerability, the 3.0/3.1 scoring will be used.
  • External Vulnerabilities: This is a feature for our VPC (Virtual Private Cloud) customers that is deployed as part of a CI/CD pipeline. If this rule is enabled and an external vulnerability file is not provided or configured, the analysis will fail. Therefore, it is highly recommended that this rule not be enabled unless an external vulnerability file will be provided with every analysis.
  • Has License: When this rule is enabled, an analysis will fail when no valid license file is detected.
  • Dependency No Version: When this rule is enabled, an analysis will fail if any dependency without a version specified is detected. This applies to both direct and transitive dependencies.
  • Major Versions Behind: When this rule is enabled, an analysis will fail if any direct dependency's major version is behind the most recent version by more than the maximum allowed value.
  • Dependency More Than One Version Behind: When enabled, no direct dependency may be more than one major version behind the most recent major version. At the moment, analyses that fail this rule do not display this information on the Dependencies Outdated tile; this functionality will be implemented soon.
  • About YAML: This rule has been deprecated and is no longer an option to include in new rulesets. Any existing rulesets that have this rule applied will not include the About YAML scan in future analyses.
  • Single Committer: When this rule is enabled, an analysis will fail if fewer than two committers are detected. For committers to be detected, the project must be a public GitHub repository; all other types of projects will fail this rule.
  • Days Since Last Commit: When this rule is enabled, an analysis will fail if the number of full days since the last commit exceeds the number of days specified. For commits to be detected, the project must be a public GitHub repository. All other types of projects will fail this rule.
  • Code Coverage: When enabled, the project must have code coverage greater than the selected threshold. Code coverage is obtained from 3rd party tools and is configured for Ion Channel via the Ionize CLI. If no code coverage file is accessible, the analysis will fail. Therefore, like the external vulnerability rule, it is highly recommended that this rule not be enabled unless a code coverage file will be provided with every analysis.
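The evaluation semantics above (every enabled rule must pass, a missing external-vulnerability or coverage file is itself a failure, CVSS 3.x takes precedence over 2.0, and a virus cancels an S3 delivery even when the Virus rule is disabled) are small enough to model locally, which is useful when you want to predict a gate result before pushing. The following is an added illustration written for this page, not Ion Channel's own evaluator or API: the `ScanResults` record, the rule keys used in the ruleset dictionary, and every sample value are constructed for the example.

```python
"""Model of how a ruleset gates an analysis and an S3 delivery.

Added illustration only; this is not Ion Channel's evaluator. Rule
semantics follow the rule list in the article; the ScanResults record,
the rule keys and all sample values are constructed for this example.
"""
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class ScanResults:
    """What the scans produced for one analysis (assumed shape)."""
    virus_found: bool = False
    # Each entry may carry 'cvss_v2', 'cvss_v3' (base scores) or 'npm_severity'.
    vulnerabilities: List[dict] = field(default_factory=list)
    external_vuln_file: Optional[str] = None   # None = no file supplied
    license_found: bool = False
    unversioned_dependencies: int = 0          # direct + transitive
    majors_behind: Dict[str, int] = field(default_factory=dict)  # direct deps only
    public_github: bool = False
    committers: int = 0
    last_commit: Optional[date] = None
    coverage_pct: Optional[float] = None       # None = no coverage file


def severity(vuln: dict) -> str:
    """CVSS 3.x wins over 2.0 when both exist; NPM advisories carry a label."""
    if "cvss_v3" in vuln:
        s = vuln["cvss_v3"]
        return "critical" if s >= 9.0 else "high" if s >= 7.0 else "medium" if s >= 4.0 else "low"
    if "cvss_v2" in vuln:
        s = vuln["cvss_v2"]          # CVSS 2.0 has no 'critical' band
        return "high" if s >= 7.0 else "medium" if s >= 4.0 else "low"
    return vuln.get("npm_severity", "unknown").lower()


def evaluate(ruleset: Dict[str, object], r: ScanResults, today: date) -> Dict[str, Tuple[bool, str]]:
    """Return {rule: (passed, detail)} for every enabled rule.

    ruleset maps a rule key to its threshold (True for rules without one)."""
    out = {}
    for rule, threshold in ruleset.items():
        if rule == "virus":
            ok, detail = not r.virus_found, "clamav hit" if r.virus_found else "clean"
        elif rule == "critical_high_vulnerabilities":
            n = sum(1 for v in r.vulnerabilities if severity(v) in ("critical", "high"))
            ok, detail = n <= threshold, f"{n} critical/high, max {threshold}"
        elif rule == "external_vulnerabilities":
            ok = r.external_vuln_file is not None
            detail = "file provided" if ok else "no external vulnerability file"
        elif rule == "has_license":
            ok, detail = r.license_found, "license found" if r.license_found else "no valid license file"
        elif rule == "dependency_no_version":
            ok, detail = r.unversioned_dependencies == 0, f"{r.unversioned_dependencies} unpinned"
        elif rule == "major_versions_behind":
            worst = max(r.majors_behind.values(), default=0)
            ok, detail = worst <= threshold, f"worst {worst} majors behind, max {threshold}"
        elif rule == "dependency_more_than_one_version_behind":
            worst = max(r.majors_behind.values(), default=0)
            ok, detail = worst <= 1, f"worst {worst} majors behind, max 1"
        elif rule == "single_committer":
            # Only public GitHub projects expose committers; anything else fails.
            ok = bool(r.public_github and r.committers > 1)
            detail = f"{r.committers} committers" if r.public_github else "not a public GitHub repo"
        elif rule == "days_since_last_commit":
            if r.public_github and r.last_commit is not None:
                days = (today - r.last_commit).days   # full days only
                ok, detail = days <= threshold, f"{days} days, max {threshold}"
            else:
                ok, detail = False, "not a public GitHub repo"
        elif rule == "code_coverage":
            # A missing coverage file fails outright, like a missing external vuln file.
            ok = r.coverage_pct is not None and r.coverage_pct > threshold
            detail = f"{r.coverage_pct}% vs {threshold}%" if r.coverage_pct is not None else "no coverage file"
        else:
            raise ValueError(f"unknown rule {rule!r}")
        out[rule] = (ok, detail)
    return out


def analysis_passes(results: Dict[str, Tuple[bool, str]]) -> bool:
    """One failed rule fails the whole analysis."""
    return all(ok for ok, _ in results.values())


def delivery_allowed(ruleset: Dict[str, object], r: ScanResults, today: date) -> bool:
    """S3 delivery needs a passing analysis, and a virus cancels delivery
    even when the virus rule is not in the ruleset."""
    return analysis_passes(evaluate(ruleset, r, today)) and not r.virus_found


# Constructed sample: a ruleset that does not enable the Virus rule, and two analyses.
SAMPLE_RULESET = {
    "critical_high_vulnerabilities": 0,
    "has_license": True,
    "days_since_last_commit": 90,
    "code_coverage": 70.0,
}
TODAY = date(2021, 10, 19)
CLEAN = ScanResults(
    vulnerabilities=[{"cvss_v2": 7.5, "cvss_v3": 5.3}],  # v3 says medium, so it is not counted
    license_found=True, public_github=True, committers=3,
    last_commit=date(2021, 9, 1), coverage_pct=82.0,
)
INFECTED = replace(CLEAN, virus_found=True)

if __name__ == "__main__":
    for name, res in (("clean", CLEAN), ("infected", INFECTED)):
        verdict = evaluate(SAMPLE_RULESET, res, TODAY)
        print(name, "analysis passes:", analysis_passes(verdict),
              "delivery allowed:", delivery_allowed(SAMPLE_RULESET, res, TODAY))
```

Running it shows the case the article calls out: the infected project still passes the analysis because the Virus rule is not in the ruleset, yet `delivery_allowed` is false, so the S3 delivery would be canceled. Adding `"virus": True` to the ruleset makes the analysis itself fail.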

To create a ruleset:

  1. Log in to the Ion Channel console.
  2. From the hamburger menu in the upper right corner, select Add a Ruleset.
     -or-
    From the Rulesets page, select the + icon located to the right of the team drop-down menu.
  3. Ensure the correct team is displayed in the team drop-down menu on the right-hand side.
  4. Enter a name for the ruleset that allows you to identify which rules are included in the ruleset easily. When creating a project, this name will appear when selecting which ruleset to apply to the project.
  5. If desired, enter a description of the ruleset. This description can be used to provide more detailed information on the ruleset and will appear in your list of rulesets and within the ruleset itself.
  6. Enable one or more rules by selecting the Yes radio button under Enable Rule. Where applicable, also adjust the Threshold value if desired.
  7. Select Add ruleset when you are happy with the current settings.
Note: Rulesets cannot be modified after creation. However, a copy function exists on the ruleset list to copy an existing ruleset and then make changes to the copy.

Obtaining a ruleset ID

With the API and CLI tools, several functions will require that you provide a ruleset ID that is used to identify a ruleset. This ID can be copied by navigating to the Rulesets page, hovering your mouse over the wrench icon, and selecting Ruleset ID.

Archiving Rulesets

Rulesets that are no longer in use may be archived to prevent them from appearing in the ruleset selector when creating a new or editing an existing project. Hover your mouse over the wrench icon located to the right of the ruleset and select the Archive button to prevent that ruleset from being used.

The Archive button will not be present if the ruleset is currently applied to any projects. Update existing projects that have this ruleset applied to a new ruleset first.

Filtering Rulesets

By default, only active rulesets are displayed on the Rulesets page. Select the filter dropdown near the upper right-hand corner to view any archived rulesets that may exist.

