Policies allow you to describe the data and methods in your application and how they relate to each other. This information is helpful to NG SAST because it enhances the code property graph generated, allowing you to generate higher-level conclusions and relevant security findings.
More specifically, NG SAST uses policies to gain insight into:
- How your application communicates with other applications, APIs, services, etc.
- The transformations that exist on your data
- The information flows that should be considered as security violations
NG SAST includes default application policies that define patterns; data flows that match the established patterns typically lead to security violations or data transformations.
The included policies define the most commonly found patterns. You can create custom policies to provide additional knowledge regarding your app and exclude parts of a default policy that don't apply to your app.
You can use custom policies instead of or in conjunction with NG SAST's default policies.
Policy file locations
NG SAST policies are located in the ShiftLeft repository; using ShiftLeft's CLI, you can:
- View a policy
- Upload a custom policy you've written
- Manage default policies
The namespace information informs the name of the policy. For example, a policy you'd use whenever your application calls the java.io.ObjectInputStream class from the Java Standard Library is available in ShiftLeft's repository as java.io/ObjectInputStream.