This article shows how you can use policies to enforce your business rules and logic.
Suppose your business policies require you to flag any use of private data with an audit-logging tag. This isn't a sensitive data leak; it is the creation of an access audit log for compliance purposes. To implement tagging, you can use the logger's warn method in the application:
The following policy shows you how to tag three different methods with a custom audited tag. It also identifies any uses of the data that should be tagged but aren't; these are marked as an Insufficient Logging vulnerability.
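To make a method worth tagging, route every audit log entry for private-data access through one dedicated method rather than scattering ad-hoc logger.warn calls; the policy then has a single, stable target to tag as audited, and any private-data access that does not pass through it is what gets reported as Insufficient Logging. The following is an added illustration, not code from this page or from NG SAST; the class and method names (AuditLog, CustomerController, CustomerRepository, getSsn) and the use of an SLF4J logger are assumptions.

```java
// Added example (not from the original page): an audit-log helper and a
// controller with one audited and one unaudited access to private data.
// Assumed: SLF4J logging and the hypothetical repository/controller classes below.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Single choke point for audit entries. A policy would tag this method (or the
// logger.warn call it wraps) as "audited"; everything private-data-related
// should flow through here.
final class AuditLog {
    private static final Logger LOG = LoggerFactory.getLogger("AUDIT");

    private AuditLog() {}

    // Structured entry: who accessed what, and why. No private values are
    // written into the log line itself, only the fact of access.
    static void privateDataAccess(String actor, String subjectId, String field, String purpose) {
        LOG.warn("audit=private-data-access actor={} subject={} field={} purpose={}",
                 actor, subjectId, field, purpose);
    }
}

// Hypothetical data source; the SSN is the private datum in this example.
interface CustomerRepository {
    String getSsn(String customerId);
}

final class CustomerController {
    private final CustomerRepository repo;

    CustomerController(CustomerRepository repo) {
        this.repo = repo;
    }

    // Correct: the private datum is read, and the access is recorded through
    // the audited helper before the value leaves the controller.
    String maskedSsnForSupport(String actor, String customerId) {
        String ssn = repo.getSsn(customerId);
        AuditLog.privateDataAccess(actor, customerId, "ssn", "support-verification");
        return "***-**-" + ssn.substring(Math.max(0, ssn.length() - 4));
    }

    // Insufficient logging: the same private datum is read and returned, but
    // no call to the audited method occurs on this path. This is the kind of
    // use the policy reports under the Insufficient Logging category.
    String rawSsnForExport(String customerId) {
        return repo.getSsn(customerId);
    }
}
```

Keeping the audit call in one helper also makes the policy's tag robust to refactoring: renaming or moving individual controller methods does not change which method is audited, so the Insufficient Logging findings continue to point at exactly the code paths that bypass the helper.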
Whenever there are uses of data that should be tagged but aren't, you'll see the "Insufficient Logging" category in the Dashboard, along with the number of findings present.
Clicking on the category brings up a list of the identified findings.
You can get in-depth information on each finding by opening it individually.
Narrowing the Results
The policy above returns too many results. We can narrow what NG SAST reports by focusing only on data used in specific code (in this case, the controller files). To do so, we can extend the conclusion section with another IO flow called http. Then, controllers will automatically get tagged as
Then, NG SAST only reports the findings that occur in the controllers.