This article will show you how to create a policy that instructs NG SAST to ignore vulnerabilities that have a sanitization function in the dataflow when analyzing your application. Developers often use sanitization functions in their application's source code to sanitize user input. This protects against common attacks, such as SQL Injection attacks.
Step 1: Create a New Policy File
For this tutorial, we will scaffold off the default policy:
Specify (and make a note of) the filepath you would like the policy to be saved once created.
Step 2: Edit the Policy Definition
Open your newly created policy file using a text editor. Add the following directives to your policy file:
setAttribute is the actual method signature of the sanitization function.
The final line of the example shown above instructs NG SAST to add a
check tag to all data flows that contain a function matching the method signature defined with the
Step 3: Validate the New Policy
After you write new policy definitions or editing the existing definitions, you must validate your new policy to make sure that there are no errors. To do so, run:
This command returns a non-zero exit status code if there is a problem with either the syntax or the semantics of your policy.
Step 4: Upload the Policy to the ShiftLeft Repository
NG SAST can only use a custom policy if it is located in the ShiftLeft repository. To upload your policy, run:
Be sure to replace
<policyLabel> with the desired name for your policy.
If you successfully upload your policy, ShiftLeft returns to the CLI your Org ID policy and tag:
<policyTag> is the tag ShiftLeft assigned to the policy by default.
You can check for this policy in the repository by using the info command, which lists all policies uploaded with the specified label that is available to you:
Step 5: Assign the New Policy
Assigning the policy to your application ensures that NG SAST uses it the next time it analyzes the app's code:
At this point, you are ready to proceed with your next code analysis.