Rule engine

Sometimes the result of a scanner doesn't fit the product's needs, and either the severity or the status needs to be adjusted. To avoid having to do many manual assessments regularly, a built-in rule engine can adjust severity and/or status directly during the import of observations.

This can remove a lot of noise, for example by setting observations to False positive when the ruleset of the scanner cannot be adjusted appropriately.


Rules can be managed in two ways:

  • General rules will be applied for all products. A product can be excluded from general rules in its settings.
  • Product Rules are only valid for one product.

These fields are used to decide if a rule shall be applied for an observation:

  • Parser (mandatory): The observation has been imported with this parser.
  • Scanner prefix (optional): The observation has been generated by a scanner whose name starts with this prefix. A prefix is used here because the scanner field in the observation often contains the version of the scanner as well, which is typically irrelevant for the rule.
  • Observation title (optional): Regular expression to match the observation's title.
  • Origin component name:version (optional): Regular expression to match the component name:version
  • Origin docker image name:tag (optional): Regular expression to match the docker image name:tag
  • Origin endpoint URL (optional): Regular expression to match the endpoint URL
  • Origin service name (optional): Regular expression to match the service name
  • Origin source file (optional): Regular expression to match the source file

If an observation matches all fields containing a value, then the new severity and/or new status is set in the observation and a comment is stored in the Observation Log.
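
The matching logic described above, written out as an added example (this is not the rule engine's own code). All field names, the sample rule and the sample observations are constructed; the regex anchoring, the handling of empty observation fields and the first-match-wins order are assumptions.

```python
import re

# Hypothetical field names mirroring the optional regex fields listed above.
REGEX_FIELDS = ("title", "origin_component_name_version",
                "origin_docker_image_name_tag", "origin_endpoint_url",
                "origin_service_name", "origin_source_file")

def rule_matches(rule, obs):
    """True only if every rule field that contains a value matches."""
    if rule["parser"] != obs.get("parser"):  # mandatory field
        return False
    prefix = rule.get("scanner_prefix")
    if prefix and not (obs.get("scanner") or "").startswith(prefix):
        return False
    for field in REGEX_FIELDS:
        pattern = rule.get(field)
        if not pattern:  # empty rule field: no constraint
            continue
        value = obs.get(field)
        # Assumptions: a missing observation value never matches, and the
        # pattern is anchored at the start of the value (re.match).
        if not value or re.match(pattern, value) is None:
            return False
    return True

def apply_rules(rules, obs, log):
    """Assumption: first matching rule wins; log stands in for the Observation Log."""
    for rule in rules:
        if rule_matches(rule, obs):
            obs["severity"] = rule.get("new_severity") or obs["severity"]
            obs["status"] = rule.get("new_status") or obs["status"]
            log.append(f"Rule '{rule['name']}' applied")
            return True
    return False

# Constructed sample data (parser, scanner and component names are made up).
RULE = {"name": "test-only dependency", "parser": "Example SCA parser",
        "scanner_prefix": "examplescan",
        "origin_component_name_version": r"pytest:7\..*",
        "new_status": "False positive"}
HIT = {"parser": "Example SCA parser", "scanner": "examplescan / 1.4.2",
       "title": "Constructed finding", "severity": "High", "status": "Open",
       "origin_component_name_version": "pytest:7.4.0"}
OTHER_COMPONENT = dict(HIT, origin_component_name_version="requests:2.31.0")
NO_COMPONENT = dict(HIT, origin_component_name_version="")
OTHER_SCANNER = dict(HIT, scanner="otherscan / 2.0")
```

Because a rule with only the parser set matches every observation from that parser, each optional field left empty widens what the rule suppresses.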