Managing vulnerability policies
Vulnerability policies are managed under Policy Management > Vulnerability Policies. The required
permission is POLICY_MANAGEMENT, or one of the finer-grained POLICY_MANAGEMENT_CREATE,
POLICY_MANAGEMENT_READ, POLICY_MANAGEMENT_UPDATE, POLICY_MANAGEMENT_DELETE.
For background on what vulnerability policies are and how they work, see the concepts page. For field definitions and the bundle YAML schema, see the reference page.

Creating a Policy
- Click Create Policy to open the editor.
- On the General tab, provide a name, optional description and author, an operation mode, and a priority between 0 and 100. Higher values are evaluated first. Optionally set a validity window.
- On the Condition tab, write a CEL expression. The editor offers autocompletion for the available variables and functions, and a template dropdown with common patterns.
- On the Analysis tab, pick the state and any additional analysis fields to apply when the policy matches.
- On the Ratings tab, optionally add up to three rating overrides.
- Click Create.
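The steps above describe the fields a policy carries (priority 0 to 100 with higher values evaluated first, an optional validity window, a condition, an analysis state and up to three rating overrides). The following is an added example, not Dependency-Track's own code, that models those fields in Python to show how the validity window and priority ordering decide which policies are even considered and in what order. The `VulnerabilityPolicy` class, the `Finding` dict, the sample policies and the finding are all constructed for this illustration; a Python callable stands in for the CEL condition, and the tie-breaking rule for equal priorities is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Hypothetical model (not Dependency-Track's code) of the policy fields
# described on this page. The real condition is a CEL expression; here a
# Python callable over a finding dict stands in for it.
Finding = dict


@dataclass
class VulnerabilityPolicy:
    name: str
    priority: int                            # 0..100, higher values evaluated first
    condition: Callable[[Finding], bool]     # stand-in for the CEL condition
    analysis_state: str                      # state applied when the policy matches
    valid_from: Optional[datetime] = None    # optional validity window
    valid_until: Optional[datetime] = None
    rating_overrides: list = field(default_factory=list)  # at most three

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 100:
            raise ValueError(f"{self.name}: priority must be between 0 and 100")
        if len(self.rating_overrides) > 3:
            raise ValueError(f"{self.name}: at most three rating overrides")

    def is_valid_at(self, now: datetime) -> bool:
        """True unless `now` falls outside the policy's validity window."""
        if self.valid_from is not None and now < self.valid_from:
            return False
        if self.valid_until is not None and now > self.valid_until:
            return False
        return True


def evaluation_order(policies: list, now: datetime) -> list:
    """Policies in evaluation order: only those valid at `now`, highest
    priority first. Equal priorities keep their input order (assumption:
    the page does not specify tie-breaking)."""
    active = [p for p in policies if p.is_valid_at(now)]
    return sorted(active, key=lambda p: p.priority, reverse=True)


def matching_policies(policies: list, finding: Finding, now: datetime) -> list:
    """Names of the policies whose condition holds for `finding`, in evaluation order."""
    return [p.name for p in evaluation_order(policies, now) if p.condition(finding)]


# Constructed sample data for a stand-alone run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FINDING: Finding = {
    "vuln_id": "EXAMPLE-0001",     # constructed, not a real advisory id
    "severity": "LOW",
    "component_name": "example-lib",
    "has_fix": False,
}

SAMPLE_POLICIES = [
    VulnerabilityPolicy("mute-low", 10, lambda f: f["severity"] == "LOW", "NOT_AFFECTED"),
    VulnerabilityPolicy("example-lib-triage", 80, lambda f: f["component_name"] == "example-lib", "IN_TRIAGE"),
    VulnerabilityPolicy("expired-exception", 100, lambda f: True, "NOT_AFFECTED",
                        valid_until=datetime(2024, 1, 1, tzinfo=timezone.utc)),
    VulnerabilityPolicy("needs-fix", 50, lambda f: f["has_fix"], "EXPLOITABLE"),
]


def demo() -> list:
    """Evaluation order for the sample: the expired policy is dropped, the
    rest run highest priority first, and only matching names are returned."""
    return matching_policies(SAMPLE_POLICIES, SAMPLE_FINDING, NOW)


if __name__ == "__main__":
    print(demo())
```

Note that the highest-priority policy in the sample never runs because its validity window has ended; an expired exception silently stops applying, so validity windows are worth reviewing when a finding's analysis state unexpectedly changes.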

Editing and Deleting
User-managed policies can be edited or deleted from the list view. Bundle-managed policies appear read-only and must be changed at the bundle source.
Configuring the Bundle Source
Configure the bundle URL and (optionally) credentials on the API server. Refer to the bundle configuration properties for the full list.
Once the URL is configured, Dependency-Track fetches the bundle on the configured schedule. A bundle whose digest matches the last successful sync is skipped. An administrator may also trigger an immediate sync from Policy Management > Vulnerability Policies > Bundles > Sync.
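The digest check described above is what makes a scheduled sync safe to repeat: an unchanged bundle is skipped, and a bundle whose load failed is not recorded, so the next run retries it. The following is an added example, not Dependency-Track's own sync code, that models that behaviour in Python. The `SyncState` class, the `fetch` and `apply` callables and the two sample bundles are constructed for this illustration, and the choice of SHA-256 is an assumption; the page does not state which digest algorithm the server uses or the bundle's schema.

```python
import hashlib
from typing import Callable, Optional


def bundle_digest(bundle: bytes) -> str:
    """SHA-256 of the raw bundle bytes (assumption: the algorithm the
    server actually uses is not stated on this page)."""
    return "sha256:" + hashlib.sha256(bundle).hexdigest()


class SyncState:
    """Records the digest of the last *successful* sync only."""

    def __init__(self) -> None:
        self.last_successful_digest: Optional[str] = None


def sync_bundle(fetch: Callable[[], bytes],
                apply: Callable[[bytes], None],
                state: SyncState) -> str:
    """One scheduled (or manually triggered) sync. Returns 'skipped' when
    the fetched bundle's digest matches the last successful sync and
    'applied' when the bundle was loaded. If applying raises, the digest
    is not recorded, so the next run fetches and retries."""
    bundle = fetch()
    digest = bundle_digest(bundle)
    if digest == state.last_successful_digest:
        return "skipped"
    apply(bundle)                         # may raise; digest recorded only after success
    state.last_successful_digest = digest
    return "applied"


# Constructed sample bundles (not the real bundle YAML schema).
BUNDLE_V1 = b"policies:\n  - name: sample-policy\n    priority: 10\n"
BUNDLE_V2 = b"policies:\n  - name: sample-policy\n    priority: 20\n"


def demo() -> list:
    """Three syncs in a row: fresh bundle, unchanged bundle, changed bundle."""
    state = SyncState()
    loaded = []
    results = []
    for bundle in (BUNDLE_V1, BUNDLE_V1, BUNDLE_V2):
        results.append(sync_bundle(lambda b=bundle: b, loaded.append, state))
    return results   # ['applied', 'skipped', 'applied']


def demo_failed_apply() -> Optional[str]:
    """A failing apply must not advance the recorded digest."""
    state = SyncState()

    def broken_apply(_: bytes) -> None:
        raise RuntimeError("constructed failure while loading bundle")

    try:
        sync_bundle(lambda: BUNDLE_V1, broken_apply, state)
    except RuntimeError:
        pass
    return state.last_successful_digest   # None: the next run will retry


if __name__ == "__main__":
    print(demo(), demo_failed_apply())
```

The digest is compared against the last successful sync rather than the last attempt; keeping those two apart is what prevents a bundle that failed to load from being treated as already applied.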
