Policy Violation Grandfathering
The Policy Violation Grandfathering feature allows some policy violations to be "grandfathered" to streamline the process of onboarding new applications with existing policy violations. When enabled for an application or an application's parent organization, eligible policy violations will be marked as grandfathered on the first evaluation of an application. Grandfathered policy violations will not be treated as active violations, and Lifecycle will not take policy actions against them. If desired, these grandfathered policy violations can also be revoked to return to normal policy violation behavior.
What is Grandfathering?
This Lifecycle feature lets you acknowledge existing issues found in newly onboarded applications. The main objective of grandfathering is to provide an easier route to automated enforcement, which is difficult to achieve if there’s a large backlog of existing issues. When grandfathering is enabled, existing violations won’t cause a policy action, but if a new violation is introduced the policy action is still applied.
Here’s an example of how new application onboarding might work with grandfathering enabled:
- A policy administrator configures policies with a build action of fail and enables grandfathering at the root organization level.
- An application is scanned for the first time, showing components A and B, revealing violations A2 and B2. Since grandfathering is enabled, these violations are automatically deferred. No policy action is taken during this first scan, allowing the build to pass.
- Component C is added later, and that shows new violations and fails the build.
In the above example, the first evaluation is used to assess an application. Although there are violations, they represent existing risks and are marked as grandfathered. The build continues to pass with these violations until the new component is added revealing new violations that fail the build.
By default, Grandfathering does not defer violations of severity 9 or 10 because these violations represent significant risks.
Configuring Policy Violation Grandfathering on Organizations and Applications
By default, policy violation grandfathering is disabled on the Root Organization, and this setting is inherited by all child organizations and applications. However, the default Policy Violation Grandfathering configuration for the Root Organization also permits overrides by child organizations and applications, so this setting can be overridden. You can enable or disable Policy Violation Grandfathering for an organization or an application if there are no inherited restrictions on overriding the setting.
To enable or disable Policy Violation Grandfathering for an application or organization:
- Click the Organization & Policies icon on the Lifecycle toolbar.
- Select the organization or application that you wish to edit from the sidebar.
- Scroll down to the Policies section and locate the text describing the current configuration under Policy Violation Grandfathering.
- Click the chevron next to the description to pull up the edit screen shown below.
The options will vary slightly depending on whether you are editing the Root Organization, a child organization, or an application.
- For the Root Organization, you can select whether or not Policy Violation Grandfathering is enabled or disabled, and whether or not child organizations and applications can override this setting.
- For child organizations, you can select whether or not Policy Violation Grandfathering is enabled, disabled, or inherited from the parent, as well as whether or not applications can override this setting.
- For applications, you can select whether or not Policy Violation Grandfathering is enabled or disabled.
If a parent organization has disabled overrides then the settings from that parent will be inherited and the user interface for editing the configuration will be disabled with a message indicating the reason.
Configuring Policy Violation Grandfathering on Policies
You will also need to enable or disable grandfathering on individual policies. To do so, follow the directions in Configuring Policies for editing a policy. Once editing the policy, locate the Policy Violation Grandfathering section on the edit screen. Select or unselect the Allow this policy to be grandfathered checkbox.
For new installs, policy violation grandfathering is enabled in the reference policies for threat levels less than or equal to 8.
For any policy violations to be grandfathered, Policy Violation Grandfathering must also be enabled by configuring the application or parent organization.
Viewing Grandfathered Policy Violations
Information regarding grandfathered policy violations is displayed in several locations within Nexus Lifecycle.
Application Composition Report
The number of grandfathered policy violations will be displayed in the Application Composition Report.
Individual grandfathered policy violations are also displayed on the Policy Violations table when reviewing a report. The Grandfathered filter can be used to limit results to grandfathered policy violations. Be aware that grandfathered policy violations are not displayed when the report's Aggregated view is enabled (the default), so aggregation should be disabled when attempting to view the grandfathered violations.
Grandfathered policy violations can also be viewed using the filters on the Dashboard. Select the Violation State filter in the sidebar and select the Grandfathered checkbox to include grandfathered policy violations in dashboard results.
The number of grandfathered policy violations appears in the PDF Report under the Scope of Analysis section.
Notification emails also contain the number of grandfathered policy violations.
Grandfather Policy Violations
Existing policy violations can be grandfathered at the application level. Subsequent evaluations will treat these policy violations as grandfathered, but this action does not perform a new evaluation. This action will only be available if grandfathering is enabled or inherited for the application.
To grandfather existing policy violations for an application:
- Click the Organization & Policies icon on the Lifecycle toolbar.
- Select the application from the sidebar.
- Click the Grandfather <application name> item in the Actions menu.
A modal dialog will ask you to confirm the action before proceeding.
Revoking Policy Violation Grandfathering
Applications that have been grandfathered can be revoked to a non-grandfathered state. Subsequent scans and re-evaluations will include these policy violations if applicable, but existing reports will not change.
To revoke policy violation grandfathering for an application:
- Click Orgs and Policies on the left sidebar.
- Select the application.
- Click the Actions menu in the top right and select Revoke All Grandfathered.
- Click Revoke in the dialog box.