Issue Policies help you identify API endpoints that violate security policies. Traceable provides you with certain predefined vulnerability and compliance policies that you can customize to make them relevant to your organization. You can also define custom policies to identify these violations based on various attributes, such as the environment the API is present in, its vulnerability type, data sensitivity, and so on. You can also enable or disable these policies according to your requirements.

Issue Policies
Policy Categorization
The issue policies are separated into the following categories:
Category | Description |
---|---|
Traceable Vulnerabilities | This category lists the OWASP API Top 10 and Traceable recommended policies to identify vulnerabilities from Live Traffic across API endpoints. |
Traceable Compliance | This category lists Traceable's out-of-the-box compliance policies. These policies help identify some of the most common violations across API endpoints. |
PCI DSS | This category lists Traceable's policies for identifying PCI DSS data across API endpoints. |
Custom | This category lists the policies you create using various attributes according to your requirements. |
For more information on the above policies, see Policy View and Policy Configuration.
How to Navigate the Page?
You can access the Issue Policies page through Catalog → Settings → Issue Policies.
Where are the Identified Issues Listed?
While the Issue Policies page lists the policies, the identified violations are listed in API Catalog → Issues. On the Issues page, you can view the details about the violations and the API endpoints in which they were identified. For more information on how to navigate through these violations, see Issues.
Traceable also auto-resolves an issue by default, depending on the issue’s source. For more information, see Issues Resolution.
Note
The compliance policies only help in identifying violations across discovered API endpoints. Based on the details about these violations, you can also choose to create custom policies under API Protection. These policies help protect your APIs according to the settings you configure. For more information on how to create these policies, see Custom Policy.
Policy View
Traceable shows the following information for each category mentioned above:
[Screenshot: Policy View]
Column | Description |
---|---|
Control Name | The policy name, for example, API Param Contains URL. Traceable uses this policy name as the Issue Name on the Issues page. |
Severity | The severity of the issue detected as part of this policy. For example, the issue having the name API Param Contains URL will have Medium severity. |
Environments | The environment(s) in which the policy is applicable. By default, a policy applies to All Environments; however, you can edit this according to your requirements. For more information, see the Policy Configuration section below. |
Status | The policy's status: enabled or disabled. Policies are enabled by default (Traceable recommends keeping them enabled); click the toggle in a row to disable that policy according to your requirements. |
Actions | The functions you can perform on the policies. You can Edit the policy configuration, and Clone the policy (for Custom policies only) according to your requirements. For more information, see the Policy Configuration section below. |
Policy Configuration
This section discusses the out-of-the-box and custom policies and the steps to configure and edit them. Select the tab below that matches what you require.
Traceable, by default, provides you with some policies on the Issue Policies page. These policies are listed under the Traceable Compliance, PCI DSS, and Traceable Vulnerabilities tabs. Traceable recommends enabling these policies to help identify some of the most common violations and PCI DSS data across API endpoints.
Traceable also allows you to perform the following actions on a policy. To perform these actions, click the ellipsis (…) icon corresponding to a policy.
View a policy and its configuration.
Edit a policy configuration. For the steps, see the Edit Policy section below.
Edit Policy
To edit a policy configuration, click the ellipsis (…) icon → Edit corresponding to a policy, and complete the following steps:
Step 1 — Scope
Select the Environment(s) where you wish to apply the policy.
Define the policy scope by configuring the condition groups. You can add one or more condition groups according to your requirements:
Select how Traceable should match the condition groups:
Match All — When selected, Traceable performs an AND operation between the condition groups.
Match Any — When selected, Traceable performs an OR operation between the condition groups.
Click + Condition Group and complete the following steps:
Select how Traceable should match the conditions, Match All or Match Any.
Click + Add Condition.
Select the Attribute for which you wish to apply the condition.
Select the Operator corresponding to the attribute.
Select the Value(s) corresponding to the attribute and operator.
(Optional) Click + corresponding to a condition to add more according to your requirements.
(Optional) Repeat the above step to add more condition groups.
Click Next.
Step 2 — Parameters
Select the Attribute and its corresponding Operator, and specify the Value on which Traceable should detect issues for the policy. Then click Next.
Step 3 — Severity Conditions
Select the Severity that Traceable should assign to the issues detected using the policy, and click Save.
You can create custom policies by selecting various attributes according to your requirements. Traceable uses these policies, identifies their corresponding violations, and lists them on the Issues page for you to take action.
Note
Each custom policy should have a unique name.
Custom policies may take up to 24 hours after creation to generate Issues.
Creating a Custom Policy
To create a custom policy, in the page’s top right corner, click + Custom Policy, and complete the following steps:
Step 1 — Scope
Specify the policy Name. For example, API endpoint contains critical data.
Traceable uses this policy name as the Issue Name on the Issues page.
Note
You cannot edit the name after the policy is created.
Specify a Description for the policy.
From the Category drop-down list, select the category to which the detected violation should belong, or type a new category name and click Create new Category “<Category Name>” (for example, Production).
From the Environment drop-down list, select the environment(s) in which the policy should apply. By default, Traceable selects All Environments.
Define the policy Scope by configuring the condition groups. You can add one or more condition groups according to your requirements:
Select how Traceable should match the condition groups:
Match All — When selected, Traceable performs an AND operation between the condition groups.
Match Any — When selected, Traceable performs an OR operation between the condition groups.
Click + Condition Group and complete the following steps:
Select how Traceable should match the conditions, Match All or Match Any.
Click + Add Condition.
Select the Attribute for which you wish to apply the condition.
Select the Operator corresponding to the attribute.
Select the Value(s) corresponding to the attribute and operator.
(Optional) Click + corresponding to a condition to add more according to your requirements.
(Optional) Repeat the above step to add more condition groups.
Click Next.
Step 2 — Detection Conditions
In the API Attribute section, click + Add condition and select the attribute according to your requirements. For example, Endpoint Name is equal to (=) GET /userinfo/json.
In the Vulnerability Attribute section, click + Add condition and select the attribute according to your requirements. For example, Vulnerability Status is (IN) either Open or Under review.
In the Datatypes section, click + Add condition and select the attributes according to your requirements. For example, Request & Response of the API endpoint contains any of (Contains any of) the Credit Card PIN, username, or password data types.
In the Datasets section, click + Add condition and select the attributes according to your requirements. For example, Response of the API endpoint does not contain either (Contains any of) the Generic Personal Info or PII UK data sets.
In the Data Sensitivity section, click + Add condition and select the attributes according to your requirements. For example, the Request data of an API endpoint is highly (High) sensitive.
Click Next.
Note
Traceable carries out an AND operation between the conditions defined above.
Step 3 — Severity Conditions
Select the Severity that Traceable should assign to the issues detected using the policy, and click Submit.
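As an added illustration of the condition semantics used in both the Edit Policy and Creating a Custom Policy steps above (Match All as AND and Match Any as OR across scope condition groups, detection conditions ANDed together, and a Severity assigned to each match), here is a small Python model. It is not Traceable's code; the attribute names, the operator subset, the policy record and the endpoint record are constructed assumptions loosely modelled on the page's Step 2 example.

```python
# Added example, not Traceable's code: a model of the policy semantics this page describes.

OPERATORS = {  # constructed subset, named after the operators the page mentions
    "=": lambda actual, expected: actual == expected,
    "IN": lambda actual, expected: actual in expected,
    "Contains any of": lambda actual, expected: bool(set(actual) & set(expected)),
}

def eval_condition(endpoint, cond):
    """cond = (attribute, operator, value); an absent attribute never matches."""
    attribute, operator, value = cond
    return attribute in endpoint and OPERATORS[operator](endpoint[attribute], value)

def combine(match, results):
    """Match All = AND across results, Match Any = OR, as the Scope step defines."""
    return all(results) if match == "All" else any(results)

def in_scope(endpoint, policy):
    """Environment filter first, then condition groups combined as the policy says."""
    envs = policy["environments"]
    if envs != "All Environments" and endpoint.get("Environment") not in envs:
        return False
    scope = policy["scope"]
    return combine(scope["match"], [
        combine(g["match"], [eval_condition(endpoint, c) for c in g["conditions"]])
        for g in scope["groups"]])

def evaluate(endpoint, policy):
    """Return an issue record if the endpoint violates the policy, else None."""
    # Detection conditions are ANDed with each other, as the page's note states.
    if not in_scope(endpoint, policy) or not all(
            eval_condition(endpoint, c) for c in policy["detection"]):
        return None
    return {"Issue Name": policy["name"], "Severity": policy["severity"],
            "Endpoint": endpoint["Endpoint Name"]}

POLICY = {  # constructed policy mirroring the page's Step 2 example
    "name": "API endpoint contains critical data", "severity": "High",
    "environments": "All Environments",
    "scope": {"match": "Any", "groups": [
        {"match": "All", "conditions": [("Environment", "=", "Production")]}]},
    "detection": [
        ("Endpoint Name", "=", "GET /userinfo/json"),
        ("Vulnerability Status", "IN", ["Open", "Under review"]),
        ("Request & Response Datatypes", "Contains any of",
         ["Credit Card PIN", "username", "password"]),
        ("Request Data Sensitivity", "=", "High")]}

ENDPOINT = {  # constructed endpoint record that violates POLICY
    "Environment": "Production", "Endpoint Name": "GET /userinfo/json",
    "Vulnerability Status": "Open", "Request Data Sensitivity": "High",
    "Request & Response Datatypes": ["username", "session_id"]}
```

Calling evaluate(ENDPOINT, POLICY) yields an issue named after the policy with Severity High; changing the endpoint's environment, vulnerability status or data types so that any condition fails yields None.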
Custom Policy Actions
You can perform the following actions on the policies by clicking the ellipsis (…) icon corresponding to a row:
View a policy to see the attributes that Traceable uses to identify violations.
Edit a policy to add or remove attributes according to your requirements.
Clone and edit a policy to add or remove attributes according to your requirements. While cloning a policy, you can also choose whether to edit the cloned policy directly; if you do, Traceable automatically opens the policy configuration for modification.
Delete a policy.
Note
A deleted policy cannot be restored.