Skip to main content

Create OWASP top 10 only rules policy

Create an OWASP top 10 policy to focus the analysis of your source code on OWASP top 10 based findings only. When you save the policy to the root of a repo or directory you wish to scan, it disables all rules except for rules specifically linked to the OWASP top 10 list.

Best practice: Use this policy on new Scan projects only. If you use the policy on an existing project, Contrast Scan might mark some existing findings as Remediated and therefore, may show significant changes to open vulnerabilities.

View scan details describes how to see which files and rules are excluded for a specific scan.

Steps

Create a text file named contrastsec.checks.config and place it at the root of the project you are going to scan.
Copy the code in OWASP 10 rules only and add it to the file.
Run the scan.

See also

Create custom Scan rule exclusions shows an example of how to significantly change the rules a scan uses. Doing so lowers the noise and potential for false positives that can occur with the larger rules base.

In this section:

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.