As of December 31st, 2023, ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

CI/CD Pass Criteria

Introduction

Introduced as part of our CI/CD Policies page, Pass Criteria allow you to evaluate applications based on the number of vulnerabilities of a given severity they have, or the number of vulnerabilities of a given severity introduced since a point in time. These are primarily meant to be used with the Evaluate CI/CD Pass Criteria REST call, which you can find here: Evaluate CI/CD Pass Criteria - API

Creating Pass Criteria

When you create a new set of Pass Criteria, you will see a modal like this appear:



You must select a value for at least one of Not Allowed or Not Introduced; the other can be left blank. In the pictured example, an application would be considered "Failing" if it ever had any Critical severity Vulnerabilities, or if it had any Critical severity Vulnerabilities introduced over the evaluation period (which is specified in the REST call).

Managing Applications

After you have created Pass Criteria, you can click Manage Applications next to them to attach Applications and view their evaluation status.


After you have added Applications, you can run the REST call to evaluate their status (Evaluate CI/CD Pass Criteria - API). If you open the Manage Applications modal for the Pass Criteria, you can see the status of the evaluation, and if you hover your mouse cursor over the status you will see what the Pass Criteria rules were at the time of evaluation. This way you can know why an application passed or failed even if you later edit the rules of the Pass Criteria.

Evaluation Automation

To get the most use out of Pass Criteria, you will likely want to have automated processes run evaluations on your applications and return information based on the results.  Aside from our REST calls you may use to manage CI/CD Pass Criteria, you can also use the ThreadFix Jenkins Plugin (Jenkins Plugin).  Reach out to your ThreadFix contact to learn how to obtain this plugin.
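The following is an added example that models the evaluation described on this page, covering the Not Allowed / Not Introduced limits from Creating Pass Criteria, the rules snapshot kept with each result from Managing Applications, and the pass/fail exit code a pipeline step in Evaluation Automation would consume. It is not ThreadFix's own implementation and does not call the ThreadFix REST API; the `PassCriterion`, `Vulnerability` and `evaluate` names, the "fail when the count exceeds the limit" semantics, and the sample vulnerability data are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class PassCriterion:
    """One row of a Pass Criteria set: a severity with two optional limits.

    not_allowed:    fail if MORE than this many vulnerabilities of the severity
                    exist at all (None means the field was left blank).
    not_introduced: fail if MORE than this many were found inside the
                    evaluation period (None means the field was left blank).
    The "more than the limit" reading is an assumption of this example.
    """
    severity: str
    not_allowed: Optional[int] = None
    not_introduced: Optional[int] = None


@dataclass(frozen=True)
class Vulnerability:
    severity: str
    found: datetime  # when the finding was first reported (constructed data below)


@dataclass(frozen=True)
class Evaluation:
    passed: bool
    reasons: Tuple[str, ...]
    # Snapshot of the rules in force when this result was produced, so the
    # outcome stays explainable even if the Pass Criteria are edited later.
    rules_at_evaluation: Tuple[PassCriterion, ...]


def evaluate(vulns: Iterable[Vulnerability], criteria: Iterable[PassCriterion],
             period_start: datetime, evaluated_at: datetime) -> Evaluation:
    """Apply every criterion to the vulnerability list; any breached limit fails."""
    vulns = tuple(vulns)
    criteria = tuple(criteria)
    reasons = []
    for rule in criteria:
        if rule.not_allowed is None and rule.not_introduced is None:
            # Mirrors the form rule: at least one of the two fields must be set.
            raise ValueError(f"{rule.severity}: set Not Allowed or Not Introduced")
        of_sev = [v for v in vulns if v.severity == rule.severity]
        if rule.not_allowed is not None and len(of_sev) > rule.not_allowed:
            reasons.append(f"{rule.severity}: {len(of_sev)} present, "
                           f"Not Allowed limit is {rule.not_allowed}")
        if rule.not_introduced is not None:
            new = [v for v in of_sev if period_start <= v.found <= evaluated_at]
            if len(new) > rule.not_introduced:
                reasons.append(f"{rule.severity}: {len(new)} introduced since "
                               f"{period_start:%Y-%m-%d}, Not Introduced limit is "
                               f"{rule.not_introduced}")
    return Evaluation(passed=not reasons, reasons=tuple(reasons),
                      rules_at_evaluation=criteria)


def ci_exit_code(evaluation: Evaluation) -> int:
    """Exit status a pipeline step would return: 0 passes the gate, 1 fails it."""
    return 0 if evaluation.passed else 1


# Constructed sample data (not from a real ThreadFix instance).
NOW = datetime(2023, 6, 30)
PERIOD_START = NOW - timedelta(days=30)  # the evaluation period from the REST call
SAMPLE_VULNS = (
    Vulnerability("Critical", NOW - timedelta(days=40)),  # older than the period
    Vulnerability("Critical", NOW - timedelta(days=10)),  # introduced in the period
    Vulnerability("High", NOW - timedelta(days=5)),
    Vulnerability("Medium", NOW - timedelta(days=90)),
)
# The pictured example: no Critical findings allowed, none introduced.
STRICT_CRITICAL = (PassCriterion("Critical", not_allowed=0, not_introduced=0),)
# Not Allowed left blank; only recent High findings are limited.
RECENT_HIGHS_ONLY = (PassCriterion("High", not_introduced=2),)

if __name__ == "__main__":
    for name, rules in (("strict critical", STRICT_CRITICAL),
                        ("recent highs only", RECENT_HIGHS_ONLY)):
        result = evaluate(SAMPLE_VULNS, rules, PERIOD_START, NOW)
        print(name, "->", "PASS" if result.passed else "FAIL", list(result.reasons))
    raise SystemExit(ci_exit_code(evaluate(SAMPLE_VULNS, STRICT_CRITICAL, PERIOD_START, NOW)))
```

Each `Evaluation` carries the rules it was judged against, which is the same idea as the hover text in the Manage Applications modal: a gate result is only useful to a developer if the rule that produced it can still be seen after the Pass Criteria have changed.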

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.