Red Hat Advanced Cluster Security
ROX-28014

Add the ability to route policy events to multiple pre-filtered integrations

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Undefined
    • Policy notifier bucket integration
    • Product / Portfolio Work
    • Status: To Do

      CUSTOMER PROBLEM

      In order to segment groups of policy violations and route alerts to multiple stakeholders, many integrations and many policies must be created. For example, if a single policy applies to several groups whose areas of responsibility are different scopes, a policy and integration combination must be created for each unique scope/recipient pair.

      Say the policy "90-Day Image Age" is applicable to teams A, B, C, and D, and each of those teams has a dedicated Slack channel for handling alerts. To achieve this in ACS today, the original "90-Day Image Age" policy must be cloned four times, with a separate set of inclusions/exclusions applied to each clone. In addition, four notifiers (one per Slack channel) must be created and attached to the appropriate policy.

      The number of distinct policies and integrations scales with the number of unique groups the policy affects, which leads to duplication and to the policy criteria drifting out of sync across the clones.

      PROPOSED SOLUTION

      A policy will have the ability to apply pre-filters, or "buckets", to alerts. A bucket is applied after the policy is triggered/enforced but before the violation data is sent to a notifier, so a single set of policy criteria can be segmented by scope, avoiding duplication and allowing granular notification to different user groups.

      The buckets can be created using the appropriate ACS search filters.

      The buckets can also carry policy criteria that fall outside the ACS search filters, in order to have more control over false positives. Example: the "Environment Variable Contains Secret" policy fires when an env var matches `.SECRET.`, but notifications to a specific notifier can be excluded when the workload in violation is in the `stackrox` namespace and the secret itself matches on the key `TLS-SECRET`.
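      The following is an added worked example of the routing step the proposal describes, written for this page and not code from the ACS project. It models a bucket as a notifier plus a set of scope filters (all must match) and a set of exclusion criteria (any fully matching entry suppresses the notification), then routes constructed violations for the two policies named above. The `Violation` and `Bucket` shapes, the `label:<key>` filter syntax and the use of regular-expression full matches in place of ACS's own search-filter semantics are assumptions made for illustration; the `fallback` notifier is added because a violation that lands in no bucket would otherwise disappear silently.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Violation:
    """A policy violation as the notification layer would see it (hypothetical shape)."""
    policy: str
    cluster: str
    namespace: str
    deployment: str
    labels: dict[str, str]
    env_var: str | None = None  # key of the offending env var, when the policy inspects one


@dataclass
class Bucket:
    """One notifier plus the filters that decide whether a violation reaches it."""
    notifier: str
    include: dict[str, str]                   # field -> regex; all must match (stands in for an ACS scope filter)
    exclude: tuple[dict[str, str], ...] = ()  # extra criteria; any fully matching entry suppresses the alert


def _field(v: Violation, name: str) -> str | None:
    """Resolve a filter field name against a violation; 'label:<key>' reads a deployment label."""
    if name.startswith("label:"):
        return v.labels.get(name[len("label:"):])
    value = getattr(v, name, None)
    return value if isinstance(value, str) else None


def _all_match(criteria: dict[str, str], v: Violation) -> bool:
    """True only if every criterion field is present and fully matches its pattern."""
    for name, pattern in criteria.items():
        value = _field(v, name)
        if value is None or re.fullmatch(pattern, value) is None:
            return False
    return True


def route(v: Violation, buckets: dict[str, list[Bucket]], fallback: str | None = None) -> list[str]:
    """Return the notifiers that should receive `v`, in bucket order.

    A violation matching no bucket is routed to `fallback` (if given) rather than dropped.
    """
    targets: list[str] = []
    for bucket in buckets.get(v.policy, []):
        if not _all_match(bucket.include, v):
            continue  # outside this bucket's scope
        if any(_all_match(ex, v) for ex in bucket.exclude):
            continue  # in scope, but an exclusion criterion marks it as a known false positive
        targets.append(bucket.notifier)
    if not targets and fallback is not None:
        targets.append(fallback)
    return targets


# Constructed bucket configuration (not from ACS): one '90-Day Image Age' policy fanned out
# to four team channels by label or namespace, and one secret-detection policy with an
# exclusion for the stackrox namespace's TLS-SECRET variable.
BUCKETS: dict[str, list[Bucket]] = {
    "90-Day Image Age": [
        Bucket("slack-team-a", {"label:team": "a"}),
        Bucket("slack-team-b", {"label:team": "b"}),
        Bucket("slack-team-c", {"namespace": r"team-c-.*"}),
        Bucket("slack-team-d", {"cluster": "prod", "namespace": "payments"}),
    ],
    "Environment Variable Contains Secret": [
        Bucket(
            "slack-platform",
            {"cluster": r".*"},
            exclude=({"namespace": "stackrox", "env_var": "TLS-SECRET"},),
        ),
    ],
}


if __name__ == "__main__":
    samples = [
        Violation("90-Day Image Age", "prod", "team-a-web", "web", {"team": "a"}),
        Violation("90-Day Image Age", "dev", "sandbox", "scratch", {}),
        Violation("Environment Variable Contains Secret", "prod", "stackrox", "central", {}, "TLS-SECRET"),
        Violation("Environment Variable Contains Secret", "prod", "stackrox", "central", {}, "DB_SECRET"),
    ]
    for s in samples:
        print(f"{s.policy} / {s.namespace} / {s.env_var}: {route(s, BUCKETS, fallback='slack-security')}")
```

      Note the order of evaluation: scope filters decide which bucket a violation belongs to, and only then do the exclusion criteria run, so an exclusion on one notifier never hides the violation from the other buckets.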

              vwilson@redhat.com Van Wilson
              rh-ee-dvail David Vail
              ACS Core Workflows