Merge pull request #9207 from harness/STO-8477

STO: Document STO Policy Sample - Block Based on External Policy Failures

Author: priteshchandaliya

docs/security-testing-orchestration/sto-techref-category/anchore-enterprise-scanner-reference.md

@@ -20,7 +20,7 @@ You can scan your container images with [Anchore Enterprise](https://docs.anchor
 
 - You must use the Anchore v2 API and Anchore Enterprise Server v5.0 or higher to run orchestration and extraction scans.
 
-- When you're deploying an Anchore Enterprise server, expose port 8228. This is the port that Harness uses to communicate with the server.
+When you deploy an Anchore Enterprise server, expose port 8228. Harness uses this port to communicate with the server.
 
 ### All data ingestion methods are supported
 
@@ -229,7 +229,7 @@ import ScannerRefAdvancedSettings from './shared/_advanced-settings.md';
 <ScannerRefAdvancedSettings />
 
 ## View Anchore policy failures
-Anchore policy failures will appear in scan results as `Info` severity issues, with the issue type set to `EXTERNAL_POLICY`. Successfully passed policies will not be included in the scan results.  Additionally, you can apply [OPA policies](/docs/security-testing-orchestration/policies/create-opa-policies) in Harness STO to enforce or manage the policy failures.
+Anchore policy failures will appear in scan results as `Info` severity issues, with the issue type set to `EXTERNAL_POLICY`. Successfully passed policies will not be included in the scan results.  Additionally, you can apply an OPA policy to fail the pipeline based on the policy failures. This can be achieved using the [Security Tests - External Policy Failures](/docs/security-testing-orchestration/policies/create-opa-policies.md#block-the-pipeline-based-on-external-policy-failures) policy from the [security tests policy samples](/docs/security-testing-orchestration/policies/create-opa-policies.md#security-test-policy-samples).
 
 ## Proxy settings
 

docs/security-testing-orchestration/sto-techref-category/shared/_wiz-policy-failure-results.md

@@ -0,0 +1 @@
+The Wiz policy failure results appear in the scan results as an `Info` level issue, categorized as `External Policy` Issue Type. Additionally, you can apply an OPA policy to fail the pipeline based on the policy failures. This can be achieved using the [Security Tests - External Policy Failures](/docs/security-testing-orchestration/policies/create-opa-policies.md#block-the-pipeline-based-on-external-policy-failures) policy from the [security tests policy samples](/docs/security-testing-orchestration/policies/create-opa-policies.md#security-test-policy-samples).

docs/security-testing-orchestration/sto-techref-category/shared/wiz-policy-failure-results.md

@@ -344,7 +344,7 @@ You can use [Harness expressions](https://developer.harness.io/docs/platform/var
 This setup ensures that the scan result name reflects both the branch and the PR, making it easier to identify and manage scan results in the SonarQube portal.
 
 ## View SonarQube quality gate failures
-SonarQube quality gate failures will appear in scan results as 'Info' severity issues, with the issue type set to `EXTERNAL_POLICY`. Additionally, you can apply OPA policies in Harness STO to enforce or manage these failures.
+SonarQube quality gate failures will appear in scan results as 'Info' severity issues, with the issue type set to `EXTERNAL_POLICY`. Additionally, you can apply an OPA policy to fail the pipeline based on the quality gate failures. This can be achieved using the [Security Tests - External Policy Failures](/docs/security-testing-orchestration/policies/create-opa-policies.md#block-the-pipeline-based-on-external-policy-failures) policy from the [security tests policy samples](/docs/security-testing-orchestration/policies/create-opa-policies.md#security-test-policy-samples).
 
 To retrieve quality gate failure data from SonarQube, ensure the access token used in the SonarQube step configuration has **Browse Project** or **Administer** [permissions](https://docs.sonarsource.com/sonarqube/latest/instance-administration/user-management/user-permissions/) for the project being scanned.
 

docs/security-testing-orchestration/sto-techref-category/sonarqube-sonar-scanner-reference.md

@@ -394,7 +394,7 @@ import ScannerRefAdvancedSettings from '../shared/_advanced-settings.md';
 
 ## View Wiz policy failures
 
-import WizPolicyFailureResults from '../shared/_wiz-policy-failure-results.md';
+import WizPolicyFailureResults from '../shared/wiz-policy-failure-results.md';
 
 <WizPolicyFailureResults />
 

docs/security-testing-orchestration/sto-techref-category/wiz/artifact-scans-with-wiz.md

@@ -268,7 +268,7 @@ import ScannerRefAdvancedSettings from '../shared/_advanced-settings.md';
 
 ## View Wiz policy failures
 
-import WizPolicyFailureResults from '../shared/_wiz-policy-failure-results.md';
+import WizPolicyFailureResults from '../shared/wiz-policy-failure-results.md';
 
 <WizPolicyFailureResults />
 

docs/security-testing-orchestration/sto-techref-category/wiz/iac-scans-with-wiz.md

@@ -313,7 +313,7 @@ import ScannerRefAdvancedSettings from '../shared/_advanced-settings.md';
 
 ## View Wiz policy failures
 
-import WizPolicyFailureResults from '../shared/_wiz-policy-failure-results.md';
+import WizPolicyFailureResults from '../shared/wiz-policy-failure-results.md';
 
 <WizPolicyFailureResults />
 

docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz.md

@@ -18,6 +18,7 @@ The Harness Policy Library includes the following [policy samples](/docs/platfor
 - [Exclude vulnerabilities by CVE age](#exclude-vulnerabilities-by-cve-age)
 - [Exclude vulnerabilities using STO output variables](#exclude-vulnerabilities-using-sto-output-variables)
 - [Block the pipeline based on the code coverage results](#block-the-pipeline-based-on-the-code-coverage-results)
+- [Block the pipeline based on external policy failures](#block-the-pipeline-based-on-external-policy-failures)
 
 <!-- TOC end -->
 
@@ -243,4 +244,28 @@ deny_list :=([
 #    "name": "HIGH", "value": 0, "operator": ">"
 #  }
 ])
+```
+
+#### Block the pipeline based on external policy failures
+
+Apply a policy to the scan step to either warn or block the pipeline based on the external policy failures. You can use the sample policy **Security Tests - External Policy Failures**. Below is a sample policy for reference:
+
+```
+package securityTests
+
+import future.keywords.in
+import future.keywords.if
+
+# Define a set of Output Variables that are denied
+deny_list :=([
+# Fail if EXTERNAL_POLICY_FAILURES count is greater than 0
+  {
+    "name": "EXTERNAL_POLICY_FAILURES", "value": 0, "operator": ">"
+  },
+# Optionally define more Output Variables here
+#  {
+#    "name": "HIGH", "value": 0, "operator": ">"
+#  }
+])
+
 ```