Evaluations

If you have policies applied to the gates at a lifecycle stage, the policy evaluations are triggered when you initiate a promotion.

Evaluation Example

You have an exit gate (Exit | QA) on the QA stage of your software development lifecycle, and the gate applies a policy with the rule: Critical CVE with CVSS score between 9.0 and 10.0.

When you initiate a promotion of the application version from QA to another stage, an evaluation of this rule will take place. This means that AppTrust will look for evidence that the version is compliant and compare the details of the evidence to the requirements of the policy.

  • If the version is compliant, the outcome of the evaluation is Pass, and the version can advance to the next stage.
  • If the version violates a rule, the outcome is Fail or Warning, and an issue is triggered. In this particular example, an issue would be triggered when an application resource (such as a Docker image) contains a package or component affected by a CVE with a CVSS score in the Critical range (9.0–10.0).

Evaluation Decisions

Each evaluation can include multiple policies at a stage gate and produces an overall decision, calculated across applicable policies. For example, a stage gate might have the following policies applied:

  • No Critical CVEs detected
  • All QA tests passed
  • SLSA provenance required

All of the applied policies are evaluated as part of the promotion, and the promotion succeeds only according to the overall decision that results.

A decision can be:

  • Pass: All policies are satisfied. The version may advance to the next stage.
  • Fail: Blocking policy violations are detected. The version cannot advance.
  • Warning: An issue is triggered, but the version may advance.
  • Error: A technical error prevented the evaluation from completing. The version cannot advance.
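The following is an added illustration of how the Critical CVE rule from the example above and the four-way decision of a multi-policy gate fit together. It is not AppTrust's own code; the evidence layout, the `blocking` flag that turns a violation into Fail rather than Warning, and the precedence used to fold per-policy outcomes into one gate decision (Error over Fail over Warning over Pass) are all assumptions made for the example, and the evidence records are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable

class Decision(str, Enum):
    PASS = "Pass"
    WARNING = "Warning"
    FAIL = "Fail"
    ERROR = "Error"

# Assumed precedence when folding per-policy outcomes into one gate decision:
# any Error wins, then any Fail, then any Warning, otherwise Pass.
_SEVERITY = {Decision.PASS: 0, Decision.WARNING: 1, Decision.FAIL: 2, Decision.ERROR: 3}

@dataclass(frozen=True)
class Policy:
    name: str
    check: Callable[[dict], bool]  # returns True when the evidence is compliant
    blocking: bool = True          # assumption: violation -> Fail if blocking, else Warning

def critical_cve_rule(evidence: dict) -> bool:
    """Compliant when no component carries a CVE with a CVSS score in 9.0-10.0 (Critical)."""
    for component in evidence["components"]:
        for cve in component.get("cves", []):
            if 9.0 <= float(cve["cvss"]) <= 10.0:
                return False
    return True

def qa_tests_rule(evidence: dict) -> bool:
    """Compliant when the recorded QA run reports zero failed tests."""
    return evidence["qa"]["failed"] == 0

def slsa_provenance_rule(evidence: dict) -> bool:
    """Compliant when a SLSA provenance attestation is recorded for the version."""
    return evidence["slsa_provenance"] is True

def evaluate_policy(policy: Policy, evidence: dict) -> Decision:
    """Evaluate one policy; missing or malformed evidence yields Error, not Pass."""
    try:
        compliant = policy.check(evidence)
    except (KeyError, TypeError, ValueError):
        return Decision.ERROR
    if compliant:
        return Decision.PASS
    return Decision.FAIL if policy.blocking else Decision.WARNING

def evaluate_gate(policies: Iterable[Policy], evidence: dict) -> tuple[Decision, dict[str, Decision]]:
    """Evaluate every policy on the gate and return (overall decision, per-policy outcomes)."""
    outcomes = {p.name: evaluate_policy(p, evidence) for p in policies}
    overall = max(outcomes.values(), key=lambda d: _SEVERITY[d], default=Decision.PASS)
    return overall, outcomes

def may_advance(decision: Decision) -> bool:
    """Only Pass and Warning let the version move to the next stage."""
    return decision in (Decision.PASS, Decision.WARNING)

# Hypothetical "Exit | QA" gate carrying the three policies listed in the text.
QA_EXIT_GATE = (
    Policy("No Critical CVEs detected", critical_cve_rule),
    Policy("All QA tests passed", qa_tests_rule),
    Policy("SLSA provenance required", slsa_provenance_rule),
)

# Constructed evidence for one application version (not real scan output).
COMPLIANT_EVIDENCE = {
    "components": [{"name": "libexample", "cves": [{"id": "CVE-0000-00001", "cvss": 8.9}]}],
    "qa": {"passed": 120, "failed": 0},
    "slsa_provenance": True,
}
CRITICAL_CVE_EVIDENCE = {
    "components": [{"name": "base-image", "cves": [{"id": "CVE-0000-00002", "cvss": 9.8}]}],
    "qa": {"passed": 120, "failed": 0},
    "slsa_provenance": True,
}
INCOMPLETE_EVIDENCE = {  # no QA results recorded at all -> technical Error
    "components": [],
    "slsa_provenance": True,
}

if __name__ == "__main__":
    for label, ev in [("compliant", COMPLIANT_EVIDENCE),
                      ("critical CVE", CRITICAL_CVE_EVIDENCE),
                      ("incomplete", INCOMPLETE_EVIDENCE)]:
        overall, per_policy = evaluate_gate(QA_EXIT_GATE, ev)
        print(f"{label}: {overall.value}, may advance: {may_advance(overall)}")
        for name, outcome in per_policy.items():
            print(f"  {name}: {outcome.value}")
```

The boundary check in `critical_cve_rule` is inclusive on both ends, matching the stated 9.0 to 10.0 range, so a CVSS 8.9 finding is treated as compliant for this rule while 9.0 is a violation. A missing evidence field is deliberately reported as Error rather than silently passing, so that an absent scan cannot be mistaken for a clean one.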

Evaluation Information

AppTrust provides the following information about the evaluations made:

What’s Next?

Learn more about Application Evaluations.