
Custom Report Policies

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Custom report policies enable you to create report policies that suit your requirements. Another option is to clone an existing report policy and modify it based on your needs.

This article explains how to create and configure custom report policies. For further information about report policies, refer to Overview of Report Policies.

With custom report policies you can do the following:

  • Edit the report policies based on your requirements.
  • Change vulnerability details, impact, remedy information, etc. in addition to the severity level, the visibility, and the classification properties of a vulnerability.
  • Configure settings, including how the web security scanner displays its findings in the Invicti application and in reports.

TIP: If you want to enable or disable specific security checks in the actual scan itself, you should configure a Scan Policy instead.

Configuring report policies in Invicti Enterprise

Configuring a custom report policy involves two steps: first create the report policy, then customize it. Follow the instructions below to create and configure a new custom report policy.

How to create a new report policy in Invicti Enterprise

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies > New Report Policy.
  3. In the Name field, enter a name for your report policy.
  4. In the Description field, enter a description for your report policy.
  5. Click the checkbox to enable the Shared function if you want to share your report policy with other team members.
  6. If you enabled the shared function, add the website group(s) you want to share your report policy with. The team members who have permission to scan the selected website groups will also be able to use this report policy.
  7. Click Save.

How to customize a report policy in Invicti Enterprise

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies > Report Policies.
  3. From the Report Policies page, select the name of the report policy you want to customize.
  4. Select the Editor tab. The full list of vulnerabilities is displayed.
  5. In the vulnerabilities library list, use the checkboxes to select the vulnerabilities you want to include in your report policy. You can also search for a specific vulnerability.

  6. To change the severity level of a vulnerability, select the vulnerability from the vulnerabilities library list on the left, then use the drop-down menu to select a different severity level.

  7. To edit the details of a vulnerability, click the checkbox next to the section you want to edit, then make your changes and click Save.

  8. To add a new vulnerability to the report policy, select New in the Actions section. The Vulnerability Editor is displayed. Fill in the fields as required and select Save. For more information about the Vulnerability Editor fields, refer to Editing vulnerabilities and assigning security standards in Invicti Enterprise.

  9. To clone a selected vulnerability to the report policy, select Clone in the Actions section. The Clone Vulnerability dialog is displayed. From the Type drop-down, select the vulnerability type and click Save.

  10. To edit a selected vulnerability in the report policy, select Edit in the Actions section. The Vulnerability Editor dialog is displayed for the selected vulnerability. Change as required and select Save.

Setting a default report policy

You can set one of your report policies as the default in Invicti Enterprise, so that you or your team members can attach this default report policy to a scan easily. If required, you can attach a report policy other than the default to a scan while launching a security scan.

  • You can select a default report policy from your shared report policies.
  • You can edit your default policy but cannot set it as private or delete it. To delete it, you must first remove its default status.
  • You can continue using the default report policy even if the user who created the policy is no longer a part of your team or company.
  • This feature is only available in Invicti Enterprise On-Demand.

For further information about configuring report policies, refer to Configuring report policies in Invicti Enterprise.

How to set a report policy as the default

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Settings > General.
  3. Scroll down to the Default Policies section. Use the Default Report Policy drop-down menu to select the report policy you want. Then click Save.

The report policy you selected appears as the default on the Report Policies page.

Configuring report policies in Invicti Standard

How to create a custom report policy in Invicti Standard

  1. From the ribbon, select the Home tab, then Report Policy Editor. The Report Policy Editor dialog is displayed. This consists of a Report Policy list, a vulnerabilities library list (with the full list of vulnerabilities that Invicti scans for) and individual vulnerability details.
  2. In the Report Policy Editor, select New. At the top of the Report Policy list, a new Report Policy is displayed.
  3. Click on the new Report Policy to rename it.
  4. Browse the vulnerabilities library list and use the checkboxes to select the vulnerabilities you want to include in your Scan Report and deselect those you want to exclude. You can also use the input field at the top to search for a specific vulnerability.
  5. For each vulnerability, use the dropdown to change its Severity Level, if required.
  6. To add a new vulnerability to the Report Policy, select New in the vulnerabilities library list. The Vulnerability Editor dialog is displayed.

Fill in the fields as required and select OK.

  7. To clone a selected vulnerability to the Report Policy, select Clone in the vulnerabilities library list. The Clone Vulnerability dialog is displayed.

From the Type dropdown, select the vulnerability type and select OK.

  8. To edit a selected vulnerability in the Report Policy, select Edit in the vulnerabilities library list. The Vulnerability Editor dialog is displayed. Change as required and select OK.
  9. To delete a selected vulnerability in the Report Policy, select Delete.
  10. To overwrite CVSS environmental metrics in all vulnerabilities, select Set Metrics. The Environmental Metrics dialog is displayed.

Select the dropdown options from the fields as required. Select OK.

  11. On the Report Policy Editor, select OK.

Cloning default report policies

How to clone the default report policy in Invicti Enterprise

  1. From the main menu, select Policies > Report Policies.
  2. Next to the relevant policy, click Clone. The New Report Policy tab is displayed.
  3. Complete the fields as described above in Configuring report policies in Invicti Enterprise.

How to clone the default report policy in Invicti Standard

  1. From the ribbon, select Home, then Report Policy Editor.
  2. Select the relevant policy and click Clone. A cloned version of the relevant policy is displayed with ‘Copy’ after its name.
  3. Edit the cloned copy as described from step 3 of How to create a custom report policy in Invicti Standard.

Using custom report policies in scans

How to use a custom report policy in a scan in Invicti Enterprise

Once you have created a custom report policy, you can use it when creating a new scan, new scheduled scan, or new group scan.

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. From the Report Policy drop-down, select your custom report policy.

  4. Complete the remaining fields as described in Creating a New Scan.
  5. Select Launch.

How to use a custom report policy in a scan in Invicti Standard

  1. Open Invicti Standard.
  2. From the ribbon, select Home > New. The Start a New Website or Web Service dialog is displayed.
  3. From the Report Policy drop-down, select your Custom Report Policy.
  4. Complete the remaining fields as described in Creating a New Scan.
  5. Select Start Scan.

Custom Report Policies FAQ

Question: When I change the severity level of a vulnerability, does this affect the previous scan's reports?

  • No, it does not. After you edit a report policy, you need to rerun the scan with the edited report policy to get a new report based on the latest changes.