Overview of Report Policies

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

A report policy is a list of reporting settings for web security scan results and reports.

This article explains how to view report policies in Invicti Enterprise and Invicti Standard.

When you run a scan, you attach a report policy to it. While the scan policy affects which checks Invicti will run, the report policy affects your result report. For example, if you change the severity level of SQL Injection to the Best Practice severity level, you may miss a critical security issue in your web application.

With a report policy, you can do the following:

  • Specify which detected vulnerabilities Invicti should report in the Scan Results.
  • Change the Severity level, the visibility, and the classification properties of a vulnerability.

A Custom Report Policy enables you to configure these settings, including how the web security scanner displays its findings in the Invicti application and in reports. (If you want to enable or disable specific security checks in the actual scan itself, you should configure a Scan Policy instead.)

While you can create your own report policy in line with your requirements, you can also rely on Invicti's Built-in Report Policy. It is read-only and provides the settings for your custom Report Policies. You can clone existing Report Policies or create new ones, and then modify the new custom report policy to suit your requirements.

To create your own report policy, refer to Custom Report Policies.

IMPORTANT: When you exclude the SQL Injection vulnerability from a Report Policy and run a report, the scanner will still check whether the target web application is vulnerable to SQL Injection. However, if it detects one, it won’t report it in the scan results. With the Report Policy, the SQL Injection is only hidden.

If you later generate a report from the same scan with the Built-in Report Policy, in which the SQL Injection vulnerability is included, the identified SQL Injection vulnerability will be listed in the report.
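A check that follows from the two paragraphs above, as an added example (not Invicti code): generate one report from the same scan with the Built-in Report Policy and one with the custom policy, then diff them to list findings the custom policy hid or downgraded. The CSV column names (name, severity, url), the severity ranking and the sample rows are assumptions constructed for illustration; adapt them to your actual export.

```python
import csv
import io

# Assumed severity labels, ranked highest first (adjust to your export).
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2,
                 "Best Practice": 1, "Information": 0}

def rank(severity):
    """Return the numeric rank of a severity label, rejecting unknown labels."""
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity label: {severity!r}")
    return SEVERITY_RANK[severity]

def load_findings(csv_text):
    """Map (name, url) -> severity for one exported report (hypothetical columns)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["name"].strip(), r["url"].strip()): r["severity"].strip() for r in rows}

def diff_reports(builtin_csv, custom_csv):
    """List findings the custom policy hid or downgraded versus the built-in baseline."""
    baseline, custom = load_findings(builtin_csv), load_findings(custom_csv)
    hidden, downgraded = [], []
    for (name, url), base_sev in sorted(baseline.items()):
        if (name, url) not in custom:
            hidden.append((name, url, base_sev))
        elif rank(custom[(name, url)]) < rank(base_sev):
            downgraded.append((name, url, base_sev, custom[(name, url)]))
    return hidden, downgraded

# Constructed sample exports of the same scan under two report policies.
BUILTIN_REPORT = """name,severity,url
SQL Injection,Critical,https://app.example.test/login
Cross-site Scripting,High,https://app.example.test/search
Missing X-Frame-Options Header,Low,https://app.example.test/
"""
CUSTOM_REPORT = """name,severity,url
Cross-site Scripting,Best Practice,https://app.example.test/search
Missing X-Frame-Options Header,Low,https://app.example.test/
"""

if __name__ == "__main__":
    hidden, downgraded = diff_reports(BUILTIN_REPORT, CUSTOM_REPORT)
    for name, url, sev in hidden:
        print(f"HIDDEN      {sev:<13} {name} @ {url}")
    for name, url, was, now in downgraded:
        print(f"DOWNGRADED  {was} -> {now}: {name} @ {url}")
```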

Report Policies Fields

This table lists and explains the fields in the New Report Policy window in Invicti Enterprise.

| Button/Section/Field | Description |
|---|---|
| Name | Enter a name for the Report Policy. |
| Description | Enter a simple description that will help you remember what it is for. |
| Shared | Select this checkbox to share your Report Policy with other team members. |

How to view report policies in Invicti Enterprise

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies > Report Policies.

From this page, you can view, clone, edit, delete, or export to CSV any listed policy. Admin users with permission can manage their team members' Report Policies. This means that if a Report Policy is private but belongs to one of your team members, you can still view, edit, delete and clone that policy.

How to view report policies in Invicti Standard

  1. Open Invicti Standard.
  2. From the Home tab, select Report Policy Editor.

From this window, you can view, clone, edit or delete any listed policy, or add a new one.