Custom Report Policies
You can create your own custom policy that suits your requirements. Or, you can clone an existing report policy and modify it based on your needs.
With your custom policy, you can do the following:
- Edit the report policies based on your requirements.
- Change vulnerability details, impact, remedy information, etc. in addition to the severity level, the visibility, and the classification properties of a vulnerability.
A Custom Report Policy enables you to configure these settings, including how the web security scanner displays its findings in the Invicti application and in reports. (If you want to enable or disable specific security checks in the actual scan itself, you should configure a Scan Policy instead.)
For further information about the report policy, see Overview of Report Policies.
Configuring Report Policy in Invicti Enterprise
You can configure your custom policy in two steps. First, you need to create a report policy; then you need to customize it.
How to Create a New Report Policy in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, select Policies > New Report Policy.
- In the Name field, enter a name for your report policy.
- In the Description field, enter a description for your report policy.
- Enable the Shared field, if required. If enabled, you can share the policy with the website group(s) you choose. The team members who have permission to scan the selected website groups will also be able to use this Report Policy.
- Select Save.
How to Create a Custom Report Policy in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, select Policies > Report Policies.
- From the Report Policies page, select the name of the Report Policy you want to customize.
- Select the Editor tab. The full list of vulnerabilities is displayed.
- In the vulnerabilities library list, check those you want to include in your Scan Report. You can also use the input field at the top to search for a specific vulnerability.
- For each vulnerability, use the drop-down to change its Severity Level, if required.
- For each vulnerability, turn on the toggle to edit the vulnerability details, if required. Turn off the toggle to save the changes.
- To add a new vulnerability to the Report Policy, select New in the vulnerabilities library list. The Vulnerability Editor is displayed. Fill in the fields as required and select Save.
- To clone a selected vulnerability to the Report Policy, select Clone in the vulnerabilities library list. The Clone Vulnerability dialog is displayed. From the Type drop-down, select the vulnerability type and select Save.
- To edit a selected vulnerability in the Report Policy, select Edit in the vulnerabilities library list. The Vulnerability Editor dialog is displayed. Change as required and select Save.
- To change a template or the classification of a selected vulnerability in the Report Policy, edit the Vulnerability Details section and select Save.
- To delete a selected vulnerability in the Report Policy, select Delete.
Setting a report policy as the default report policy
You can set one of your report policies as the default in Invicti Enterprise, so you or your team members can attach this default report policy to a scan easily. If required, you can attach a report policy other than the default to a scan while launching a security scan.
- You can select a default report policy from your shared report policies.
- You can edit your default policy but cannot set it as private or delete it. To delete it, you must first remove its default status.
- You can continue using the default report policy even if the user who created the policy is no longer a part of your team or company.
- This feature is only available in Invicti Enterprise On-Demand.
For further information about configuring report policies, see Configuring Report Policy in Invicti Enterprise.
How to set a report policy as the default
- Log in to Invicti Enterprise.
- From the main menu, select Settings > General.
- From the Default Report Policy drop-down menu, select the report policy you want.
- Select Save.
The report policy you selected appears as the default on the Report Policies page.
How to Create a Custom Report Policy in Invicti Standard
- From the ribbon, select the Home tab, then Report Policy Editor. The Report Policy Editor dialog is displayed. This consists of a Report Policy list, a vulnerabilities library list (with the full list of vulnerabilities that Invicti scans for) and individual vulnerability details.
- In the Report Policy Editor, select New. At the top of the Report Policy list, a new Report Policy is displayed.
- Select the new Report Policy to rename it.
- Browse the vulnerabilities library list and use the checkboxes to select the vulnerabilities you want to include in your Scan Report and deselect those you want to exclude. You can also use the input field at the top to search for a specific vulnerability.
- For each vulnerability, use the drop-down to change its Severity Level, if required.
- To add a new vulnerability to the Report Policy, select New in the vulnerabilities library list. The Vulnerability Editor dialog is displayed. Fill in the fields as required and select OK.
- To clone a selected vulnerability to the Report Policy, select Clone in the vulnerabilities library list. The Clone Vulnerability dialog is displayed. From the Type drop-down, select the vulnerability type and select OK.
- To edit a selected vulnerability in the Report Policy, select Edit in the vulnerabilities library list. The Vulnerability Editor dialog is displayed. Change as required and select OK.
- To delete a selected vulnerability in the Report Policy, select Delete.
- To overwrite CVSS environmental metrics in all vulnerabilities, select Set Metrics. The Environmental Metrics dialog is displayed. Select the drop-down options from the fields as required. Select OK.
- On the Report Policy Editor, select OK.
How to Clone the Default Report Policy in Invicti Enterprise
- From the main menu, select Policies > Report Policies.
- For the relevant policy, select Clone. The New Report Policy tab is displayed.
- Complete the fields as described from step 2 in How to Create a Custom Report Policy in Invicti Enterprise.
How to Clone the Default Policy in Invicti Standard
- From the ribbon, select Home, then Report Policy Editor.
- Select the relevant policy and select Clone. A cloned version of the relevant policy is displayed with ‘Copy’ after its name.
- Edit the cloned copy as described from step 3 of How to Create a Custom Report Policy in Invicti Standard.
How to Use a Custom Report Policy in a Scan in Invicti Enterprise
Once you have created a Custom Report Policy, you can use it when creating a New Scan, New Scheduled Scan or New Group Scan.
- Log in to Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- From the Report Policy drop-down, select your Custom Report Policy.
- Complete the remaining fields as described in Creating a New Scan.
How to Use a Custom Report Policy in a Scan in Invicti Standard
- From the ribbon, select Home > New. The Start a New Website or Web Service dialog is displayed.
- From the Report Policy drop-down, select your Custom Report Policy.
- Complete the remaining fields as described in Creating a New Scan.
Custom Report Policies FAQ
Question: When I change the severity level of a vulnerability, does this affect the previous scan's reports?
- No, it does not. When you edit a report policy, you need to rerun the scan with the edited report policy to get a new report based on the latest changes.