fixed stuff and removed placeholders

Author: amaksimovv

docs/assets/demo/fstec-sbom-demo.en.html

@@ -69,7 +69,7 @@
         {
           type: "card",
           title: "A manifest-only run may be incomplete",
-          body: "If the manifest does not expose transitive dependencies, this run does not provide the full component list. In such ecosystems dependency resolution in the environment is recommended for a complete inventory."
+          body: "If the manifest does not expose transitive dependencies, this run does not provide the full component list. A complete inventory requires either a lock file or dependency resolution in a prepared project environment."
         },
         {
           type: "command",
@@ -94,7 +94,7 @@
         {
           type: "card",
           title: "What changed after resolve",
-          body: "The agent used the specified <code>pip</code>, added the <code>pip freeze</code> result as <code>codescoring_pip_for_freeze</code>, saved the scan to a CLI project, and produced a local <code>bom-local.json</code>."
+          body: "The agent used the specified <code>pip</code>, added the dependency resolution result as <code>codescoring_pip_for_freeze</code>, saved the scan to a CLI project, and produced a local <code>bom-local.json</code>. This mode should be run only in a controlled project environment, otherwise extra packages can end up in the SBOM."
         }
       ]
     };

docs/assets/demo/fstec-sbom-demo.html

@@ -69,7 +69,7 @@
         {
           type: "card",
           title: "Обычного запуска может быть недостаточно",
-          body: "Если манифест не раскрывает транзитивные зависимости, такой запуск не даёт полного перечня компонентов. Для качественного инвентаря в таких экосистемах рекомендуется разрешение зависимостей в окружении."
+          body: "Если манифест не раскрывает транзитивные зависимости, такой запуск не даёт полного перечня компонентов. Для качественного инвентаря нужен либо lock-файл, либо запуск с разрешением зависимостей в подготовленном окружении проекта."
         },
         {
           type: "command",
@@ -94,7 +94,7 @@
         {
           type: "card",
           title: "Что изменилось после resolve",
-          body: "Агент использовал <code>pip</code> по указанному пути, добавил результаты <code>pip freeze</code> как <code>codescoring_pip_for_freeze</code>, сохранил анализ в CLI-проекте и сформировал локальный <code>bom-local.json</code>."
+          body: "Агент использовал <code>pip</code> по указанному пути, добавил результат разрешения зависимостей как <code>codescoring_pip_for_freeze</code>, сохранил анализ в CLI-проекте и сформировал локальный <code>bom-local.json</code>. Такой режим стоит запускать только в контролируемом окружении проекта, иначе в SBOM могут попасть лишние пакеты."
         }
       ]
     };

docs/assets/demo/johnny-build-report-demo.en.html

@@ -71,20 +71,20 @@
             "      --create-project \\",
             "      --stage build \\",
             "      --localization en \\",
-            "      --format \"coloredtable,junit>>junit.xml\" \\",
+            "      --format \"coloredtable,sarif>>report.sarif\" \\",
             "      --ignore .git",
             "  artifacts:",
             "    paths:",
             "      - bom.json",
-            "      - junit.xml",
+            "      - report.sarif",
             "    when: always",
             "    expire_in: 1 week"
           ],
           outputDelay: 10
         },
         {
           type: "command",
-          command: "johnny scan dir . --api_token $JOHNNY_API_TOKEN --api_url $JOHNNY_API_URL --project \"billing-service-cli\" --save-results --create-project --stage build --localization en --format \"coloredtable,junit>>junit.xml\" --ignore .git",
+          command: "johnny scan dir . --api_token $JOHNNY_API_TOKEN --api_url $JOHNNY_API_URL --project \"billing-service-cli\" --save-results --create-project --stage build --localization en --format \"coloredtable,sarif>>report.sarif\" --ignore .git",
           output: [
             "Analysis ticket result_id: 8ce150e2-2ef4-45db-81d7-3c32ef407b07",
             "- Wait analysis result...  [7s]",
@@ -141,10 +141,10 @@
         },
         {
           type: "command",
-          command: "ls -1 bom.json junit.xml",
+          command: "ls -1 bom.json report.sarif",
           output: [
             "bom.json",
-            "junit.xml"
+            "report.sarif"
           ],
           outputDelay: 24
         },
@@ -159,7 +159,7 @@
         {
           type: "card",
           title: "Outputs are ready",
-          body: "In this example, the Johnny Agent saved an SBOM, prepared `junit.xml`, and returned code `1` because the policies found issues that need attention."
+          body: "In this example, the Johnny Agent saved an SBOM, prepared `report.sarif`, and returned code `1` because the policies found issues that need attention."
         }
       ]
     };

docs/assets/demo/johnny-build-report-demo.html

@@ -71,20 +71,20 @@
             "      --create-project \\",
             "      --stage build \\",
             "      --localization ru \\",
-            "      --format \"coloredtable,junit>>junit.xml\" \\",
+            "      --format \"coloredtable,sarif>>report.sarif\" \\",
             "      --ignore .git",
             "  artifacts:",
             "    paths:",
             "      - bom.json",
-            "      - junit.xml",
+            "      - report.sarif",
             "    when: always",
             "    expire_in: 1 week"
           ],
           outputDelay: 10
         },
         {
           type: "command",
-          command: "johnny scan dir . --api_token $JOHNNY_API_TOKEN --api_url $JOHNNY_API_URL --project \"billing-service-cli\" --save-results --create-project --stage build --localization ru --format \"coloredtable,junit>>junit.xml\" --ignore .git",
+          command: "johnny scan dir . --api_token $JOHNNY_API_TOKEN --api_url $JOHNNY_API_URL --project \"billing-service-cli\" --save-results --create-project --stage build --localization ru --format \"coloredtable,sarif>>report.sarif\" --ignore .git",
           output: [
             "Analysis ticket result_id: 8ce150e2-2ef4-45db-81d7-3c32ef407b07",
             "- Wait analysis result...  [7s]",
@@ -141,10 +141,10 @@
         },
         {
           type: "command",
-          command: "ls -1 bom.json junit.xml",
+          command: "ls -1 bom.json report.sarif",
           output: [
             "bom.json",
-            "junit.xml"
+            "report.sarif"
           ],
           outputDelay: 24
         },
@@ -159,7 +159,7 @@
         {
           type: "card",
           title: "Результаты готовы",
-          body: "В этом примере агент Johnny сохранил SBOM, подготовил `junit.xml` и вернул код `1`, потому что политики нашли проблемы, требующие внимания."
+          body: "В этом примере агент Johnny сохранил SBOM, подготовил `report.sarif` и вернул код `1`, потому что политики нашли проблемы, требующие внимания."
         }
       ]
     };

docs/tutorials/basic-security-policies.en.md

@@ -6,19 +6,25 @@ title: "Configure a basic set of security policies"
 
 ## Context
 
-After the first analysis in CodeScoring, you usually get a lot of information about dependencies and vulnerabilities, but without policies it is still just a list of findings. A basic set of rules helps separate the most important cases from the general flow of results and makes it easier to understand what deserves attention first.
+After the first analysis in CodeScoring.SCA, you usually get a lot of information about dependencies and vulnerabilities. A basic set of rules helps separate the most important cases from the general flow of results and makes it easier to understand what deserves attention first.
 
-For a practical starting point, three rules at the `source` stage are enough: separately track vulnerabilities that already have a public exploit and a fix, highlight critical direct dependencies, and surface components that were published less than a month ago. This reduces risk quickly without turning the first rollout into a noisy setup or introducing hard blocks too early.
+For VCS projects at the `source` stage, a practical starting point is to create three separate policies:
+
+- one for vulnerabilities that already have a public exploit and a fix;
+- one for direct dependencies with critical vulnerabilities;
+- one for components that were published less than a month ago.
+
+These rules help set priorities faster without overwhelming the team with noisy alerts or introducing hard blocks too early.
 
 !!! tip "Why this starter set works"
-    [OpenSSF](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software.html) recommends prioritizing dependency risk instead of treating all findings as equal, and [OWASP](https://owasp.org/www-community/Component_Analysis) notes that direct dependencies are usually the most practical place to start remediation. CodeScoring research also shows that a useful starter set separates three different risk classes: urgent vulnerabilities that are already exploited and already fixable, critical direct dependencies as the most manageable part of the graph, and very young components that have not yet had enough time to accumulate trust signals from the ecosystem.
+    [OpenSSF](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software.html) recommends prioritizing dependency risk instead of treating all findings as equal, and [OWASP](https://owasp.org/www-community/Component_Analysis) notes that direct dependencies are usually the most practical place to start remediation. CodeScoring research also shows that a useful starter set separates three different queues: vulnerabilities that are already exploited and already fixable, direct dependencies with critical vulnerabilities, and very young components that still need additional verification before wider use.
 
 ## What you will get
 
-By the end of this scenario, CodeScoring will contain three active policies:
+By the end of this scenario, CodeScoring will contain three active policies for VCS projects at the `source` stage:
 
 - a policy for vulnerabilities with a public exploit and a fixed version at the `source` stage;
-- a policy for critical direct dependencies at the `source` stage;
+- a policy for direct dependencies with critical vulnerabilities at the `source` stage;
 - a policy for very young components at the `source` stage.
 
 After a repeated SCA run, you will be able to see which of these rules already produce useful alerts.
@@ -27,7 +33,7 @@ After a repeated SCA run, you will be able to see which of these rules already p
 
 Before you start, make sure you have:
 
-- access to CodeScoring with permissions to work in `Settings -> Policies`;
+- access to CodeScoring with the `Administrator` or `Security Manager` role;
 - at least one connected VCS project that can be rescanned with SCA;
 - a clear decision on whether this starter set should be applied to all projects immediately or only to a pilot project first.
 
@@ -40,7 +46,7 @@ This rule helps surface not just any vulnerabilities, but the ones that are alre
 1. Go to `Settings -> Policies`.
 2. Click **Create**.
 3. Fill in the policy context:
-    - **Name** — for example, `Source: exploit + fix`;
+    - **Name** — for example, `Exploit and fix`;
     - **Stages** — `source`;
     - **Level** — choose the severity level that fits your process;
     - **Is Active** — enable it;
@@ -51,35 +57,31 @@ This rule helps surface not just any vulnerabilities, but the ones that are alre
     - **Vulnerability has fixed version**.
 6. Click **Create**.
 
-```html
-<!-- VIDEO REQUIRED: In CodeScoring, open Settings -> Policies, create a new policy, set its name, choose the source stage, enable Is Active, keep Blocker disabled, add the Vulnerability has exploit and Vulnerability has fixed version conditions, and save the policy. -->
-<iframe src="https://minio.example.com/path/to/video" style="aspect-ratio: 16 / 9; width: 100%" allow="autoplay; encrypted-media; fullscreen; picture-in-picture; screen-wake-lock;" frameborder="0" allowfullscreen></iframe>
-```
+!!! note "Why Blocker should stay off at first"
+    For a starter set it is more useful to see what the rule really catches and how noisy it is before turning it into an enforcement point. That makes it easier to shape the process without stopping scans or everyday work too early.
 
-After that, the platform will have a rule that raises alerts for the most actionable vulnerability cases in VCS projects.
+After that, the platform will have a rule that creates alerts for the most actionable vulnerability cases in VCS projects.
 
-### Step 2. Create a policy for critical direct dependencies
+### Step 2. Create a policy for direct dependencies with critical vulnerabilities
 
 Starting with direct dependencies is practical because the list is usually smaller and easier to manage than the full dependency graph. These findings are often easier to assign and fix quickly.
 
 1. Open the policy created in the previous step.
 2. Click **Create a copy**.
 3. Change the main fields:
-    - **Name** — for example, `Source: direct critical dependency`;
+    - **Name** — for example, `Direct dependency with a critical vulnerability`;
     - **Stages** — keep `source`;
     - **Is Active** — keep it enabled;
     - **Blocker** — keep it disabled.
-4. Remove the previous conditions and create a new group with the **AND** expression:
-    - **Relation** = `direct`;
+4. Remove the previous conditions and create a top-level group with the **AND** expression:
+    - **Relation** = `direct`.
+5. Inside that group, create a nested group with the **OR** expression and add:
+    - **CVSS2 Severity** = `critical`;
+    - **CVSS3 Severity** = `critical`;
     - **CVSS4 Severity** = `critical`.
-5. Click **Create**.
-
-```html
-<!-- VIDEO REQUIRED: On the existing policy page, click Create a copy, change the name, keep the source stage, replace the conditions with Relation = direct and CVSS4 Severity = critical, and save the new policy. -->
-<iframe src="https://minio.example.com/path/to/video" style="aspect-ratio: 16 / 9; width: 100%" allow="autoplay; encrypted-media; fullscreen; picture-in-picture; screen-wake-lock;" frameborder="0" allowfullscreen></iframe>
-```
+6. Click **Create**.
 
-At this point, the starter set also includes a separate rule for severe issues in dependencies that the team controls directly.
+At this point, the starter set also includes a separate rule for direct dependencies that have at least one critical severity signal in one of the CVSS versions.
 
 ### Step 3. Create an informational policy for very young components
 
@@ -90,21 +92,20 @@ This rule helps isolate dependencies that were published very recently. For a st
 
 1. In `Settings -> Policies`, click **Create** again.
 2. Fill in the policy context:
-    - **Name** — for example, `Source: young component`;
+    - **Name** — for example, `Component younger than 30 days`;
     - **Stages** — `source`;
     - **Is Active** — enable it;
     - **Blocker** — keep it disabled.
 3. If you want a gradual rollout, specify a pilot project in **Projects** if needed.
-4. In the conditions block, create one group with the **AND** expression and add:
-    - **Dependency age (days)** < `30`.
+4. In the conditions block, create a top-level group with the **OR** expression:
+    - in the first **AND** group, add **Dependency age (days)** < `30`;
+    - in the second **AND** group, optionally add a condition for dependencies where age information is missing.
 5. Click **Create**.
 
 If you want to refine the threshold later or extend the rule, the full list of supported criteria is described in [policy setup](/on-premise/how-to/policies.en).
 
-```html
-<!-- VIDEO REQUIRED: In CodeScoring, create a new policy, choose the source stage, enable Is Active, keep Blocker disabled, optionally specify a project, add the Dependency age (days) < 30 condition, and save the policy. -->
-<iframe src="https://minio.example.com/path/to/video" style="aspect-ratio: 16 / 9; width: 100%" allow="autoplay; encrypted-media; fullscreen; picture-in-picture; screen-wake-lock;" frameborder="0" allowfullscreen></iframe>
-```
+!!! note "What to keep in mind about dependency age"
+    The platform determines the dependency publication date for supported ecosystems. Before rolling this rule out to all projects, it is better to validate it on a pilot project first and confirm that the criterion behaves as expected for your packages and sources.
 
 After that, very recently published components start appearing in a separate alert stream, making it easier to review them before they spread widely across projects.
 
@@ -118,14 +119,9 @@ Policies start working during analysis, so after configuring them it is worth ve
 4. Open the `Policy alerts` section.
 5. Check whether new alerts appear for:
     - vulnerabilities with an exploit and a fix;
-    - critical direct dependencies;
+    - direct dependencies with critical vulnerabilities;
     - very young components.
 
-```html
-<!-- VIDEO REQUIRED: On the project page, start an SCA run, wait until it finishes, then open Policy alerts and show alerts triggered by the new source-stage policies. -->
-<iframe src="https://minio.example.com/path/to/video" style="aspect-ratio: 16 / 9; width: 100%" allow="autoplay; encrypted-media; fullscreen; picture-in-picture; screen-wake-lock;" frameborder="0" allowfullscreen></iframe>
-```
-
 At this point, the starter set is already in use: all three rules produce alerts after analysis and separate the most important cases into different review tracks.
 
 ## Result