Skip to main content

Overview

Custom policies evaluate condition logic against supported targets such as vulnerabilities, packages, package versions, manifests, assets, secrets, and code findings. Use custom policies when built-in SLA, package, or manifest policy types do not cover the control you want to express.

Targets

Supported target types are:
  • vulnerability
  • package
  • package_version
  • manifest
  • asset
  • secret
  • code
Each target type supports a different set of condition fields. See Policy condition fields for the source-backed reference. Environment condition fields come from environment mappings, which map repository branches and tags to deployment boundaries.

Condition structure

Conditions use nested groups:
GroupMeaning
allEvery child rule or group must match
anyAt least one child rule or group must match
notNegates one child rule or group
Rules use a field, operator, and value:
Condition rule
{ "field": "severity", "op": "in", "value": ["critical", "high"] }

Operators

Operators depend on the field type:
Field typeCommon operators
String=, !=, in, prefix
Number>, >=, <, <=, =
Boolean=, !=
Arraycontains, overlaps
For in, contains, and overlaps, provide a JSON array value.

Actions

Custom policies can define actions:
ActionPurpose
SLASet a remediation window such as 7d and whether to reset on regression
NotifyNotify selected users or roles when violations are created
SLA action
{
  "sla": {
    "window": "7d",
    "reset_on_regression": true
  }
}

Dry run

Dry run is available for custom policies with a target type. Use it to preview matches for a selected repository before relying on the policy in normal workflows. Dry runs can use the saved condition or a temporary condition override.

JSON import

Custom policies can be imported from JSON. Imported policies are created disabled so they can be reviewed before activation.
Import shape
{
  "name": "Critical production vulnerabilities",
  "target_type": "vulnerability",
  "status": "disabled",
  "applies_by_default": true,
  "enforcement_mode": "block",
  "condition": {
    "all": [
      { "field": "severity", "op": "in", "value": ["critical", "high"] },
      { "field": "environment.is_production", "op": "=", "value": true }
    ]
  },
  "actions": {
    "sla": {
      "window": "7d",
      "reset_on_regression": true
    }
  }
}