Overview
Custom policies evaluate condition logic against supported targets such as vulnerabilities, packages, package versions, manifests, assets, secrets, and code findings. Use custom policies when built-in SLA, package, or manifest policy types do not cover the control you want to express.Targets
Supported target types are:vulnerabilitypackagepackage_versionmanifestassetsecretcode
Condition structure
Conditions use nested groups:| Group | Meaning |
|---|---|
all | Every child rule or group must match |
any | At least one child rule or group must match |
not | Negates one child rule or group |
Condition rule
Operators
Operators depend on the field type:| Field type | Common operators |
|---|---|
| String | =, !=, in, prefix |
| Number | >, >=, <, <=, = |
| Boolean | =, != |
| Array | contains, overlaps |
in, contains, and overlaps, provide a JSON array value.
Actions
Custom policies can define actions:| Action | Purpose |
|---|---|
| SLA | Set a remediation window such as 7d and whether to reset on regression |
| Notify | Notify selected users or roles when violations are created |
SLA action
Dry run
Dry run is available for custom policies with a target type. Use it to preview matches for a selected repository before relying on the policy in normal workflows. Dry runs can use the saved condition or a temporary condition override.JSON import
Custom policies can be imported from JSON. Imported policies are created disabled so they can be reviewed before activation.Import shape