Skip to main content

Overview

Policies define rules that Cysmiq evaluates against security data in a workspace. They help teams track remediation deadlines, warn on risky changes, block releases, and manage package or manifest allow and deny decisions.
Availability depends on your Cysmiq plan.

Policy lifecycle

SettingValuesWhat it controls
StatusActive, DisabledWhether the policy is evaluated
EnforcementMonitor, Warn, BlockHow strongly matching violations affect workflows
Default applicationApplies by default or explicit bindingsWhether the policy applies broadly or only where it is bound

Enforcement modes

ModeBehavior
MonitorRecords matching policy violations for review
WarnRecords violations and marks them as warning-level enforcement
BlockRecords violations as blocking enforcement for connected workflows
The effective enforcement mode can come from the policy, a policy binding, or an override.

Policy types

Policy typePurpose
Vulnerability SLATrack remediation windows for vulnerabilities
Package allow/denyGovern package use with package rules and package decisions
Manifest allow/denyGovern manifest files and dependency file types
CustomEvaluate custom condition logic against supported policy targets
See Package and manifest policies for allow and deny rules. See Custom policies for condition-based policies.

Templates

Policy templates provide starting points for common controls. Templates can be adopted into workspace policies, reviewed, adjusted, and activated. Template groups can apply multiple related templates together. Adopted templates become normal policies that can be edited, disabled, cloned, or deleted.

Bindings and overrides

Bindings control where a policy applies and how it behaves at a scope. Supported binding modes are:
Binding modeMeaning
Use policy defaultsApply the policy’s configured behavior
Customize settingsOverride enforcement or supported policy-specific settings for the scope
Disable policyDisable the policy for the scope
Policy evaluation resolves workspace, organization, repository, application, asset, manifest, reference, and environment scopes. More specific scopes are evaluated before broader scopes. Policy rule forms and global opt-outs currently expose workspace, organization, repository, and application scopes. Global opt-outs can disable policies for selected workspace, organization, repository, or application scopes.