
How to Create a New Policy


Creating a policy involves establishing rules and assigning corresponding actions for triggered events. Here's a step-by-step guide:

  1. Navigate to the Policy page and click on the New Policy button at the top-right corner.

    New policy

  2. Provide a Name and Description for your policy, e.g., Disallowed Licenses, Severity Indicator, etc.

    Add Name and Description

  3. Select an action for the rule if you're not using the default action (Do not notify developers). The available actions are:

    • Fail the check - This action fails the check.
    • Add a comment to the PR - This action adds a comment to the pull request.
    • Send a notification - This action sends a notification to your configured integrations (Slack, Teams, or Webhook). You need to select one of the integrations and add the name of the channel or webhook.
    • Create a ticket - This action creates a ticket. You need to add a project name here.
    • Drop - This action drops all the findings generated by the policy.
    • Suppress - This action suppresses the findings.

    You can select more than one action as the default action for the policy.

    Enable ZTP

  4. Click the Add Rule button.

    Add Rules

  5. Click the Add Action button to define an action path for the rule. There are several action paths your rule can take, which include:

    • OpenSSF Score - This action checks the OpenSSF Score. OpenSSF Score is a collection of security health metrics for open source, allowing you to evaluate the security practices of an open source package in your codebase.
    • EPSS Score - This action targets the EPSS score of vulnerabilities in your code. EPSS (Exploit Prediction Scoring System) measures how likely a particular vulnerability is to be exploited.
    • CVSS Score - CVSS generates a score from 0 to 10 based on the severity of a vulnerability.
    • Vulnerability ID - This action checks for a vulnerability by its ID in your code.
    • Confidence - This action checks whether the confidence level of a vulnerability is High, Medium, or Low.
    • Severity - This action checks whether the severity of a finding is Critical, Warning, or Minor.

    Add Action

  6. Select any of the action paths; for this guide, let's select Severity as the action path.

    Select Severity

  7. Select the >= symbol to set the condition for the action path (i.e., "Severity" >= "Warning"). This means that when the "Severity" is greater than or equal to "Warning", the action "Add a comment to the pull request" is taken.

    Select Symbol

    Select rule

    Add Condition

Save your progress.

Info

You can add multiple "Actions" for a given "Condition" by clicking the +Action button.
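To make the rule semantics concrete (a condition over one attribute of a finding, ordinal comparison for Severity and Confidence, numeric comparison for CVSS and EPSS scores, and several actions attached to one condition), here is an added illustrative model of policy evaluation. It is example code written for this guide, not the product's own engine; the `Rule`, `Policy`, `evaluate_policy` names, the rank tables, and the sample findings are all constructed for the illustration.

```python
"""Illustrative model of how a policy's rules map findings to actions.

Hypothetical model for this guide (not the product's engine): each rule has
one condition over a finding attribute and a list of actions; a finding that
satisfies the condition receives every action of that rule. Findings that
match no rule receive the policy's default action(s).
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Ordinal scales: a comparison such as ">=" is evaluated by rank, so
# Severity >= Warning matches both Warning and Critical findings.
SEVERITY_RANK = {"Minor": 0, "Warning": 1, "Critical": 2}
CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}
ORDINAL_SCALES = {"Severity": SEVERITY_RANK, "Confidence": CONFIDENCE_RANK}

# Comparison symbols a condition may use (assumed set, mirrors the ">=" in step 7).
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


@dataclass
class Rule:
    attribute: str        # e.g. "Severity", "Confidence", "CVSS Score", "EPSS Score", "Vulnerability ID"
    operator: str         # a key of OPERATORS
    value: Any            # threshold or exact value to compare against
    actions: List[str]    # several actions may hang off one condition


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default_actions: List[str] = field(default_factory=lambda: ["Do not notify developers"])


def _normalize(attribute: str, value: Any) -> Any:
    """Map ordinal labels to their rank; leave numbers and IDs untouched."""
    scale = ORDINAL_SCALES.get(attribute)
    if scale is None:
        return value
    if value not in scale:
        raise ValueError(f"unknown {attribute} level: {value!r}")
    return scale[value]


def rule_matches(rule: Rule, finding: Dict[str, Any]) -> bool:
    """True when the finding has the attribute and the condition holds."""
    if rule.attribute not in finding:
        return False
    compare = OPERATORS[rule.operator]
    return compare(_normalize(rule.attribute, finding[rule.attribute]),
                   _normalize(rule.attribute, rule.value))


def evaluate_policy(policy: Policy, findings: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Return {finding id: ordered, de-duplicated list of actions to take}."""
    outcome: Dict[str, List[str]] = {}
    for finding in findings:
        actions: List[str] = []
        for rule in policy.rules:
            if rule_matches(rule, finding):
                for action in rule.actions:
                    if action not in actions:
                        actions.append(action)
        outcome[finding["id"]] = actions or list(policy.default_actions)
    return outcome


def demo() -> Dict[str, List[str]]:
    """Run the step-7 policy over three constructed findings."""
    policy = Policy(
        name="Severity Indicator",
        rules=[
            # Step 7 of the guide, with a second action added to the same condition.
            Rule("Severity", ">=", "Warning", ["Add a comment to the PR", "Send a notification"]),
            Rule("CVSS Score", ">=", 9.0, ["Fail the check"]),
            Rule("Confidence", "==", "Low", ["Suppress"]),
        ],
    )
    # Constructed sample findings; IDs are placeholders, not real vulnerabilities.
    findings = [
        {"id": "F-1", "Severity": "Critical", "Confidence": "High", "CVSS Score": 9.8, "EPSS Score": 0.7},
        {"id": "F-2", "Severity": "Warning", "Confidence": "Medium", "CVSS Score": 5.0},
        {"id": "F-3", "Severity": "Minor", "Confidence": "Low", "CVSS Score": 2.1},
    ]
    return evaluate_policy(policy, findings)


if __name__ == "__main__":
    for finding_id, actions in demo().items():
        print(finding_id, "->", ", ".join(actions))
```

The point to notice is that ">=" on Severity is a rank comparison, not a string comparison: alphabetically "Critical" < "Warning", so a naive string compare would silently exclude Critical findings from a "Severity >= Warning" rule. Unknown levels raise instead of being quietly ranked, which is the behaviour you want from a policy that may fail a check.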