Policy Actions vs Policy Rule Categories


Policy rule categories and policy actions are closely related, but they serve different purposes within BoostSecurity’s policy engine.

Understanding the distinction helps you design clearer rules and avoid unexpected policy behavior.


Policy Rule Categories


Policy rule categories define what type of security findings a rule applies to.

They act as the scope of a rule by grouping findings based on their origin or domain, such as:

  • SAST
  • SCA
  • Secrets
  • IaC
  • Kubernetes
  • Repository metadata

In other words, the rule category answers the question: “Which class of findings should this rule evaluate?”

A rule can only evaluate actions that are relevant to its selected category.


Policy Actions


Policy actions define how findings within a rule category are evaluated.

They act as filters or conditions that refine which findings match a rule. Actions evaluate specific attributes of a finding—such as severity, exploitability, reachability, confidence level, or repository context.

Policy actions answer the question: “Under what conditions should this rule trigger?”

Actions are combined within a rule to express precise intent, for example:

  • Only critical vulnerabilities
  • Only internet-reachable components
  • Only exploitable vulnerabilities with high confidence
  • Only findings in public repositories

How They Work Together


Policy rule categories and policy actions work together in a layered way:

  1. Rule category determines which findings are eligible
  2. Policy actions narrow that set by applying conditions
  3. Rule response defines what happens when a finding matches

You can think of it as:

Category = scope

Actions = filters

Response = outcome

When building policies, start by thinking of the right category, then use policy actions to precisely target the findings that matter most.
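To make the layered model concrete, here is a small Python evaluator added for this page; it is an illustration written for this article, not BoostSecurity's policy engine or its rule schema. It models a rule as category (scope), actions (filters, combined with AND) and response (outcome), and it rejects a rule whose actions are not relevant to its category. The ACTION_SCOPE mapping of attributes to categories and the sample findings are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Rule categories listed on the page. The mapping of which action (finding
# attribute) is meaningful for which category is an assumption made for this
# example, not the product's actual schema.
ALL_CATEGORIES = {"SAST", "SCA", "Secrets", "IaC", "Kubernetes", "Repository metadata"}
ACTION_SCOPE = {
    "severity": {"SAST", "SCA", "Secrets", "IaC", "Kubernetes"},
    "exploitable": {"SCA"},
    "reachable": {"SCA"},
    "confidence": {"SAST", "SCA", "Secrets"},
    "public_repo": ALL_CATEGORIES,
}


@dataclass
class Finding:
    id: str
    category: str
    attrs: dict  # attribute name -> value (severity, exploitable, ...)


@dataclass
class Rule:
    name: str
    category: str  # scope: which findings are eligible at all
    actions: dict  # filters: attribute -> set of accepted values, ANDed together
    response: str  # outcome applied to every finding that matches


def invalid_actions(category, actions):
    """Return the action names that do not apply to the given rule category."""
    return [a for a in actions if category not in ACTION_SCOPE.get(a, set())]


def evaluate(rule, findings):
    """Apply the three layers: category scope, action filters, then response."""
    bad = invalid_actions(rule.category, rule.actions)
    if bad:
        # A rule can only evaluate actions relevant to its selected category.
        raise ValueError(f"rule {rule.name!r}: actions {bad} do not apply to {rule.category!r}")
    # Layer 1: the category decides which findings are eligible.
    eligible = [f for f in findings if f.category == rule.category]
    # Layer 2: every action must accept the finding's attribute value.
    matched = [
        f for f in eligible
        if all(f.attrs.get(attr) in accepted for attr, accepted in rule.actions.items())
    ]
    # Layer 3: the response is the outcome for each match.
    return [(f.id, rule.response) for f in matched]


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("sca-1", "SCA", {"severity": "critical", "exploitable": True, "reachable": True,
                             "confidence": "high", "public_repo": True}),
    Finding("sca-2", "SCA", {"severity": "high", "exploitable": False, "reachable": False,
                             "confidence": "low", "public_repo": True}),
    Finding("sast-1", "SAST", {"severity": "critical", "confidence": "high", "public_repo": False}),
    Finding("secret-1", "Secrets", {"severity": "critical", "confidence": "high", "public_repo": True}),
    Finding("repo-1", "Repository metadata", {"public_repo": True}),
]

# Constructed sample rules mirroring the intents listed on the page.
SAMPLE_RULES = [
    Rule("critical-sca", "SCA", {"severity": {"critical"}}, "block"),
    Rule("exploitable-sca-high-confidence", "SCA",
         {"exploitable": {True}, "confidence": {"high"}}, "block"),
    Rule("public-secrets", "Secrets", {"public_repo": {True}}, "notify"),
    Rule("all-sast", "SAST", {}, "log"),  # no actions: every eligible finding matches
    Rule("public-repos", "Repository metadata", {"public_repo": {True}}, "notify"),
]


def run_sample():
    """Evaluate each sample rule and return {rule name: [matched finding ids]}."""
    return {r.name: [fid for fid, _ in evaluate(r, SAMPLE_FINDINGS)] for r in SAMPLE_RULES}


if __name__ == "__main__":
    for name, ids in run_sample().items():
        print(f"{name}: {ids}")
    # Scope check: 'reachable' is an SCA attribute, so it is rejected for SAST.
    print(invalid_actions("SAST", {"reachable": {True}}))
```

Note that the critical SAST finding `sast-1` is never touched by `critical-sca`: the category layer removes it before the severity action is even consulted, which is exactly the scope-before-filter ordering described above.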