Skip to content

Policy Rule Categories

Policy Rule Categories define the type of security findings a policy rule applies to. They establish the scope of evaluation by grouping findings based on their security domain, source, or operational context.

What Are Policy Rule Categories?

A policy rule category represents a class of findings produced by Boost Security scanners and integrations.

Each category groups findings that share:

  • A common security domain (for example, code, dependencies, infrastructure)
  • Similar risk characteristics
  • A consistent set of attributes that can be evaluated by policy actions

In simple terms, a policy rule category answers the question:

Question

What kind of security findings does this rule apply to?

Why Policy Rule Categories Matter

Policy rule categories provide structure and predictability to policy enforcement.

For users, categories make policies easier to reason about.

How Categories Fit Into the Policy Model

Policy rules in Boost Security follow a layered evaluation model:

  1. Policy – A collection of rules and a default action
  2. Rule Category – Defines which findings are in scope
  3. Policy Actions – Apply conditions to those findings
  4. Response – Determines what happens when conditions are met

You can think of categories as the outer boundary of a rule.

Categories vs Rules vs Actions

It’s important to distinguish between these closely related concepts:

Concept Purpose
Policy Rule Category Defines which type of findings are evaluated
Policy Rule Groups a category, actions, and a response
Policy Actions Define conditions under which the rule applies
Response Defines what happens when the rule triggers

A category does not enforce behavior by itself; it only defines scope.

Common Policy Rule Categories

Policy rule categories generally align with the security domain in which a finding exists. Examples include:

  • Static Application Security Testing (SAST) - Findings related to vulnerabilities in application source code.

  • Software Composition Analysis (SCA) - Findings related to third-party and open-source dependencies.

  • Secrets - Findings related to exposed credentials, tokens, or keys.

  • Infrastructure as Code (IaC) - Findings related to insecure cloud or infrastructure configurations.

  • Kubernetes - Findings related to cluster, service, or workload security.

  • Repository & Asset Metadata - Findings derived from repository configuration, visibility, labels, or flags.

Mapping Policy Rule Categories to Supported Actions

Each policy rule category exposes only the actions that are semantically and technically relevant to the type of findings it evaluates.

This design ensures rules remain valid, predictable, and aligned with the underlying security data.

SAST (Static Application Security Testing)

SAST rules evaluate vulnerabilities in application source code.

Commonly supported actions include:

  • Severity
  • Confidence
  • CVSS Score
  • EPSS Score
  • Vulnerability Class
  • Vulnerability Identifiers
  • Vulnerable Code Reached
  • Data Access Reachability
  • Scanner
  • States
  • Original Rule ID

SCA (Software Composition Analysis)

SCA rules evaluate risks introduced by third-party and open-source dependencies.

Commonly supported actions include:

  • Severity
  • CVSS Score
  • EPSS Score
  • OpenSSF Score
  • Transitive Vulnerability
  • Dev Dependency
  • Internet Reachability
  • Vulnerability Identifiers
  • Scanner
  • States
  • Original Rule ID

Secrets

Secrets rules evaluate the exposure of sensitive credentials in code and configuration.

Commonly supported actions include:

  • Secret Type
  • Secret Validity
  • Severity
  • Confidence
  • Personal Information
  • Scanner
  • States
  • Original Rule ID

Kubernetes

Kubernetes rules evaluate cluster, service, and workload security.

Commonly supported actions include:

  • Kubernetes Cluster
  • Kubernetes Service
  • Severity
  • Confidence
  • Internet Reachability
  • Root Access
  • Critical Risk Issues
  • Scanner
  • States
  • Original Rule ID

Repository & Asset Metadata

Repository-level rules evaluate contextual and governance-related attributes.

Commonly supported actions include:

  • Repository Visibility
  • Repository Labels
  • Repository Languages
  • Repository Flags
  • Forked Repo
  • Manual Tags
  • Privileged User

Selecting the Right Category

When defining a policy rule, choose the category based on what you want to control, not how you want to respond.

Ask yourself:

  • Am I targeting application code, dependencies, or infrastructure?
  • Are these findings produced by a specific scanner type?
  • Do I need vulnerability context, runtime reachability, or repository metadata?

Start broad with the correct category, then refine behavior using policy actions.

Best Practices

  • One intent per rule: Avoid overloading a single rule with unrelated categories.

  • Use categories to separate concerns: For example, treat SCA and SAST differently even if severity thresholds are similar.

  • Align categories with ownership: Different teams often own different categories (AppSec, Platform, DevOps).

  • Keep rules predictable: Clear category selection makes policy outcomes easier to explain and defend.

Summary

Policy Rule Categories define what a rule evaluates, not how it reacts.

They:

  • Establish the scope of a rule
  • Ensure only relevant findings are evaluated
  • Enable consistent, scalable policy enforcement

Choosing the correct category is the foundation of effective policy design. Once the category is set, policy actions and responses can be used to express precise enforcement behavior.