Basics¶
This document describes the overview of the Policy as Code template schema.
Policy Metadata¶
Each policy has metadata attached to help make it easy to name and tag other metadata.
# Name of the policy
name: Default Policy
General Policy Blocks¶
There are (as of v1.5) 5 different general policy blocks which dictate what policy applies to which to a particular technologies.
codescanning- Code Scanning policydependabot- Dependency Security Alerts (dependabot) policylicensing- Dependency Licensing Alerts (dependency graph) policydependencies- Dependency usage Alerts (dependency graph) policysecretscanning- Secret Scanning Alerts policy
Each of these blocks have a GeneralPolicyModel used which consists of multiple parts; Severity level or Conditional.
Severity Level Policy¶
The first and simplest of these is the level attribute which allows you to specify the severity level of a policy.
This checks the severity of the alert and reports an policy violation if the level matches or higher
# Code Scanning policy setting level to error or above
codescanning:
level: error
There are a number of levels are specified in the standard and are constant:
criticalhigherrorerrorsmediummoderatelowwarningwarningsnotenotes
Conditional Policy¶
The conditional policy attributes allow users to write more complex conditional checks. There are four main rules types to do everything you need to do for all things compliance.
codescanning:
# Warnings will always occur if the rule applies and continues executing to
# other rules.
warnings:
ids:
- Other
- NA
# Ignores are run next so if an ignored rule is hit that matches the level,
# it will be skipped
ignores:
ids:
- MIT License
# Conditions will only trigger and raise an error when an exact match is hit
conditions:
ids:
- GPL-2.0
names:
- tunnel-agent
# The simplest and ultimate rule which checks the severity of the alert and
# reports an issue if the level matches or higher (see PaC Levels for more info)
level: error
