
Policy and Compliance

Define security policies to enforce organizational standards across your repositories. Policies gate CI/CD pipelines, block risky dependencies, and map findings to compliance frameworks.

Policy Rules

Each policy contains one or more rules. A rule specifies a condition that, when matched, marks the scan as non-compliant.

| Rule Type | Description | Example Value |
|---|---|---|
| CVE Block | Block specific CVE IDs | CVE-2023-44487 |
| Severity Threshold | Fail if any finding meets or exceeds the given severity | critical |
| Version Constraint | Require a minimum version for a package | lodash >= 4.17.21 |
| License Deny | Block dependencies with prohibited licenses | GPL-3.0, AGPL-3.0 |
| Age Limit | Flag packages not updated within N days | 365 |

Policy-as-Code

Store policy configuration in your repository root as .codestax-policy.yml:

```yaml
version: 1
rules:
  - type: severity_threshold
    value: critical
    action: block
  - type: license_deny
    value:
      - GPL-3.0
      - AGPL-3.0
    action: warn
  - type: cve_block
    value:
      - CVE-2023-44487
    action: block
```

When a scan runs, CodeStax merges the repository-level policy with any organization-level policy. Where the two define conflicting rules, a repo rule with action: block takes precedence.
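To make the rule semantics concrete, here is a small evaluator for the five rule types in the table. It is an added example, not CodeStax's policy engine. The policy is the JSON form of the .codestax-policy.yml above (YAML is a superset of JSON, so a real loader would simply yaml.safe_load the file), extended with the version_constraint and age_limit rows from the table; the findings are constructed, and every package except lodash is made up. Version comparison is dotted-numeric only, not full semver, and an unknown rule type raises instead of being skipped, so a typo in the policy fails the scan rather than silently disabling a rule.

```python
import json
import re
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# JSON form of the .codestax-policy.yml example, plus the two remaining
# rule types from the table (version_constraint, age_limit).
POLICY_JSON = """{
  "version": 1,
  "rules": [
    {"type": "severity_threshold", "value": "critical", "action": "block"},
    {"type": "license_deny", "value": ["GPL-3.0", "AGPL-3.0"], "action": "warn"},
    {"type": "cve_block", "value": ["CVE-2023-44487"], "action": "block"},
    {"type": "version_constraint", "value": "lodash >= 4.17.21", "action": "block"},
    {"type": "age_limit", "value": 365, "action": "warn"}
  ]
}"""
POLICY = json.loads(POLICY_JSON)

# Constructed scan output (not real advisory data): one record per dependency.
# The "acme-*" packages are made up; the lodash version is chosen to miss the
# constraint in the table. SCAN_DATE fixes "today" so the age rule is deterministic.
SCAN_DATE = date(2024, 6, 1)
FINDINGS = [
    {"name": "lodash", "version": "4.17.15", "license": "MIT",
     "last_release": "2019-07-19", "vulns": []},
    {"name": "acme-http2", "version": "1.0.3", "license": "Apache-2.0",
     "last_release": "2023-09-01", "vulns": [{"cve": "CVE-2023-44487", "severity": "high"}]},
    {"name": "acme-pdf", "version": "2.4.0", "license": "GPL-3.0",
     "last_release": "2024-02-10", "vulns": []},
    {"name": "acme-legacy-parser", "version": "0.9.1", "license": "MIT",
     "last_release": "2021-11-30", "vulns": [{"cve": None, "severity": "critical"}]},
]

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "==": lambda a, b: a == b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}


def parse_version(text):
    """Dotted numeric compare, e.g. '4.17.15' -> (4, 17, 15). Not full semver."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def violations_for(rule, findings, today):
    """Return one human-readable string per dependency that matches the rule."""
    kind, value = rule["type"], rule["value"]
    hits = []
    for dep in findings:
        tag = f"{dep['name']}@{dep['version']}"
        if kind == "severity_threshold":
            floor = SEVERITY_RANK[value]
            if any(SEVERITY_RANK[v["severity"]] >= floor for v in dep["vulns"]):
                hits.append(f"{tag}: finding at or above {value}")
        elif kind == "cve_block":
            hits += [f"{tag}: blocked {v['cve']}" for v in dep["vulns"] if v["cve"] in value]
        elif kind == "license_deny":
            if dep["license"] in value:
                hits.append(f"{tag}: denied license {dep['license']}")
        elif kind == "version_constraint":
            name, op, wanted = value.split()
            if dep["name"] == name and not OPS[op](parse_version(dep["version"]), parse_version(wanted)):
                hits.append(f"{tag}: violates '{value}'")
        elif kind == "age_limit":
            age_days = (today - date.fromisoformat(dep["last_release"])).days
            if age_days > int(value):
                hits.append(f"{tag}: last release {age_days} days ago (limit {value})")
        else:
            # Fail closed: a misspelled rule type must not silently disable the rule.
            raise ValueError(f"unknown rule type {kind!r}")
    return hits


def evaluate(policy, findings, today):
    """Return (status, report). status is 'block', 'warn' or 'pass';
    report is a list of (action, rule_type, detail) tuples, policy order."""
    report = [(rule["action"], rule["type"], hit)
              for rule in policy["rules"]
              for hit in violations_for(rule, findings, today)]
    actions = {action for action, _, _ in report}
    status = "block" if "block" in actions else "warn" if "warn" in actions else "pass"
    return status, report


if __name__ == "__main__":
    status, report = evaluate(POLICY, FINDINGS, SCAN_DATE)
    for action, rule_type, detail in report:
        print(f"[{action}] {rule_type}: {detail}")
    print("scan status:", status)  # block
```

Run as written, the constructed scan produces six violations (three block, three warn) and an overall status of block; drop every dependency but acme-pdf and the status falls to warn, because its only hit is the license_deny rule.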

Compliance Framework Mapping

CodeStax maps SCA findings to controls in common compliance frameworks:

| Framework | Relevant Controls |
|---|---|
| SOC 2 Type II | CC7.1 (System monitoring), CC8.1 (Change management) |
| ISO 27001 | A.12.6 (Technical vulnerability management) |
| PCI DSS v4.0 | 6.2 (Bespoke and custom software security), 6.3.2 (Inventory of third-party software components) |
| OWASP Top 10 | A06:2021 Vulnerable and Outdated Components |

CodeStax ships compliance mapping for these four frameworks only. HIPAA, NIST CSF and others are on the roadmap but not yet in the product; if another doc or marketing page claims otherwise, it is out of date.

Navigate to SCA > Policy > Compliance to view your posture against each framework.

CI/CD Gate Checks

When a scan is triggered by a pull request or CI pipeline, the policy engine evaluates all rules and returns a pass or fail status.

  1. Add the CodeStax check to your CI workflow.
  2. The check calls GET /api/sca/policy/evaluate?repo_id={repo_id}&scan_id={scan_id}.
  3. A block rule violation returns HTTP 403 with details of the violated rules, failing the pipeline.
  4. A warn rule violation returns HTTP 200 with advisory notes; the pipeline passes.

Only these two outcomes are defined. If you script the call yourself, treat any other response (an authentication error, a 5xx, a timeout) as a failure rather than a pass, so that an outage or an expired token cannot let a pull request through ungated.
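A CI-side implementation of these four steps, as an added example and not CodeStax's own check. The HTTP call is abstracted behind a fetch function so the block runs offline against constructed responses; in a pipeline, fetch would wrap urllib or requests with the API token. The response body shape (top-level advisories and violations lists) is an assumption, since the page only specifies the status codes. Everything the page leaves undefined is treated as a failure: an expired token, a 403 from the authorisation layer that carries no violation details, a 5xx, or a dropped connection all fail closed instead of being mistaken for a pass.

```python
import json

EXIT_PASS, EXIT_POLICY_FAIL, EXIT_ERROR = 0, 1, 2


def gate(fetch, repo_id, scan_id):
    """Run the gate. fetch(url) returns (http_status, body_text) or raises OSError.
    Returns (exit_code, messages) so the caller can log and sys.exit(exit_code)."""
    url = f"/api/sca/policy/evaluate?repo_id={repo_id}&scan_id={scan_id}"
    try:
        status, body = fetch(url)
    except OSError as exc:
        return EXIT_ERROR, [f"policy service unreachable, failing closed: {exc}"]

    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:  # HTML error page or truncated body
        payload = {}

    if status == 200:  # pass, or warn rules only: advisory notes, pipeline continues
        notes = [f"warn: {note}" for note in payload.get("advisories", [])]
        return EXIT_PASS, notes or ["policy: pass"]
    if status == 403 and "violations" in payload:  # a block rule was violated
        return EXIT_POLICY_FAIL, [f"block: {v}" for v in payload["violations"]]
    # Not part of the documented contract: 401 or 403 from the auth layer, 404 for
    # bad ids, 5xx, HTML error pages. None of them mean "compliant", so fail closed.
    return EXIT_ERROR, [f"unexpected response {status}, failing closed"]


# Constructed responses standing in for the service so the example runs offline.
# The body shape (advisories / violations lists) is assumed, not taken from the docs.
CANNED = {
    "pass": (200, '{"status": "pass", "advisories": []}'),
    "warn": (200, '{"status": "warn", "advisories": ["license_deny: acme-pdf@2.4.0 uses GPL-3.0"]}'),
    "block": (403, '{"status": "block", "violations": ["cve_block: acme-http2@1.0.3 has CVE-2023-44487"]}'),
    "forbidden_token": (403, '{"error": "forbidden"}'),  # same status as block, no violations
    "expired_token": (401, '{"error": "token expired"}'),
    "outage": (503, "<html>Service Unavailable</html>"),
}


def fake_fetch(case):
    """Return a fetch() that replays one canned response, or a connection error."""
    def _fetch(url):
        if case == "network":
            raise OSError("connection refused")
        return CANNED[case]
    return _fetch


if __name__ == "__main__":
    for case in list(CANNED) + ["network"]:
        code, messages = gate(fake_fetch(case), repo_id=42, scan_id=1001)
        print(f"{case:16} exit={code}  {messages[0]}")
```

The exit code is split three ways on purpose: 0 and 1 are the two documented outcomes, while 2 marks "the gate could not decide", which lets the pipeline alert on a misconfigured token or a service outage instead of presenting it as a compliance failure of the code under review.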

Compliance Badge

Embed a live SVG badge in your README to display policy status:

![Policy Status](https://app.codestax.io/api/sca/badge/{repo_id}/policy.svg)

The badge shows passing (green), warning (yellow), or failing (red) based on the latest scan evaluation.