Skip to Content
SCA & DependenciesPolicies & Compliance

Policy and Compliance

Define security policies to enforce organizational standards across your repositories. Policies gate CI/CD pipelines, block risky dependencies, and map findings to compliance frameworks.

Policy Rules

Each policy contains one or more rules. A rule specifies a condition that, when matched, marks the scan as non-compliant.

Rule TypeDescriptionExample Value
CVE BlockBlock specific CVE IDsCVE-2023-44487
Severity ThresholdFail if any finding meets or exceeds severitycritical
Version ConstraintRequire minimum version for a packagelodash >= 4.17.21
License DenyBlock dependencies with prohibited licensesGPL-3.0, AGPL-3.0
Age LimitFlag packages not updated within N days365

Policy-as-Code

Store policy configuration in your repository root as .codestax-policy.yml:

version: 1 rules: - type: severity_threshold value: critical action: block - type: license_deny value: - GPL-3.0 - AGPL-3.0 action: warn - type: cve_block value: - CVE-2023-44487 action: block

When a scan runs, CodeStax merges repo-level policy with any organization-level policy. Repo rules with block action take precedence.

Compliance Framework Mapping

CodeStax maps SCA findings to controls in common compliance frameworks:

FrameworkRelevant Controls
SOC 2 Type IICC7.1 (System monitoring), CC8.1 (Change mgmt)
ISO 27001A.12.6 (Technical vulnerability management)
PCI-DSS v4.06.2 (Bespoke software security), 6.3.2
OWASP Top 10A06:2021 Vulnerable and Outdated Components

CodeStax ships compliance mapping for these four frameworks. HIPAA, NIST CSF, and others are on the roadmap but not yet in the product — if a doc or marketing page claims otherwise, it’s out of date.

Navigate to SCA > Policy > Compliance to view your posture against each framework.

CI/CD Gate Checks

When a scan is triggered by a pull request or CI pipeline, the policy engine evaluates all rules and returns a pass or fail status.

  1. Add the CodeStax check to your CI workflow.
  2. The check calls GET /api/sca/policy/evaluate?repo_id={id}&scan_id={id}.
  3. A block rule violation returns HTTP 403 with details, failing the pipeline.
  4. A warn rule violation returns HTTP 200 with advisory notes.

SCA Status Badge

Embed a live SVG badge in your README to display SCA vulnerability status:

![SCA Status](https://app.codestax.io/api/sca/cicd/badge/{repository_id})

The badge reflects the latest completed SCA scan: it shows the critical count in red when any critical vulnerabilities are present, the total vulnerability count in orange when vulnerabilities remain but none are critical, and passing in green when no vulnerabilities are found.