Policy and Compliance

Define security policies to enforce organizational standards across your repositories. Policies gate CI/CD pipelines, block risky dependencies, and map findings to compliance frameworks.

Policy Rules

Each policy contains one or more rules. A rule specifies a condition and an action: when a finding matches the condition, the scan is marked non-compliant, and the action (block or warn) determines whether the scan fails outright or only carries an advisory note.

| Rule Type | Description | Example Value |
|---|---|---|
| CVE Block | Block specific CVE IDs | CVE-2023-44487 |
| Severity Threshold | Fail if any finding meets or exceeds the severity | critical |
| Version Constraint | Require a minimum version for a package | lodash >= 4.17.21 |
| License Deny | Block dependencies with prohibited licenses | GPL-3.0, AGPL-3.0 |
| Age Limit | Flag packages not updated within N days | 365 |

Policy-as-Code

Store policy configuration in your repository root as .codestax-policy.yml:

    version: 1
    rules:
      - type: severity_threshold
        value: critical
        action: block
      - type: license_deny
        value:
          - GPL-3.0
          - AGPL-3.0
        action: warn
      - type: cve_block
        value:
          - CVE-2023-44487
        action: block

When a scan runs, CodeStax merges the repo-level policy with any organization-level policy. Repo-level rules with a block action take precedence.
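The following is an added example (not CodeStax's own engine) showing how the five rule types in the table above and the two-level merge behave when evaluated against scan findings. The repo policy is the same content as the .codestax-policy.yml above written as a dict so no YAML parser is needed; the organization policy and the findings are constructed sample data. The merge semantics are an assumption: every rule from both levels is evaluated, and a matched block rule outranks any matched warn rule. Only the `>=` form of the version constraint shown in the table is handled.

```python
"""Local evaluator for CodeStax-style policy rules (added example, not vendor code).

Assumptions: the policy dict mirrors .codestax-policy.yml; findings are constructed
sample SCA output; org and repo rules are all evaluated and block outranks warn."""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

REPO_POLICY = {  # same rules as the .codestax-policy.yml example above
    "version": 1,
    "rules": [
        {"type": "severity_threshold", "value": "critical", "action": "block"},
        {"type": "license_deny", "value": ["GPL-3.0", "AGPL-3.0"], "action": "warn"},
        {"type": "cve_block", "value": ["CVE-2023-44487"], "action": "block"},
    ],
}

ORG_POLICY = {  # constructed organization-level policy (assumed shape)
    "version": 1,
    "rules": [
        {"type": "version_constraint", "value": "lodash >= 4.17.21", "action": "block"},
        {"type": "age_limit", "value": 365, "action": "warn"},
    ],
}

FINDINGS = [  # constructed sample SCA output for one scan
    {"package": "lodash", "version": "4.17.15", "severity": "high",
     "license": "MIT", "cves": ["CVE-2020-8203"], "days_since_update": 800},
    {"package": "golang.org/x/net", "version": "0.15.0", "severity": "high",
     "license": "BSD-3-Clause", "cves": ["CVE-2023-44487"], "days_since_update": 30},
    {"package": "readline", "version": "8.2", "severity": None,
     "license": "GPL-3.0", "cves": [], "days_since_update": 100},
]


def parse_version(text):
    """'4.17.21' -> (4, 17, 21); non-numeric components count as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def rule_matches(rule, finding):
    """True when the finding violates the rule's condition."""
    kind, value = rule["type"], rule["value"]
    if kind == "severity_threshold":  # finding meets or exceeds the threshold
        sev = finding.get("severity")
        return sev is not None and SEVERITY_RANK[sev] >= SEVERITY_RANK[value]
    if kind == "cve_block":
        return any(cve in value for cve in finding.get("cves", []))
    if kind == "license_deny":
        return finding.get("license") in value
    if kind == "version_constraint":  # only the '>=' form from the table is handled
        package, op, minimum = value.split()
        if finding["package"] != package or op != ">=":
            return False
        return parse_version(finding["version"]) < parse_version(minimum)
    if kind == "age_limit":
        return finding.get("days_since_update", 0) > int(value)
    raise ValueError(f"unknown rule type: {kind}")


def merged_rules(repo_policy, org_policy=None):
    """Org rules first, then repo rules; both sets are evaluated (assumption)."""
    org = (org_policy or {}).get("rules", [])
    return list(org) + list(repo_policy.get("rules", []))


def evaluate(findings, repo_policy, org_policy=None):
    """Return (status, violations): 'fail' if any block rule matched,
    'warn' if only warn rules matched, otherwise 'pass'."""
    violations = []
    for rule in merged_rules(repo_policy, org_policy):
        for finding in findings:
            if rule_matches(rule, finding):
                violations.append({"rule": rule["type"], "action": rule["action"],
                                   "package": finding["package"]})
    if any(v["action"] == "block" for v in violations):
        return "fail", violations
    return ("warn" if violations else "pass"), violations


if __name__ == "__main__":
    status, found = evaluate(FINDINGS, REPO_POLICY, ORG_POLICY)
    print(status)
    for v in found:
        print(f"  [{v['action']}] {v['rule']}: {v['package']}")
```

With the sample data the scan fails: the outdated lodash trips both the organization's version constraint (block) and age limit (warn), golang.org/x/net 0.15.0 matches the blocked CVE, and readline's GPL-3.0 license only warns. Running the repo policy alone still fails because of the CVE block rule, which is the point of keeping blocking rules in the repository file rather than relying on the org level.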

Compliance Framework Mapping

CodeStax maps SCA findings to controls in common compliance frameworks:

| Framework | Relevant Controls |
|---|---|
| PCI-DSS 4 | 6.2 (Bespoke software security), 6.3.2 |
| SOC 2 | CC7.1 (System monitoring), CC8.1 |
| ISO 27001 | A.12.6 (Technical vulnerability management) |
| NIST CSF | ID.RA (Risk Assessment), PR.IP-12 |
| HIPAA | 164.312(a)(1) (Access control) |

Navigate to SCA > Policy > Compliance to view your posture against each framework.

CI/CD Gate Checks

When a scan is triggered by a pull request or CI pipeline, the policy engine evaluates every rule in the merged policy against the scan's findings and returns a pass or fail status.

  1. Add the CodeStax check to your CI workflow.
  2. The check calls GET /api/sca/policy/evaluate?repo_id={id}&scan_id={id}.
  3. A block rule violation returns HTTP 403 with details, failing the pipeline.
  4. A warn rule violation returns HTTP 200 with advisory notes.
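A CI step implementing the four steps above, as an added example that is not CodeStax's own client. It assumes the API is served from https://app.codestax.io (the host used by the badge URL on this page), that the token is sent as a bearer token from the CODESTAX_TOKEN environment variable, and that the response body carries a `violations` list with `rule`, `action` and `detail` fields; none of those field names are documented here, so treat them as assumptions. The behaviour worth keeping whatever the exact fields are is in `decide`: only 200 passes and only 403 is a policy failure, so an outage, a bad token or an unexpected status fails the job instead of silently passing the gate.

```python
"""CI gate for the CodeStax policy evaluate endpoint (added example, not vendor code).

Assumptions: API host app.codestax.io, bearer-token auth via CODESTAX_TOKEN,
and a JSON body with a "violations" list of {rule, action, detail} objects."""
import json
import os
import sys
import urllib.error
import urllib.request

BASE_URL = "https://app.codestax.io"  # assumed from the badge URL on this page


def fetch_evaluation(repo_id, scan_id, token):
    """Call GET /api/sca/policy/evaluate and return (http_status, parsed_body)."""
    url = f"{BASE_URL}/api/sca/policy/evaluate?repo_id={repo_id}&scan_id={scan_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 403 and any other non-2xx land here
        try:
            return err.code, json.load(err)
        except ValueError:
            return err.code, {}
    except urllib.error.URLError as err:  # DNS/TLS/connection failure: fail closed
        return 0, {"error": str(err.reason)}


def decide(status, body):
    """Map the endpoint's response to (exit_code, message) for the pipeline.

    403 -> a block rule was violated, exit 1 (fail the job).
    200 -> pass, or warn-only violations that are printed as advisory notes, exit 0.
    Anything else (401, 5xx, network error) -> exit 2; the gate fails closed."""
    violations = body.get("violations", []) if isinstance(body, dict) else []
    notes = [f"  [{v.get('action', '?')}] {v.get('rule', '?')}: {v.get('detail', '')}"
             for v in violations]
    if status == 403:
        return 1, "\n".join(["policy gate FAILED (block rule violated)"] + notes)
    if status == 200:
        if notes:
            return 0, "\n".join(["policy gate passed with warnings"] + notes)
        return 0, "policy gate passed"
    return 2, f"policy gate ERROR: unexpected HTTP {status}; failing closed"


def main():
    token = os.environ.get("CODESTAX_TOKEN")
    repo_id = os.environ.get("CODESTAX_REPO_ID")
    scan_id = os.environ.get("CODESTAX_SCAN_ID")
    if not (token and repo_id and scan_id):
        print("CODESTAX_TOKEN, CODESTAX_REPO_ID and CODESTAX_SCAN_ID must be set",
              file=sys.stderr)
        return 2
    code, message = decide(*fetch_evaluation(repo_id, scan_id, token))
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run it as one pipeline step after the scan has been triggered; a non-zero exit fails the job. Keep the token in the CI system's secret store rather than in the workflow file, and do not downgrade the exit-2 branch to a pass, since a 401 from an expired token would otherwise turn the gate off without anyone noticing.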

Compliance Badge

Embed a live SVG badge in your README to display policy status:

![Policy Status](https://app.codestax.io/api/sca/badge/{repo_id}/policy.svg)

The badge shows passing (green), warning (yellow), or failing (red) based on the latest scan evaluation.