Policy and Compliance
Define security policies to enforce organizational standards across your repositories. Policies gate CI/CD pipelines, block risky dependencies, and map findings to compliance frameworks.
Policy Rules
Each policy contains one or more rules. A rule specifies a condition that, when matched, marks the scan as non-compliant.
| Rule Type | Description | Example Value |
|---|---|---|
| CVE Block | Block specific CVE IDs | CVE-2023-44487 |
| Severity Threshold | Fail if any finding meets or exceeds severity | critical |
| Version Constraint | Require minimum version for a package | lodash >= 4.17.21 |
| License Deny | Block dependencies with prohibited licenses | GPL-3.0, AGPL-3.0 |
| Age Limit | Flag packages not updated within N days | 365 |
Policy-as-Code
Store policy configuration in your repository root as .codestax-policy.yml:
version: 1
rules:
- type: severity_threshold
value: critical
action: block
- type: license_deny
value:
- GPL-3.0
- AGPL-3.0
action: warn
- type: cve_block
value:
- CVE-2023-44487
action: blockWhen a scan runs, CodeStax merges repo-level policy with any organization-level policy. Repo rules with block action take precedence.
Compliance Framework Mapping
CodeStax maps SCA findings to controls in common compliance frameworks:
| Framework | Relevant Controls |
|---|---|
| SOC 2 Type II | CC7.1 (System monitoring), CC8.1 (Change mgmt) |
| ISO 27001 | A.12.6 (Technical vulnerability management) |
| PCI-DSS v4.0 | 6.2 (Bespoke software security), 6.3.2 |
| OWASP Top 10 | A06:2021 Vulnerable and Outdated Components |
CodeStax ships compliance mapping for these four frameworks. HIPAA, NIST CSF, and others are on the roadmap but not yet in the product — if a doc or marketing page claims otherwise, it’s out of date.
Navigate to SCA > Policy > Compliance to view your posture against each framework.
CI/CD Gate Checks
When a scan is triggered by a pull request or CI pipeline, the policy engine evaluates all rules and returns a pass or fail status.
- Add the CodeStax check to your CI workflow.
- The check calls
GET /api/sca/policy/evaluate?repo_id={id}&scan_id={id}. - A
blockrule violation returns HTTP 403 with details, failing the pipeline. - A
warnrule violation returns HTTP 200 with advisory notes.
SCA Status Badge
Embed a live SVG badge in your README to display SCA vulnerability status:
The badge reflects the latest completed SCA scan: it shows the critical count in red when any critical vulnerabilities are present, the total vulnerability count in orange when vulnerabilities remain but none are critical, and passing in green when no vulnerabilities are found.