Policies
Workspace Policy
Workspace policies apply to all projects in your organization. They define organization-wide security and quality standards.
Configure workspace policies in your dashboard settings. These policies serve as defaults for all projects unless overridden by project-level policies.
Project-Level Policy
Project-level policies override workspace policies for specific projects. This allows you to have stricter rules for sensitive projects or more lenient rules for experimental codebases.
Create a policy.yaml file in your project root or configure it via the dashboard.
YAML Examples
version: 1
min_trust: 80 # Minimum TrustScore required for merge
fail_on: ["critical", "high"] # Severities that block merge
static_rules:
  disallow_raw_sql: true
  jwt_signing_algorithms: ["RS256"]
  banned_calls:
    - eval
    - child_process.exec
    - execSync
llm_checks:
  require_explanation: true
  depth: "auto" # mini|large|auto
dependency:
  allow_licenses: ["MIT", "Apache-2.0", "BSD-3-Clause"]
  deny_licenses: ["AGPL-3.0", "GPL-3.0"]
supply_chain:
  max_cvss: 7.0 # Maximum CVSS score allowed
report:
  formats: ["sarif", "json", "md"]
  keep_days: 30

Save this as .syntaxvalid/policy.yaml or policy.yaml in your project root.
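As an added example (not SyntaxValid's own code), the following Python shows how a project-level policy overrides workspace defaults and how the merged policy is applied to a scan result; it assumes the YAML has already been loaded into dicts (for example with yaml.safe_load), and the scan-result shape and all sample values are constructed for illustration.

```python
# Added example, not the product's own code: merge a workspace policy with a
# project override, then check a constructed scan result against the result.
# The dicts mirror this page's YAML keys as yaml.safe_load() would return them.

WORKSPACE_POLICY = {  # organization-wide defaults (constructed)
    "version": 1, "min_trust": 80, "fail_on": ["critical", "high"],
    "static_rules": {"disallow_raw_sql": True, "jwt_signing_algorithms": ["RS256"],
                     "banned_calls": ["eval", "child_process.exec", "execSync"]},
    "dependency": {"allow_licenses": ["MIT", "Apache-2.0", "BSD-3-Clause"],
                   "deny_licenses": ["AGPL-3.0", "GPL-3.0"]},
    "supply_chain": {"max_cvss": 7.0},
}
PROJECT_POLICY = {  # stricter project-level override for a sensitive repo (constructed)
    "min_trust": 90, "fail_on": ["critical", "high", "medium"],
    "supply_chain": {"max_cvss": 4.0},
}
SAMPLE_SCAN = {  # hypothetical scan result for one pull request (constructed)
    "trust_score": 85,
    "findings": [{"severity": "medium", "rule": "jwt-alg-hs256"}],
    "calls": ["execSync", "fs.readFile"],
    "licenses": {"left-pad": "MIT", "somelib": "GPL-3.0"},
    "vulns": {"lodash": 5.3},  # highest CVSS per dependency
}

def merge_policy(workspace, project):
    """Project keys override workspace keys; nested maps merge key by key."""
    merged = dict(workspace)
    for key, value in project.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_policy(merged[key], value)
        else:
            merged[key] = value  # scalars and lists are replaced, not appended
    return merged

def evaluate(policy, scan):
    """Return the violations that block a merge under policy (empty list = pass)."""
    v = []
    if scan["trust_score"] < policy["min_trust"]:
        v.append(f"TrustScore {scan['trust_score']} below min_trust {policy['min_trust']}")
    v += [f"{f['severity']} finding: {f['rule']}" for f in scan["findings"]
          if f["severity"] in policy["fail_on"]]
    v += [f"banned call: {c}" for c in scan["calls"]
          if c in policy["static_rules"]["banned_calls"]]
    dep = policy["dependency"]
    v += [f"license {lic} not allowed for {name}" for name, lic in scan["licenses"].items()
          if lic in dep["deny_licenses"] or lic not in dep["allow_licenses"]]
    max_cvss = policy["supply_chain"]["max_cvss"]
    v += [f"{name}: CVSS {cvss} above max_cvss {max_cvss}"
          for name, cvss in scan["vulns"].items() if cvss > max_cvss]
    return v
```

Under the workspace policy alone the sample scan is blocked only by the execSync call and the GPL-3.0 dependency; the stricter merged policy additionally blocks on the TrustScore, the medium finding and the CVSS 5.3 vulnerability.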
Configuration Options
min_trust
Minimum TrustScore (0-100) required for merge. Default: 80
min_trust: 80

fail_on
Severity levels that will block merge: ["critical", "high", "medium", "low"]
fail_on: ["critical", "high"]

static_rules
Static analysis rules configuration:
disallow_raw_sql: Block raw SQL queries
jwt_signing_algorithms: Allowed JWT algorithms
banned_calls: List of banned function calls

static_rules:
  disallow_raw_sql: true
  jwt_signing_algorithms: ["RS256"]
  banned_calls: ["eval", "exec"]

dependency
License allow/deny lists for dependency scanning:
dependency:
  allow_licenses: ["MIT", "Apache-2.0"]
  deny_licenses: ["GPL-3.0"]

supply_chain
Supply chain security configuration:
supply_chain:
  max_cvss: 7.0 # Maximum CVSS score allowed

Fail-on Severities
The fail_on option determines which severity levels will block a merge: