Policy Configuration
Example policy.yaml
version: 1
min_trust: 80  # lowest TrustScore (0-100) a PR may have and still be merged
fail_on: ["critical", "high"]
static_rules:
  disallow_raw_sql: true
  jwt_signing_algorithms: ["RS256"]
  banned_calls:
    - eval
    - child_process.exec
llm_checks:
  require_explanation: true
  depth: "auto"  # mini|large|auto
dependency:
  allow_licenses: ["MIT", "Apache-2.0", "BSD-3-Clause"]
  deny_licenses: ["AGPL-3.0", "GPL-3.0"]
supply_chain:
  max_cvss: 7.0
report:
  formats: ["sarif", "json", "md"]
  keep_days: 30

Configuration Options
min_trust
Minimum TrustScore (0-100) required for merge. Default: 80
fail_on
Severity levels that block merge (one or more of: "critical", "high", "medium", "low")
static_rules
Static analysis rules: disallow_raw_sql, banned_calls, jwt_signing_algorithms
dependency
License allow/deny lists for dependency scanning
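The following is an added example, not the tool's own code: a small merge-gate evaluator showing how the min_trust, fail_on, dependency and supply_chain fields of the policy above combine into a block/allow decision. The scan-result shape (trust_score, findings, dependencies) and the precedence of deny_licenses over allow_licenses are assumptions made for illustration.

```python
# Added example (not the tool's own code). The policy mirrors the page's
# example policy.yaml as a plain dict; a real loader would parse the YAML file.
POLICY = {
    "version": 1,
    "min_trust": 80,
    "fail_on": ["critical", "high"],
    "dependency": {
        "allow_licenses": ["MIT", "Apache-2.0", "BSD-3-Clause"],
        "deny_licenses": ["AGPL-3.0", "GPL-3.0"],
    },
    "supply_chain": {"max_cvss": 7.0},
}

# Constructed scan result (assumed shape): one high and one medium finding,
# one deny-listed dependency license, one dependency with a CVSS above max_cvss.
SCAN = {
    "trust_score": 72,
    "findings": [
        {"rule": "disallow_raw_sql", "severity": "high", "file": "db.js"},
        {"rule": "banned_calls", "severity": "medium", "file": "util.js"},
    ],
    "dependencies": [
        {"name": "tiny-util", "license": "MIT", "max_cvss": 0.0},
        {"name": "copyleft-lib", "license": "AGPL-3.0", "max_cvss": 0.0},
        {"name": "old-parser", "license": "MIT", "max_cvss": 9.8},
    ],
}


def evaluate(policy, scan):
    """Return the reasons the merge is blocked; an empty list means merge is allowed."""
    reasons = []
    if scan["trust_score"] < policy["min_trust"]:
        reasons.append(f"trust score {scan['trust_score']} below min_trust {policy['min_trust']}")
    blocking = {s.lower() for s in policy["fail_on"]}
    for f in scan["findings"]:  # only severities listed in fail_on block the merge
        if f["severity"].lower() in blocking:
            reasons.append(f"{f['severity']} finding {f['rule']} in {f['file']}")
    dep_pol = policy.get("dependency", {})
    allow = set(dep_pol.get("allow_licenses", []))
    deny = set(dep_pol.get("deny_licenses", []))
    max_cvss = policy.get("supply_chain", {}).get("max_cvss")
    for d in scan["dependencies"]:
        lic = d["license"]
        # assumption: deny list wins, and a non-empty allow list is exhaustive
        if lic in deny or (allow and lic not in allow):
            reasons.append(f"dependency {d['name']} has disallowed license {lic}")
        if max_cvss is not None and d["max_cvss"] > max_cvss:
            reasons.append(f"dependency {d['name']} CVSS {d['max_cvss']} exceeds max_cvss {max_cvss}")
    return reasons


def merge_allowed(policy, scan):
    return not evaluate(policy, scan)
```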