# Git Posture Policies Git Posture policies assess repository, organization, and user configurations that affect source control security and governance. These policies focus on access control, branch protection, review practices, authentication, ownership, and repository hygiene. Proper Git posture reduces the risk of unauthorized changes, account compromise, supply chain attacks, and loss of control over source code. The article describes the policies in this category, configuration options, and the impact of policy violations. For an overview of policies and policy management, see the [Policies ](https://docs.ox.security/ox-policies)article.

## Source control policy coverage Open the accordion to view the list of Git Posture policies supported for each source control.

Policies supported for each source control manager

Policy (A-Z)	GitHub	GitLab	Azure Repos	Bitbucket Cloud
Bot user is a repo admin	✓	✓	✓	✓
Bot user is an org owner	✓	✓	✓	✓
Branch protection not enforced	✓	✓	✓	✓
Branch protection code review can be ignored by developer	✓	✓	✓	✓
Branch protection code review can be ignored by outside collaborator	✓	✓	✓	✓
Branch protection push restriction can be ignored by developer	✓	✓	✓	✓
Branch protection push restriction can be ignored by outside collaborator	✓	✓	✓	✓
Branch protection allows unsigned commits	✓	✓	✓	✓
CODEOWNERS file missing in repo	✓	✓	—	✓
External user has access to repo	✓	✓	✓	✓
Missing 2FA in organization	✓	✓	✓	✓
Outside collaborator not using 2FA	✓	✓	✓	✓
Protected branch can be deleted by a non-admin	✓	✓	✓	✓
Repo admin with no admin activity	✓	✓	✓	✓
Org owner with no admin activity	✓	✓	✓	✓
Single owner in org	✓	✓	✓	✓
Too many org owners	✓	✓	✓	✓
Too many repo admins	✓	✓	✓	✓
Developer did not write code in repo	✓	✓	✓	✓
Outside collaborator is a repo admin	✓	✓	✓	✓
Outside collaborator is repo maintainer	✓	✓	✓	✓
Outside collaborator with no activity	✓	✓	✓	✓
Unreviewed code change	✓	✓	✓	✓
Veteran developer review required	✓	✓	✓	✓
Security Policy file missing in repo	✓	✓	—	✓
Repo wiki publicly available	✓	✓	—	✓
Personal public repo detected	✓	✓	—	✓
Public repo detected	✓	✓	—	✓
Private personal repo fork detected	✓	✓	—	✓
Private repo forking is enabled	✓	✓	—	✓
Unarchived stale repo	✓	✓	✓	✓

## View and manage Git Posture policies Open each policy to view the business impact and optional settings.

Bot user is a repo admin

**Purpose:** Detects repositories where a bot account is assigned administrator-level permissions. **Supported source control managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Bot accounts are not tied to individual users and compromises may go unnoticed for extended periods. Administrative access allows broad control over repository settings and code. This increases the risk of unauthorized changes, persistent access, and supply chain compromise.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF
Bot Identification Settings	Strings used to identify bots in your organization. Click to add strings.	Current setting
Ignore if admin activity seen (toggle)	Ignores all bots that have known admin activity. The setting is ignored if Audit Log permissions are not available.	ON
Ignore if a user is admin in multiple repos	This will ignore all bots that are admins of more than the selected number of repos	Current setting
Audit log access	Grant Ox access to your source control platform's audit logs. This enables the detection of admin activity across all repositories. The access is required for Ox to accurately evaluate policies related to administrative functions.	Required

Bot user is an org owner

**Purpose: Detects** organizations where a bot account is assigned the organization owner role. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Organization owner privileges grant full administrative control across all repositories and settings. A compromised bot account may remain undetected and enable persistent, unrestricted access. This significantly increases the risk of large-scale unauthorized changes and organizational compromise.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Bot Identification Settings

Strings used to identify bots in your organization.

Click to add strings.

Current setting

Branch protection allows unsigned commits

**Purpose:** Detects repositories where branch protection does not require commits to be signed. **Supported Source Control Managers:** * GitHub * GitLab **Business impact:** Unsigned commits make it easier to spoof commit authorship. Attackers can introduce code that appears to come from trusted developers. This weakens code provenance and increases the risk of unauthorized or malicious changes.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility (dropdown)	Determines if this policy applies to public repos, private repos or both.	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Branch protection code review can be ignored by developer

**Purpose:** Detects repositories where branch protection settings allow developers to bypass required code reviews. **Supported Source Control Managers:** * GitHub **Business impact:** Allowing developers to ignore code review requirements weakens a key security and quality control. Compromised accounts can push unreviewed or malicious changes to protected branches. This increases security risk and may lead to non-compliance with standards such as SOC 2, PCI DSS, and ISO 27001.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility (dropdown)	Choose if the policy applies to private, public or all repo types.	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Choose an Available Fix for a Violation	Pick between the options of available fixes for violation.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Branch protection code review can be ignored by outside collaborator

**Purpose:** Detects repositories where branch protection settings allow outside collaborators to bypass required code reviews. **Supported Source Control Managers:** * GitHub **Business impact**: Allowing outside collaborators to bypass code reviews weakens a key safeguard against bugs and malicious changes. A compromised external account can push unreviewed code to protected branches. This increases security risk and may result in non-compliance with standards such as SOC 2, PCI DSS, and ISO 27001.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility (dropdown)	Choose if the policy applies to private, public or all repo types.	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Choose an Available Fix for a Violation	Pick between the options of available fixes for violation.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Branch protection not enforced

**Purpose:** Detects repositories where branch protection is not configured to require code reviews and restrict direct push events. **Supported Source Control Managers:** * GitHub * GitLab * BitBucket Cloud **Business impact:** Without enforced branch protection, code changes can bypass review and approval. Compromised accounts may push malicious or insecure code directly to protected branches. This increases security risk and may result in non-compliance with standards such as SOC 2, PCI DSS, and ISO 27001.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility (dropdown)	Choose if the policy applies to private, public or all repo types.	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF
Choose developers that can bypass branch code	Type in usernames of restricted developers that can bypass branch code reviews. Click to add.	Current setting

Branch protection push restriction can be ignored by developer

**Purpose:** Detects repositories where branch protection settings allow developers to bypass push restrictions on protected branches. **Supported Source Control Managers:** * GitHub * GitLab **Business impact:** Allowing developers to bypass push restrictions weakens enforcement of code review and approval controls. A compromised developer account can push unreviewed or malicious changes directly to protected branches. This increases security risk and may lead to non-compliance.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility	Determines if this policy applies to public repos, private repos or both.	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Branch protection push restriction can be ignored by outside collaborator

**Purpose:** Detects repositories where branch protection settings allow outside collaborators to bypass push restrictions on protected branches. **Supported Source Control Managers:** * GitHub * GitLab **Business impact:** Allowing outside collaborators to bypass push restrictions weakens enforcement of review and approval controls. A compromised external account can push unreviewed or malicious changes to protected branches. This increases security risk and may result in non-compliance with standards such as SOC 2, PCI DSS, and ISO 27001.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility	Determines if this policy applies to public repos, private repos or both.	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Branch protection allows unsigned commits

**Purpose**: Detects repositories with no recent activity that remain unarchived. **Supported Source Control Managers:** * GitHub * GitLab * Bitbucket Cloud **Business impact:** Inactive repositories that remain writable increase the risk of unnoticed changes or misuse. Stale code may be reintroduced into builds or deployments without proper context. Archiving unused repositories reduces the attack surface and clarifies that the code is no longer maintained.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Months Since Change	Choose a minimum number of months before a violation could occur	Current setting
Repo Type (dropdown)	Choose if the policy applies to private, public or all repo types.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

CODEOWNERS file missing in repo

**Purpose**: Detects repositories that do not contain a CODEOWNERS file to define required reviewers. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Without a CODEOWNERS file, pull requests may not receive review from appropriate maintainers. Code changes can be approved by users without relevant expertise. This reduces review quality and weakens branch protection effectiveness.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo types applied by the policy (dropdown)	Choose if the policy applies to private, public, or all repo types	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF
Branch Protection (Required Reviews) (checkbox)	Determine if the policy applies only to repos with branch protection turned on	ON

Developer did not write code in repo

**Purpose:** Detects users with write access to a repository who have not contributed code to it. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Unused write access increases the attack surface for account compromise. A compromised account with write permissions can tamper with code or configurations. Reducing unnecessary access lowers the risk of unauthorized changes.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

External user has access to repo

**Purpose:** Detects repositories where users outside the organization have ongoing access. **Supported Source Control Managers:** * Source Control Managers * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** External access increases the attack surface for account compromise. A compromised external account can introduce malicious code as part of a supply chain attack. This raises the risk of unauthorized changes and downstream impact on applications that consume the code.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	OFF
Email Domains (Suffix)	Choose the email domains that should have access to the build systems. Click to add.	Current setting
Repo Type (dropdown)	Choose if the policy applies to private, public or all repo types.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Git Posture repo wiki publicly editable

**Purpose:** Detects repositories where the wiki is publicly editable by users outside the repository collaborators. **Supported Source Control Managers:** * GitHub **Business impact:** Publicly editable wikis can be abused to insert malicious links or misleading content. Attackers may direct users to download compromised binaries or artifacts. This increases the risk of malware distribution and supply chain attacks.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

License file missing in repo

**Purpose:** Detects repositories where users outside the organization have ongoing access. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** External access increases the attack surface for account compromise. A compromised external account can introduce malicious code as part of a supply chain attack. This raises the risk of unauthorized changes and downstream impact on applications that consume the code.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility (dropdown)	Determines if this policy applies to public repos, private repos or both.	Current setting
License File Name	License File names to search for. Click to add.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Missing 2FA in organization

**Purpose:** Detects organizations where two-factor authentication (2FA) is not enforced for user access. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Lack of 2FA increases the likelihood of account compromise through credential theft. Compromised accounts may grant attackers access to repositories and administrative functions. This raises the risk of unauthorized changes and large-scale security incidents.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Enforce for (dropdown)

Choose what type of users the policy will apply to: Admin, Member, Admin or Member.

Current setting

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Org owner with no admin activity

Purpose: Detects organization or first-level group owners who retain administrative privileges without recent administrative activity. Supported Source Control Managers: * GitHub * GitLab * Azure * BitBucket Cloud Business impact: Inactive owners retain full control over repositories and user management. Accounts belonging to former employees or unused identities increase the risk of unnoticed compromise. Reducing inactive administrative access lowers the attack surface and limits the potential impact of unauthorized actions.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Months Since Activity	Choose how many months since the last activity will trigger a violation.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF
Audit log access	Grant Ox access to your source control platform's audit logs. This enables the detection of admin activity across all repositories. The access is required for Ox to accurately evaluate policies related to administrative functions.	Required

Outside collaborator not using 2FA

**Purpose**: Detects outside collaborators who have access to repositories without two-factor authentication (2FA) enabled. **Supported Source Control Managers:** * GitHub **Business impact:** Accounts without 2FA are more likely to be compromised through credential theft. A compromised outside collaborator can provide attackers with access to source code and repository functions. This increases the risk of unauthorized changes and supply chain attacks.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

Outside collaborator is a repo admin

**Purpose:** Detects repositories where an outside collaborator is assigned administrator-level permissions. **Supported Source Control Managers:** * GitHub * GitLab **Business impact:** Outside collaborators are not managed as internal users and their status may change without visibility. Administrative access allows full control over repository settings and code. A compromised external account can enable unauthorized changes and persistent access, increasing supply chain risk.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Outside collaborator is a repo maintainer

**Purpose**: Detects repositories where an outside collaborator is assigned maintainer-level permissions. **Supported Source Control Managers:** * GitHub * GitLab **Business impact:** Outside collaborators are not governed by internal user controls and their status may change without notice. Maintainer access allows elevated control over repository settings and workflows. A compromised external account can introduce unauthorized changes and increase supply chain risk.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Outside collaborator with no activity

**Purpose:** Detects outside collaborators who retain access to repositories without recent contribution activity. **Supported Source Control Managers:** * GitHub * GitLab **Business impact:** Inactive external access increases the risk of unnoticed account compromise. A compromised outside collaborator account can be used to introduce unauthorized changes. Removing unused access reduces the attack surface and limits potential impact.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Months Since Activity

Choose how many months since the last activity will trigger a violation.

Current setting

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Personal public repo detected

**Purpose:** Detects public personal repositories owned by organization members. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Public personal repositories may expose code copied from private organizational repositories. Sensitive logic or proprietary information can become publicly accessible. This increases the risk of data leakage and intellectual property loss.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore User Repos Older Than (Months)	Ignores mentioning repos older than X Months.	Current setting
Users to report on	Determines the organization users to report on. Click to add.	Current setting
Monitor Time for Former Members (Months)	Stops evaluating former members who left the company after the selected months ago.	Current setting
Include Forked Public Repos (checkbox)	If the repo is forked (from another public repo by definition), then it is unlikely to contain proprietary data.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Private repo fork detected

**Purpose:** Detects private personal repositories owned by organization members that may contain code copied or forked from organizational repositories. **Supported Source Control Managers:** * GitHub **Business impact:** Organizational code stored in personal repositories reduces visibility and governance. Sensitive or proprietary code may persist outside approved controls and processes. This increases the risk of data leakage, compliance gaps, and unmanaged code reuse, even without malicious intent.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore User Repos Older Than (Months)	Ignores mentioning repos older than X Months.	Current setting
Users to report on	Determines the organization users to report on. Click to add.	Current setting
Monitor Time for Former Members (Months)	Stops evaluating former members who left the company after the selected months ago	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Private repo forking is enabled

**Purpose:** Detects organizations or repositories where forking of private repositories is allowed. **Supported Source Control Managers:** * GitHub **Business impact:** Forking private repositories can duplicate proprietary or confidential code outside organizational control. Forks may persist even after access is revoked, reducing visibility and governance. This increases the risk of data leakage and uncontrolled distribution of sensitive code.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Ignore Business Priority Less Than

Ignore repos with Business Priority less than the number entered.

Current setting

Protected branch can be deleted by a non-admin

**Purpose:** Detects repositories where protected branches can be deleted by users without administrator privileges. **Supported Source Control Managers:** * GitHub * GitLab * Bitbucket Cloud **Business impact:** Allowing non-admin users to delete protected branches increases the risk of accidental or malicious deletion. Loss of critical branches can disrupt development, block deployments, and prevent artifact generation. Recovery may be difficult or impossible, leading to operational impact.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility (dropdown)	Determines if this policy applies to public repos, private repos or both.	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Public repo detected

**Purpose:** Detects public personal repositories owned by organization members. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Public personal repositories may expose code copied from private organizational repositories. Proprietary logic or sensitive information can become publicly accessible. This increases the risk of data leakage and intellectual property loss.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore User Repos Older Than (Months)	Ignores mentioning repos older than X Months.	Current setting
Users to report on	Determines the organization users to report on. Click to add.	Current setting
Monitor Time for Former Members (Months)	Stops evaluating former members who left the company after the selected months ago	Current setting
Include Forked Public Repos	If the repo is forked (from another public repo by definition), then it is unlikely to contain proprietary data.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Repo admin with no admin activity

**Purpose:** Detects repository administrators, excluding organization or group owners, who retain admin access without recent administrative or development activity. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Inactive administrators retain the ability to delete repositories and manage user access. Accounts belonging to former employees or unused identities increase the risk of unnoticed compromise. Reducing inactive admin access lowers the attack surface and limits the potential impact of unauthorized actions.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Months Since Activity

Choose how many months since the last activity will trigger a violation.

Current setting

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Security policy file missing in repo

**Purpose:** Detects repositories that do not contain a security policy file. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Without a security policy, users may not know how to responsibly report vulnerabilities. This can delay disclosure or lead to public exposure of security issues. For public repositories, missing guidance increases the risk of unmanaged vulnerability handling and reputational damage.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Repo Visibility (dropdown)

Determines if this policy applies to public repos, private repos or both.

Current setting

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Single owner in org

**Purpose:** Detects organizations or groups that have only one owner account. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** A single owner creates a single point of failure for administrative access. If the owner account becomes unavailable or compromised, critical management actions may be blocked. This increases operational risk and weakens the resilience of access controls.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

Min Users

No issue will be created if the number of users in the org or group is less than or equal to the entered value.

Current setting

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Too many org owners

**Purpose:** Detects organizations or first-level groups where the number of owners or admins is disproportionately high. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Each owner or admin has broad authority over repositories and access controls. A larger set of privileged accounts increases the attack surface and impact of compromise. Reducing the number of owners improves security and limits potential damage from unauthorized actions.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Max Admins	Issue will be created if the number of admins is bigger than the entered value.	Current setting
Max Admin Percent	Issue will be created if the percentage of admins is bigger than the entered value.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Too many repo admins

**Purpose:** Detects repositories with an excessive number of users assigned administrator privileges. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud * Requires Audit Log Access **Business impact:** Each repository admin has full control over settings and access management. A higher number of admin accounts increases the likelihood and impact of account compromise. Reducing admin roles limits the attack surface and potential damage from unauthorized actions.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Max Admins	Issue will be created if the number of admins is bigger than the entered value.	Current setting
Max Admin Percent	Issue will be created if the percentage of admins is bigger than the entered value.	Current setting
Ignore Owners	Choose if Org/Group owners who by default are repo admins will be ignored.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF
Audit log access	Grant Ox access to your source control platform's audit logs. This enables the detection of admin activity across all repositories. The access is required for Ox to accurately evaluate policies related to administrative functions.	Required

Unarchived stale repo

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Months Since Change	Choose a minimum number of months before a violation could occur	Current setting
Repo Type (dropdown)	Choose if the policy applies to private, public or all repo types.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Unreviewed code change

**Purpose:** Detects code changes that were merged or pushed without meeting the minimum required number of reviews. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact:** Unreviewed changes increase the likelihood of bugs or malicious code reaching production. Lack of review weakens a key control used to detect insecure or unintended changes. This elevates the risk of security incidents and downstream impact.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Reviews Required	Please specify the minimum number of reviewers per code push for the policy.	Current setting
Files Changed	Specify the minimum number of files changed for the policy.	Current setting
Ignore Older Code Changes (Months)	Specify the max number of months to find changes to evaluate	Current setting
Ignore File Types	Choose the file types that will not trigger a violation.	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Ignore Admins & Owners	An admin will not trigger a violation.	Current setting
Dominant Language Percentage Min	A violation will not occur if dominant language percentage is lower than the value entered.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Veteran developer review required

**Purpose:** Detects code changes made by infrequent contributors that are not reviewed by a designated veteran developer. **Supported Source Control Managers:** * GitHub * GitLab * Azure * Bitbucket Cloud **Business impact**: Infrequent contributors are more likely to introduce bugs or security vulnerabilities. Without review by an experienced maintainer, risky changes may reach production unnoticed. This increases the likelihood of security issues and unstable code entering critical branches.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Infrequent Developer (Max Code Changes)	Please specify the number of pushes or pull requests that define an infrequent developer (less than).	Current setting
Veteran Reviewer (Min Reviews)	Specify the number of reviews that define a veteran reviewer (greater than or equal to).	Current setting
Veteran Reviewer (Min Code Pushes)	Specify the number of pushes that define a veteran reviewer (greater than or equal to).	Current setting
Always a Veteran Reviewr	Users by name who will always be considered as veteran reviewers in the system. Click to add.	Current setting
Ignore Older Code Changes (Months)	Specify the max number of months to find changes to evaluate	Current setting
Ignore Business Priority Less Than	Ignore repos with Business Priority less than the number entered.	Current setting
Ignore File Types	Click to add.	Current setting
Ignore Admins & Owners	An admin will not trigger a violation.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

## View policy issues 1. Open the Active Issues page. 2. Use the **Category** filter and select the policy category to view related active issues. 3. Use the **Policy** filter to narrow the list to a specific policy. 4. Apply the Category and Policy filters separately or together, depending on how specific you want the results to be. 5. Use the search box to refine results, such as filtering by file name, keyword, or rule identifier. ## Create or save policy profiles When you change a policy’s severity, ON/OFF toggle or any other setting, you must save the current profile or create a new one. * To save the current profile, click **SAVE** in the page header. * To create a new profile, click **SAVE AS** in the page header. For instructions, see the section [Create or edit policy profiles ](https://open-2c.gitbook.com/url/preview/site_RHimt/~/revisions/esBak1HVuTgsCEeNbzHE/policies?theme=light#create-or-edit-policy-profiles)in the [Policies ](/ox-policies/policies.md)article. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.ox.security/ox-policies/cloud-context-policies-2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.