# About Policies Policies help organizations control risk across the supply chain and enforce security standards. When a policy detects a violation, OX creates an issue and links it to the relevant application, repository, or artifact.

## **Policy categories** Each policy category focuses on a different area of the organization’s supply chain, such as code, dependencies, pipelines, cloud posture, or artifacts. You can view the categories on the Policies page in the UI.

Policy Category	Description	Typical Critical issues
Git Posture	Checks repository configuration, access controls, branch protection rules, exposure settings, and overall repository security posture.	Public repo Weak branch protection
Code Security	Evaluates source code using static analysis and pattern detection (SAST). Identifies insecure coding patterns and vulnerabilities in source code before the application is built or deployed.	SAST issues Use of unapproved SaaS in code Code smell detections SQL Injection XML External Entity
Secret / PII Scan	Detects exposed secrets, credentials, and personal identifiable information in code, configuration files, and commit history.	API key leak Token in history Hard-coded secrets
Open Source Security	Uses Software Composition Analysis (SCA). Reviews open-source packages for common vulnerabilities and Exposures (CVEs) in open-source dependencies or base images	Critical CVEs
SBOM	Uses third party libraries with unapproved licensing, low health (i.e., outdated or unpopular libraries) and malicious behavior. Validates dependency and artifact metadata, including completeness, accuracy, and licensing compliance across the supply chain.	Disallowed license Missing metadata Malicious dependencies
Infrastructure as Code Scan	Checks IaC templates (Terraform, CloudFormation, Kubernetes YAML, Helm, etc.) for insecure defaults and misconfigurations.	Open security group Weak IAM role
CI/CD Posture	Evaluates CI/CD pipeline permissions, runner security, secret handling, and build isolation controls.	Insecure runner Poor secret handling
Security Tool Coverage	Confirms that required scanning tools and security controls are installed, configured, and active in the environment.	Missing scan Disabled tool
Container Security	Analyzes container images for vulnerabilities, embedded secrets, insecure configurations, and unsafe base images.	Vulnerable base image Embedded secrets
Dynamic App Security	Detects security issues found during runtime testing, including logic flaws, authentication failures, and exposed endpoints.	Auth bypass Logic flaw
API Security	Checks API configuration, authentication, authorization, and exposure settings to ensure safe API behavior.	Weak authorization Exposed endpoints
Artifact Integrity	Validates that build artifacts are authenticated, untampered, complete, and consistent with expected metadata.	Tampered artifact Missing signature
Cloud Security	Evaluates Cloud Asset Posture and Cloud Security Posture (CSPM).	Public bucket, exposed access key
Manual Upload	Analyzes manually uploaded issue files (CSV/SARIF).	Malware indicator Invalid metadata

## **Policy permissions**

Role	View	Edit
Admin
Policy Manager
Dev Manager / Security Champion
Developer
Read only

## **Edit policy settings** OX determines the policy severity by default, but you can change the severity or enable / disable the policy if your organization requires it.

**To change policy severity:** 1. Select the severity from the dropdown. 2. To save the change in the current profile, click **SAVE** in the page header. **To enable or disable a policy:** 1. Use the ON / OFF toggle. 2. To save the change in the current profile, click **SAVE** in the page header. {% hint style="info" %} If you want to save the changes **and** create a separate profile, see the section [Create or edit policy profiles](#create-or-edit-policy-profiles). {% endhint %} ## **Filter policy issues** 1. Open the Active Issues page. 2. Use the **Policy** filter to refine the list by category or specific policy. ## **Create or edit policy profiles** The Policies page has a default profile. You can create multiple profiles anḍ decide which profile you want to be the active profile. OX backs up the active profile only.

**To save changes to the current profile:** 1. Change either the severity and/or ON/OFF status on one or multiple policies. 2. From the page header, click **SAVE**. **To create a new profile:** * From the page header, click **SAVE AS**, name the profile, and choose whether to set it as the active profile.\

**To change the active profile:** 1. From the page header, open the **Select Profile** dropdown and select the profile you want to make active. 2. Activate the checkbox **Set as active profile**. When you return to the Policies page, the new active profile displays.\ ![](/files/5flJ3aaPkC4uImFJkCVG) **To view a non-active profile:** * Select the profile from the Select Profile dropdown. ## Policy best practices We recommend you: * Review issues regularly to identify non-compliant artifacts. * Enable only the policies your organization needs. * Adjust the OX policy severity only if you believe that the default severity does not reflect your organization’s risk policy. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.ox.security/ox-policies/policies.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.