About Policies

Policies help organizations control risk across the supply chain and enforce security standards. When a policy detects a violation, OX creates an issue and links it to the relevant application, repository, or artifact.

Policy categories

Each policy category focuses on a different area of the organization’s supply chain, such as code, dependencies, pipelines, cloud posture, or artifacts. You can view the categories on the Policies page in the UI.

Each entry below lists the policy category, its description, and the typical Critical issues it raises.

Git Posture
  Description: Checks repository configuration, access controls, branch protection rules, exposure settings, and overall repository security posture.
  Typical Critical issues: Public repo; Weak branch protection

Code Security
  Description: Evaluates source code using static analysis and pattern detection (SAST). Identifies insecure coding patterns and vulnerabilities in source code before the application is built or deployed.
  Typical Critical issues: SAST issues; Use of unapproved SaaS in code; Code smell detections; SQL Injection; XML External Entity

Secret / PII Scan
  Description: Detects exposed secrets, credentials, and personally identifiable information in code, configuration files, and commit history.
  Typical Critical issues: API key leak; Token in history; Hard-coded secrets

Open Source Security
  Description: Uses Software Composition Analysis (SCA) to review open-source dependencies and base images for Common Vulnerabilities and Exposures (CVEs).
  Typical Critical issues: Critical CVEs

SBOM
  Description: Flags third-party libraries with unapproved licensing, low health (i.e., outdated or unpopular libraries), or malicious behavior. Validates dependency and artifact metadata, including completeness, accuracy, and licensing compliance across the supply chain.
  Typical Critical issues: Disallowed license; Missing metadata; Malicious dependencies

Infrastructure as Code Scan
  Description: Checks IaC templates (Terraform, CloudFormation, Kubernetes YAML, Helm, etc.) for insecure defaults and misconfigurations.
  Typical Critical issues: Open security group; Weak IAM role

CI/CD Posture
  Description: Evaluates CI/CD pipeline permissions, runner security, secret handling, and build isolation controls.
  Typical Critical issues: Insecure runner; Poor secret handling

Security Tool Coverage
  Description: Confirms that required scanning tools and security controls are installed, configured, and active in the environment.
  Typical Critical issues: Missing scan; Disabled tool

Container Security
  Description: Analyzes container images for vulnerabilities, embedded secrets, insecure configurations, and unsafe base images.
  Typical Critical issues: Vulnerable base image; Embedded secrets

Dynamic App Security
  Description: Detects security issues found during runtime testing, including logic flaws, authentication failures, and exposed endpoints.
  Typical Critical issues: Auth bypass; Logic flaw

API Security
  Description: Checks API configuration, authentication, authorization, and exposure settings to ensure safe API behavior.
  Typical Critical issues: Weak authorization; Exposed endpoints

Artifact Integrity
  Description: Validates that build artifacts are authenticated, untampered, complete, and consistent with expected metadata.
  Typical Critical issues: Tampered artifact; Missing signature

Cloud Security
  Description: Evaluates Cloud Asset Posture and Cloud Security Posture Management (CSPM).
  Typical Critical issues: Public bucket; Exposed access key

Manual Upload
  Description: Analyzes manually uploaded issue files (CSV/SARIF).
  Typical Critical issues: Malware indicator; Invalid metadata

Policy permissions

Each role has View and Edit permissions for policies, as listed on the Policies page:

  • Admin

  • Policy Manager

  • Dev Manager / Security Champion

  • Developer

  • Read only

Edit policy settings

OX sets a default severity for each policy, but you can change the severity, or enable or disable the policy, if your organization requires it.

To change policy severity:

  1. Select the severity from the dropdown.

  2. To save the change in the current profile, click SAVE in the page header.

To enable or disable a policy:

  1. Use the ON / OFF toggle.

  2. To save the change in the current profile, click SAVE in the page header.

If you want to save the changes and create a separate profile, see the section Create or edit policy profiles.

Filter policy issues

  1. Open the Active Issues page.

  2. Use the Policy filter to refine the list by category or specific policy.

Create or edit policy profiles

The Policies page has a default profile. You can create multiple profiles and decide which profile is the active profile. OX backs up the active profile only.

To save changes to the current profile:

  1. Change the severity and/or the ON/OFF status of one or more policies.

  2. From the page header, click SAVE.

To create a new profile:

  • From the page header, click SAVE AS, name the profile, and choose whether to set it as the active profile.

To change the active profile:

  1. From the page header, open the Select Profile dropdown and select the profile you want to make active.

  2. Select the Set as active profile checkbox. When you return to the Policies page, the new active profile is displayed.

To view a non-active profile:

  • Select the profile from the Select Profile dropdown.

Policy best practices

We recommend you:

  • Review issues regularly to identify non-compliant artifacts.

  • Enable only the policies your organization needs.

  • Adjust the OX policy severity only if you believe that the default severity does not reflect your organization’s risk policy.
