Configuring Policies
Policies evaluate each newly uploaded SBOM against predefined risk criteria and notify designated recipients when policy conditions are met. This reduces time to detection for vulnerability and license compliance risks.
Policy configuration (admins only)
- Go to Settings → Organization → Policies.
- Enable and configure criteria to monitor under Conditions.
- Add one or more email recipients under Action.
- Click Save.
Note: Policy configurations are not automatically inherited by sub-organizations.
Scope: Policies apply to SBOMs uploaded after the policy is saved.
Recommended baselines
- Product security: Vuln recommendation = Mitigate.
- License compliance: License status = Forbidden or Review; License types include Copyleft/Copyleft Limited.
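To make the evaluation concrete, the following is an added Python model of how a saved policy is checked against a newly uploaded SBOM using the two baselines above and the scope rule; it is illustrative code, not the product's own policy engine. Assumed: the component fields `vuln_recommendation`, `license_status` and `license_type`, the example recipient addresses, and that a component matches a policy when any enabled condition matches it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Policy:
    """One policy as set under Settings -> Organization -> Policies (hypothetical model)."""
    name: str
    recipients: list              # Action: team listservs, not individual addresses
    saved_at: datetime            # Scope: only SBOMs uploaded after this are evaluated
    vuln_recommendations: set = field(default_factory=set)   # empty set = condition disabled
    license_statuses: set = field(default_factory=set)
    license_types: set = field(default_factory=set)

def component_matches(policy, comp):
    """Assumption: a component trips the policy when any enabled condition matches it."""
    checks = (
        (policy.vuln_recommendations, comp.get("vuln_recommendation")),
        (policy.license_statuses, comp.get("license_status")),
        (policy.license_types, comp.get("license_type")),
    )
    return any(enabled and value in enabled for enabled, value in checks)

def evaluate(policies, sbom):
    """Return {policy name: (recipients, matching component names)} for policies that fire."""
    results = {}
    for p in policies:
        if sbom["uploaded_at"] <= p.saved_at:   # scope rule: earlier uploads are not re-evaluated
            continue
        hits = [c["name"] for c in sbom["components"] if component_matches(p, c)]
        if hits:
            results[p.name] = (p.recipients, hits)
    return results

# Constructed sample data mirroring the recommended baselines above.
SAVED = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASELINES = [
    Policy("Product security", ["security@example.com"], SAVED,
           vuln_recommendations={"Mitigate"}),
    Policy("License compliance", ["legal@example.com"], SAVED,
           license_statuses={"Forbidden", "Review"},
           license_types={"Copyleft", "Copyleft Limited"}),
]
SAMPLE_SBOM = {
    "uploaded_at": datetime(2024, 1, 2, tzinfo=timezone.utc),
    "components": [
        {"name": "openssl", "vuln_recommendation": "Mitigate", "license_status": "Approved", "license_type": "Permissive"},
        {"name": "libfoo", "vuln_recommendation": "Monitor", "license_status": "Review", "license_type": "Copyleft"},
    ],
}
```

Running `evaluate(BASELINES, SAMPLE_SBOM)` fires both baselines, each with its own recipient list, while an SBOM uploaded at or before `SAVED` triggers nothing.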
Best practices
- Use team listservs for recipients (e.g., security@…); avoid individual email addresses.
- Start with stricter thresholds and tune based on alert volume.
