Safeguard Documentation Center
Enterprise Software Supply Chain Manager (ESSCM)

Policies & Gates

Define and enforce security requirements across your software supply chain

Policies and Gates allow you to define security requirements and automatically enforce them across your software supply chain.

Understanding Policies vs Gates

Policies

Rules that evaluate your SBOMs and generate findings:

  • Define acceptable risk thresholds
  • Specify required security controls
  • Can be advisory or blocking

Gates

Checkpoints that enforce policies:

  • Block deployments when policies fail
  • Integrate with CI/CD pipelines
  • Require approvals for exceptions

Creating Policies

Policy Builder

  1. Navigate to Settings > Policies
  2. Click Create Policy
  3. Define conditions using the visual builder or YAML
  4. Set severity and actions
  5. Save and enable

Policy Conditions

Condition                Example
Vulnerability Severity   No critical CVEs
CVSS Score               No vulnerabilities above 7.0
EPSS Score               No actively exploited CVEs
License                  No GPL licenses
Component Age            No components older than 2 years
Maintenance              No abandoned packages
SLSA Level               Require SLSA Level 2 attestations
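The following is an added example, not Safeguard's or the ESSCM product's own code: a minimal policy evaluator that applies conditions like those in the table above to a constructed SBOM-style component list and returns findings, each marked as blocking or advisory in the sense of the "Policies" section. The field names, the thresholds (an EPSS cut-off of 0.5 for "actively exploited", a 365-day window for "abandoned") and the choice of which policies block are assumptions made for illustration; the CVE ids in the sample data are placeholders.

```python
# Added example (not Safeguard's or the ESSCM product's own code): a minimal
# policy evaluator over a constructed SBOM-style component list. Field names,
# thresholds and the blocking/advisory split are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Tuple


@dataclass
class Vulnerability:
    cve_id: str
    severity: str   # "critical", "high", "medium" or "low"
    cvss: float     # CVSS base score, 0.0-10.0
    epss: float     # EPSS probability of exploitation, 0.0-1.0


@dataclass
class Component:
    name: str
    version: str
    license: str
    released: date      # release date of this version
    last_commit: date   # most recent upstream activity
    slsa_level: int     # highest SLSA level attested for the build
    vulns: List[Vulnerability] = field(default_factory=list)


@dataclass
class Finding:
    policy: str
    component: str
    detail: str
    blocking: bool      # True = gate-blocking, False = advisory


# Assumed thresholds.
EPSS_ACTIVE = 0.5       # treat EPSS >= 0.5 as "actively exploited"
MAX_AGE_DAYS = 2 * 365  # "older than 2 years"
ABANDONED_DAYS = 365    # no upstream activity for a year

# Each policy: (name, blocking?, check). A check returns one detail string
# per violation it finds on a component, or an empty list.
POLICIES: List[Tuple[str, bool, Callable[[Component, date], List[str]]]] = [
    ("no-critical-vulnerabilities", True,
     lambda c, t: [f"{v.cve_id} is {v.severity}" for v in c.vulns if v.severity == "critical"]),
    ("cvss-not-above-7.0", True,
     lambda c, t: [f"{v.cve_id} has CVSS {v.cvss}" for v in c.vulns if v.cvss > 7.0]),
    ("no-actively-exploited-cves", True,
     lambda c, t: [f"{v.cve_id} has EPSS {v.epss}" for v in c.vulns if v.epss >= EPSS_ACTIVE]),
    ("no-gpl-licenses", False,
     lambda c, t: [f"license {c.license}"] if c.license.startswith("GPL") else []),
    ("component-age", False,
     lambda c, t: [f"released {c.released}"] if (t - c.released).days > MAX_AGE_DAYS else []),
    ("no-abandoned-packages", False,
     lambda c, t: [f"last upstream commit {c.last_commit}"]
     if (t - c.last_commit).days > ABANDONED_DAYS else []),
    ("slsa-level-2", True,
     lambda c, t: [f"SLSA level {c.slsa_level} attested"] if c.slsa_level < 2 else []),
]


def evaluate(sbom: List[Component], today: date) -> List[Finding]:
    """Run every policy over every component and collect the findings."""
    findings = []
    for comp in sbom:
        for name, blocking, check in POLICIES:
            for detail in check(comp, today):
                findings.append(Finding(name, f"{comp.name}@{comp.version}", detail, blocking))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Counts a gate would act on: blocking findings fail the gate, advisory ones do not."""
    blocking = sum(1 for f in findings if f.blocking)
    return {"total": len(findings), "blocking": blocking, "advisory": len(findings) - blocking}


# Constructed sample SBOM; the CVE ids are placeholders, not real advisories.
TODAY = date(2025, 1, 15)
SAMPLE_SBOM = [
    Component("libalpha", "1.2.3", "MIT", date(2024, 6, 1), date(2024, 12, 1), 2,
              [Vulnerability("CVE-EXAMPLE-0001", "critical", 9.8, 0.91)]),
    Component("libbeta", "0.9.0", "GPL-3.0-only", date(2022, 1, 10), date(2022, 2, 1), 1),
    Component("libgamma", "4.0.0", "Apache-2.0", date(2024, 9, 1), date(2025, 1, 2), 3,
              [Vulnerability("CVE-EXAMPLE-0002", "medium", 5.3, 0.02)]),
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_SBOM, TODAY)
    for f in results:
        print("BLOCK " if f.blocking else "ADVISE", f.policy, f.component, f.detail)
    print(summarize(results))
```

Run as a script it lists seven findings: three blocking ones on libalpha (one critical CVE trips the severity, CVSS and EPSS policies at once) and four on libbeta, of which only the missing SLSA attestation blocks; libgamma passes every policy. Keeping blocking and advisory findings in one list, distinguished by a flag, is what lets a gate fail on the former while still surfacing the latter in reports.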

Policy Templates

Pre-built templates for common requirements:

  • No Critical Vulnerabilities - Block critical CVEs
  • License Compliance - Enforce approved licenses
  • FedRAMP Ready - Federal compliance requirements
  • EO 14028 Compliance - Executive Order requirements
  • SLSA Level 2 - Supply chain attestations
  • No Abandoned Packages - Block unmaintained dependencies

Gate Configuration

CI/CD Integration

Add gates to your pipeline:

# GitHub Actions
- name: Security Gate
  uses: safeguard-sh/gate-action@v1
  with:
    api-key: ${{ secrets.SAFEGUARD_API_KEY }}
    policy: production
    fail-on: critical

Gate Actions

When a gate fails:

Action             Description
Block              Prevent deployment
Warn               Allow with warning
Notify             Send notification only
Require Approval   Wait for manual approval

Policy Exceptions

Requesting Exceptions

When a legitimate exception is needed:

  1. Click Request Exception
  2. Select the policy and finding
  3. Provide business justification
  4. Set expiration date
  5. Submit for approval

Exception Workflow

  1. Request created by developer
  2. Notification sent to approvers
  3. Approver reviews and decides
  4. Exception granted or denied
  5. Audit trail recorded
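The following is an added example, not Safeguard's or the ESSCM product's own code, covering both the gate actions table and the exception workflow above: a gate decision that applies a fail-on severity and a configured action, suppresses findings covered by an approved and unexpired exception, and records an audit trail entry for every decision. The severity ordering, the exception fields and the outcome names are assumptions; the findings and exceptions in the sample data are constructed.

```python
# Added example (not Safeguard's or the ESSCM product's own code): a gate
# decision that honours approved, unexpired policy exceptions and writes an
# audit trail. Severity ranks, exception fields and outcome names are assumed.
from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Gate action (left) and the outcome the pipeline sees when the gate fails.
GATE_ACTIONS = {
    "block": "blocked",
    "warn": "passed-with-warning",
    "notify": "passed-notified",
    "require-approval": "awaiting-approval",
}


@dataclass(frozen=True)
class Finding:
    policy: str
    component: str
    severity: str


@dataclass
class PolicyException:
    policy: str
    component: str
    justification: str
    expires: date
    status: str  # "pending", "approved" or "denied"


def active_exceptions(exceptions: List[PolicyException], today: date) -> Set[Tuple[str, str]]:
    """Only approved exceptions that have not yet expired suppress findings."""
    return {(e.policy, e.component) for e in exceptions
            if e.status == "approved" and e.expires >= today}


def evaluate_gate(findings: List[Finding], exceptions: List[PolicyException],
                  fail_on: str, action: str, today: date):
    """Return (outcome, failing findings, audit trail lines)."""
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown fail-on severity {fail_on!r}")
    if action not in GATE_ACTIONS:
        raise ValueError(f"unknown gate action {action!r}")
    active = active_exceptions(exceptions, today)
    audit, failing = [], []
    for f in findings:
        if (f.policy, f.component) in active:
            audit.append(f"SUPPRESSED {f.policy} on {f.component}: approved exception in force")
        elif SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on]:
            audit.append(f"FAIL {f.policy} on {f.component}: {f.severity} >= {fail_on}")
            failing.append(f)
        else:
            audit.append(f"NOTE {f.policy} on {f.component}: {f.severity} below {fail_on}")
    outcome = GATE_ACTIONS[action] if failing else "pass"
    audit.append(f"GATE {outcome} (action={action}, fail-on={fail_on}, date={today})")
    return outcome, failing, audit


# Constructed sample findings and exception requests.
SAMPLE_FINDINGS = [
    Finding("no-critical-vulnerabilities", "libalpha@1.2.3", "critical"),
    Finding("slsa-level-2", "libbeta@0.9.0", "high"),
    Finding("no-gpl-licenses", "libbeta@0.9.0", "low"),
]
SAMPLE_EXCEPTIONS = [
    # Approved but already expired on the dates used below in 2025.
    PolicyException("no-critical-vulnerabilities", "libalpha@1.2.3",
                    "fix scheduled for next sprint", date(2024, 12, 31), "approved"),
    # Approved and in force until 2025-03-01.
    PolicyException("slsa-level-2", "libbeta@0.9.0",
                    "vendor build, attestation in progress", date(2025, 3, 1), "approved"),
    # Still pending: does not suppress anything.
    PolicyException("no-gpl-licenses", "libbeta@0.9.0",
                    "legal review pending", date(2025, 6, 1), "pending"),
]

if __name__ == "__main__":
    outcome, _, audit = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS,
                                      "critical", "block", date(2025, 1, 15))
    print("\n".join(audit))
```

Run as a script on 15 January 2025 the gate is blocked: the exception for the critical finding expired on 31 December, so the finding counts again, while the SLSA finding stays suppressed and the pending licence exception has no effect. The same inputs evaluated a month earlier pass, which is why the expiration date set in the request is part of the decision rather than a reminder, and why every suppression is written to the audit trail alongside the failures.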

Compliance Reporting

Track policy compliance with reports:

  • Compliance status by policy
  • Exception history
  • Violation trends
  • Audit documentation
