Policy Configuration Reference

Technical rules for thresholding, inheritance, exception lifecycle, and policy-evaluation precedence.

Threshold Levels

  • Critical: blocks merge by default.
  • High: configurable block or warn mode.
  • Medium/Low: report-only by default unless explicitly escalated.
  • Category overrides: allow stricter handling for selected finding categories. An override can tighten the action chosen by severity, never loosen it.

Scope And Inheritance

  1. Org policy defines baseline defaults.
  2. Repository policy may override only the fields that the organization policy permits to be overridden; other fields are inherited unchanged.
  3. Branch protection rules can enforce required checks independently of the threshold.
  4. Environment-specific policy applies at deploy/runtime verification stages.

Evaluation Precedence

  1. Hard deny category controls (if configured)
  2. Active, valid exemptions scoped to finding/repository/branch
  3. Repository threshold policy
  4. Organization baseline policy
  5. Default platform behavior

Higher entries take precedence over lower ones. In particular, a hard-deny category blocks even when a valid exemption matches the finding, and a valid exemption takes effect regardless of the threshold set at repository or organization level.

Exemption Requirements

  • Must include owner, justification, and expiry date.
  • Must be scoped as narrowly as practical: to a single finding, repository, branch, or commit.
  • Expired exemptions are ignored at evaluation time.
  • All exemption use is retained in policy decision evidence.
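The following is an added example, not the platform's own code, showing how the precedence order and the exemption rules above combine at evaluation time. The configuration field names, the "exempt" outcome label, the placement of hard-deny categories on the organization policy, and the platform default of warn for high findings are all assumptions made for illustration; the page fixes only critical as block and medium/low as report by default.

```python
"""Toy policy evaluator for the documented precedence order (hypothetical config shape)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

STRICTNESS = {"report": 0, "warn": 1, "block": 2}

# Level 5, platform defaults. critical=block and medium/low=report come from the
# page; warn for high is an assumption for this example.
PLATFORM_DEFAULTS = {"critical": "block", "high": "warn", "medium": "report", "low": "report"}


@dataclass
class Finding:
    id: str
    severity: str
    category: str
    repo: str
    branch: str
    commit: str


@dataclass
class Exemption:
    owner: str
    justification: str
    expires: date
    # Scope constraints: every key present must match the finding. Keys are
    # finding, repo, branch, commit; scoping to one finding id is the narrowest.
    scope: dict = field(default_factory=dict)


@dataclass
class Policy:
    thresholds: dict = field(default_factory=dict)          # severity -> action
    category_overrides: dict = field(default_factory=dict)  # category -> action (tighten only)
    hard_deny_categories: set = field(default_factory=set)  # assumed to live on the org policy
    overridable: set = field(default_factory=set)           # fields a repo policy may set


def stricter(a: str, b: str) -> str:
    return a if STRICTNESS[a] >= STRICTNESS[b] else b


def exemption_applies(ex: Exemption, finding: Finding, today: date) -> bool:
    """An exemption counts only if it has owner/justification/expiry, is unexpired and in scope."""
    if not (ex.owner and ex.justification and ex.expires) or not ex.scope:
        return False
    if ex.expires < today:  # expired exemptions are ignored at evaluation time
        return False
    attrs = {"finding": finding.id, "repo": finding.repo,
             "branch": finding.branch, "commit": finding.commit}
    return all(attrs.get(key) == value for key, value in ex.scope.items())


def action_from_policy(policy: Policy, finding: Finding, allowed: Optional[set] = None) -> Optional[str]:
    """Action this policy layer assigns, or None if it is silent for this finding.
    `allowed` limits the fields the layer may set (used for repository policies)."""
    action = None
    if (allowed is None or "thresholds" in allowed) and finding.severity in policy.thresholds:
        action = policy.thresholds[finding.severity]
    if (allowed is None or "category_overrides" in allowed) and finding.category in policy.category_overrides:
        override = policy.category_overrides[finding.category]
        action = override if action is None else stricter(action, override)
    return action


def evaluate(finding: Finding, org: Policy, repo: Policy, exemptions: list, today: date):
    """Return (action, deciding_level, evidence) by walking the precedence list top down."""
    evidence = {"finding": finding.id, "severity": finding.severity, "category": finding.category}
    if finding.category in org.hard_deny_categories:          # 1. hard deny beats exemptions
        return "block", "hard_deny", evidence
    for ex in exemptions:                                      # 2. active, valid, in-scope exemption
        if exemption_applies(ex, finding, today):
            evidence["exemption"] = {"owner": ex.owner, "justification": ex.justification,
                                     "expires": ex.expires.isoformat(), "scope": ex.scope}
            return "exempt", "exemption", evidence
    action = action_from_policy(repo, finding, allowed=org.overridable)  # 3. repository policy
    if action:
        return action, "repository_policy", evidence
    action = action_from_policy(org, finding)                  # 4. organization baseline
    if action:
        return action, "org_policy", evidence
    return PLATFORM_DEFAULTS[finding.severity], "platform_default", evidence  # 5. default


# Constructed sample configuration and findings (hypothetical names).
ORG = Policy(thresholds={"critical": "block", "high": "warn"},
             category_overrides={"unsafe-deserialization": "block"},
             hard_deny_categories={"hardcoded-secret"},
             overridable={"thresholds"})
REPO = Policy(thresholds={"high": "block"},
              category_overrides={"sql-injection": "block"})  # not overridable, so ignored
TODAY = date(2024, 6, 1)
EXEMPTIONS = [
    Exemption("alice", "hard-deny test: must not suppress", date(2024, 12, 31), {"finding": "F-1"}),
    Exemption("alice", "false positive, tracked in ticket", date(2024, 12, 31),
              {"finding": "F-2", "repo": "payments"}),
    Exemption("bob", "legacy code", date(2024, 1, 1), {"finding": "F-3"}),  # expired
]


def demo() -> dict:
    """Map each sample finding id to (action, deciding_level)."""
    findings = [
        Finding("F-1", "high", "hardcoded-secret", "payments", "main", "abc123"),
        Finding("F-2", "critical", "sql-injection", "payments", "main", "abc123"),
        Finding("F-3", "high", "xss", "payments", "main", "abc123"),
        Finding("F-4", "medium", "sql-injection", "payments", "main", "abc123"),
        Finding("F-5", "medium", "unsafe-deserialization", "payments", "main", "abc123"),
    ]
    return {f.id: evaluate(f, ORG, REPO, EXEMPTIONS, TODAY)[:2] for f in findings}


if __name__ == "__main__":
    for fid, (action, level) in demo().items():
        print(fid, action, level)
```

The evidence dictionary returned alongside each decision is where an exemption's owner, justification, expiry and scope are recorded whenever it is used, matching the requirement that exemption use be retained in policy decision evidence. Note that F-1 stays blocked despite a valid exemption because its category is hard-denied, F-3 falls through to the repository threshold because its exemption has expired, and the repository's category override for F-4 is ignored because the organization policy does not list that field as overridable.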