Advanced Configuration and Policies
Progress from basic scanning to policy-driven security enforcement. Define policies that reflect your risk tolerance and compliance requirements. Critical applications might block deployments for any high-severity vulnerability, while internal tools might only flag issues for tracking. Create policy hierarchies that inherit common rules while allowing application-specific overrides. This flexibility enables security standards that teams can actually meet.
// Example: SCA Policy Configuration
{
  "policies": {
    "production": {
      "severity": {
        "high": "block",
        "medium": "warn",
        "low": "monitor"
      },
      "licenses": {
        "forbidden": ["GPL-3.0", "AGPL-3.0"],
        "warning": ["LGPL-3.0"],
        "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause"]
      },
      "age": {
        "maxDaysSinceLastUpdate": 365,
        "action": "warn"
      }
    }
  }
}
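The policy-hierarchy idea above (a shared base policy with per-application overrides) is easy to get wrong when several rules fire on one dependency. The following Python is an added example, not code from the original article or from any particular SCA tool: it reuses the severity, license and age rules from the JSON configuration, and the override shape, the merge semantics, the finding format, the application names and the sample findings are all assumptions constructed for the example.

```python
"""Evaluate SCA findings against a base policy plus application overrides.

Added example (not from the original article). The policy keys mirror the
JSON configuration in the text; everything else here is assumed.
"""
from copy import deepcopy
from datetime import date

# Base policy shared by every application (same rules as the JSON example).
BASE_POLICY = {
    "severity": {"high": "block", "medium": "warn", "low": "monitor"},
    "licenses": {
        "forbidden": ["GPL-3.0", "AGPL-3.0"],
        "warning": ["LGPL-3.0"],
        "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause"],
    },
    "age": {"maxDaysSinceLastUpdate": 365, "action": "warn"},
}

# Application-specific overrides (assumed shape): only the keys that differ.
APP_OVERRIDES = {
    "payments-api": {"severity": {"medium": "block"}},  # critical app: stricter
    "internal-wiki": {"severity": {"high": "warn"}, "age": {"action": "monitor"}},
}

# Used to pick the strictest action when several rules fire on one package.
ACTION_RANK = {"monitor": 0, "warn": 1, "block": 2}


def merge_policy(base, override):
    """Recursively merge override into a copy of base: dicts merge, leaves replace."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_policy(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def effective_policy(app):
    """Base policy with the application's overrides applied (base only if none)."""
    return merge_policy(BASE_POLICY, APP_OVERRIDES.get(app, {}))


def evaluate_finding(policy, finding, today):
    """Return (action, reasons) for one finding.

    finding: {"package", "severity" (or None), "license", "lastUpdate": date or None}
    """
    fired = []
    sev = finding.get("severity")
    if sev in policy["severity"]:
        fired.append((policy["severity"][sev], f"severity {sev}"))
    lic = finding.get("license")
    lic_rules = policy["licenses"]
    if lic in lic_rules["forbidden"]:
        fired.append(("block", f"forbidden license {lic}"))
    elif lic in lic_rules["warning"]:
        fired.append(("warn", f"license {lic} needs review"))
    elif lic not in lic_rules["allowed"]:
        # Not explicitly allowed: treat an unknown license as needing review.
        fired.append(("warn", f"license {lic!r} not on allow list"))
    last = finding.get("lastUpdate")
    age_rule = policy["age"]
    if last is not None and (today - last).days > age_rule["maxDaysSinceLastUpdate"]:
        fired.append((age_rule["action"], f"unmaintained for {(today - last).days} days"))
    if not fired:
        return "pass", []
    worst = max(fired, key=lambda item: ACTION_RANK[item[0]])[0]
    return worst, [reason for _, reason in fired]


def evaluate_scan(app, findings, today):
    """Return (build_blocked, {package: (action, reasons)}) for a scan of one app."""
    policy = effective_policy(app)
    results = {f["package"]: evaluate_finding(policy, f, today) for f in findings}
    build_blocked = any(action == "block" for action, _ in results.values())
    return build_blocked, results


# Constructed sample findings (not real advisories); one scan run on 2024-09-01.
TODAY = date(2024, 9, 1)
SAMPLE_FINDINGS = [
    {"package": "lodash", "severity": "medium", "license": "MIT", "lastUpdate": date(2023, 1, 1)},
    {"package": "somelib", "severity": None, "license": "LGPL-3.0", "lastUpdate": date(2024, 6, 1)},
    {"package": "oldtool", "severity": "low", "license": "MIT", "lastUpdate": date(2020, 1, 1)},
    {"package": "xmlparse", "severity": "high", "license": "Apache-2.0", "lastUpdate": date(2024, 8, 1)},
]

if __name__ == "__main__":
    for app in ("payments-api", "internal-wiki"):
        blocked, results = evaluate_scan(app, SAMPLE_FINDINGS, TODAY)
        print(app, "BLOCKED" if blocked else "passes")
        for package, (action, reasons) in results.items():
            print(f"  {package:10} {action:8} {'; '.join(reasons)}")
```

The same scan blocks `payments-api` (medium severity is escalated to block by its override, and the high-severity finding blocks anyway) but only warns for `internal-wiki`, which is exactly the inheritance-with-overrides behaviour the paragraph describes. Taking the strictest action across all rules that fire matters: an old package with a merely monitored severity still warns because of the age rule.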
Implement gradual policy enforcement to prevent disrupting active development. Start by monitoring policy violations without blocking builds, giving teams time to understand and address issues. Gradually increase enforcement, beginning with new code before addressing technical debt. Use feature flags or pipeline parameters to enable different enforcement levels, allowing quick rollback if policies prove too restrictive.
Configure intelligent alerting to prevent notification fatigue. Route high-severity vulnerabilities in production-bound code to security teams immediately. Send medium-severity issues to development team channels for sprint planning. Aggregate low-severity findings into weekly reports. Use smart grouping to prevent duplicate alerts when the same vulnerability affects multiple projects. This targeted approach ensures important issues receive attention without overwhelming teams.
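The two preceding paragraphs (gradual enforcement via a pipeline parameter, and severity-based alert routing with grouping) can be combined into one small pipeline step. The Python below is an added example, not code from the original article or any SCA product: the level names, the `SCA_ENFORCEMENT` parameter, the channel names, the finding fields (including `new`, meaning the finding was introduced by the change under review rather than pre-existing technical debt), and the sample findings are all assumptions constructed for the example. Routing of high-severity findings that are not production-bound is not specified in the text; the example sends them to the owning team's channel as an assumption.

```python
"""Gradual enforcement and alert routing for already-evaluated SCA findings.

Added example (not from the original article); level names, parameter name,
channel names and finding fields are assumptions.
"""
from collections import defaultdict

# Enforcement levels from least to most disruptive (assumed names).
LEVELS = ["monitor", "warn-all", "block-new", "block-all"]


def enforcement_level(pipeline_params):
    """Read the level from pipeline parameters (a dict).

    An unset or misspelled value falls back to monitor, so a typo in the
    pipeline definition can only make enforcement looser, never surprise-block.
    """
    level = pipeline_params.get("SCA_ENFORCEMENT", "monitor")
    return level if level in LEVELS else "monitor"


def decide(finding, level):
    """Map the policy action on a finding to the build decision under `level`.

    finding: {"id", "project", "team", "severity", "action", "new": bool, "env"}
    """
    action = finding["action"]
    if action != "block":
        return action  # monitor/warn are never escalated by the enforcement level
    if level == "monitor":
        return "monitor"
    if level == "warn-all":
        return "warn"
    if level == "block-new":
        # Block only findings introduced by this change; existing debt just warns.
        return "block" if finding["new"] else "warn"
    return "block"  # block-all


def route(finding):
    """Choose the alert destination following the routing rules in the text."""
    sev = finding["severity"]
    if sev == "high" and finding["env"] == "production":
        return "security-team"  # immediate attention
    if sev in ("high", "medium"):
        return f"dev-{finding['team']}"  # for sprint planning (high/non-prod assumed here)
    return "weekly-digest"  # low severity aggregated into the weekly report


def group_alerts(findings):
    """One alert per (destination, vulnerability id), listing every affected project."""
    grouped = defaultdict(lambda: defaultdict(set))
    for f in findings:
        grouped[route(f)][f["id"]].add(f["project"])
    return {dest: {vid: sorted(projects) for vid, projects in by_id.items()}
            for dest, by_id in grouped.items()}


def run_pipeline(findings, level):
    """Return (build_blocked, {project/id: decision}, grouped alerts)."""
    decisions = {f"{f['project']}/{f['id']}": decide(f, level) for f in findings}
    return "block" in decisions.values(), decisions, group_alerts(findings)


# Constructed sample findings; VULN-000x are placeholder ids, not real advisories.
SAMPLE = [
    {"id": "VULN-0001", "project": "payments-api", "team": "payments", "severity": "high",
     "action": "block", "new": True, "env": "production"},
    {"id": "VULN-0001", "project": "billing-worker", "team": "payments", "severity": "high",
     "action": "block", "new": False, "env": "production"},
    {"id": "VULN-0002", "project": "internal-wiki", "team": "platform", "severity": "medium",
     "action": "warn", "new": True, "env": "internal"},
    {"id": "VULN-0003", "project": "payments-api", "team": "payments", "severity": "low",
     "action": "monitor", "new": False, "env": "production"},
]

if __name__ == "__main__":
    level = enforcement_level({"SCA_ENFORCEMENT": "block-new"})
    blocked, decisions, alerts = run_pipeline(SAMPLE, level)
    print("level:", level, "| build blocked:", blocked)
    for key, decision in decisions.items():
        print(f"  {key:28} {decision}")
    for dest, by_id in alerts.items():
        for vid, projects in by_id.items():
            print(f"  -> {dest}: {vid} affects {', '.join(projects)}")
```

Under `block-new` the same vulnerability blocks the change that introduced it in `payments-api` while the pre-existing occurrence in `billing-worker` only warns, and the two occurrences still collapse into a single alert to the security team rather than one per project. Flipping the parameter back to `monitor` is the rollback the paragraph describes: nothing is blocked, but the alerts are still generated and routed.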