
Policy Engine

Enforce security policies with configurable severity thresholds and actions. Block, warn, or allow vulnerabilities based on your organization's requirements.


How It Works

The Policy Engine evaluates scan results against defined policies and returns:

  • Block - Fail the build/request
  • Warn - Log warning, continue
  • Allow - No action

    builder.Services.AddPrimusSecurity(opts =>
    {
        opts.EnablePolicyValidation = true;
        opts.FailOnCritical = true; // Block on critical findings
    });

Policy Configuration

Basic Configuration

    {
      "PrimusSecurity": {
        "EnablePolicyValidation": true,
        "FailOnCritical": true,
        "MaxCriticalFindings": 0,
        "MaxHighFindings": 5,
        "MinimumSeverity": "Medium"
      }
    }

Advanced Policy

    var policy = new SecurityPolicy
    {
        Name = "Production Security Policy",
        MinimumSeverity = SecuritySeverity.Medium,
        MaxCriticalFindings = 0,
        MaxHighFindings = 0,
        BlockOnCategories = new[] { "Secrets", "Injection" },
        AllowedCves = new[] { "CVE-2021-accepted-risk" }
    };

    var engine = new PolicyEngine();
    var result = engine.Evaluate(scanResult.Findings, policy);

    if (result.Action == PolicyAction.Block)
    {
        throw new SecurityPolicyViolationException(result.Violations);
    }

API Usage

Validate Policy

    [HttpPost("validate-policy")]
    public IActionResult ValidatePolicy([FromBody] ValidatePolicyRequest request)
    {
        // ParseSeverity maps the request's severity string (e.g. "critical")
        // to SecuritySeverity; the helper itself is not shown on this page.
        var findings = request.Findings.Select(f => new SecurityFinding
        {
            Severity = ParseSeverity(f.Severity),
            Title = f.Title,
            CvssScore = f.CvssScore
        });

        var result = _policyEngine.Evaluate(findings, new SecurityPolicy
        {
            MaxCriticalFindings = request.MaxCriticalFindings,
            MaxHighFindings = request.MaxHighFindings
        });

        return Ok(new
        {
            Passed = result.Action != PolicyAction.Block,
            Action = result.Action.ToString(),
            Violations = result.Violations
        });
    }

Request

    {
      "findings": [
        { "severity": "critical", "title": "Hardcoded AWS Key", "cvssScore": 9.8 },
        { "severity": "high", "title": "SQL Injection", "cvssScore": 7.5 }
      ],
      "maxCriticalFindings": 0,
      "maxHighFindings": 5
    }

Response

    {
      "passed": false,
      "action": "Block",
      "violations": [
        {
          "rule": "MaxCriticalFindings",
          "description": "Critical findings exceed threshold",
          "threshold": "0",
          "actual": "1"
        }
      ]
    }

Policy Actions

    Action   Behavior
    Block    Fail the build, return error
    Warn     Log warning, allow to continue
    Allow    No action taken

Threshold Configuration

    Setting               Description                     Default
    MaxCriticalFindings   Max allowed critical issues     0
    MaxHighFindings       Max allowed high issues         5
    MinimumSeverity       Ignore findings below this      Medium
    BlockOnCategories     Always block these categories   []
    AllowedCves           Accepted risk CVEs              []
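The following is an added reference implementation, not the PrimusSecurity library's own PolicyEngine, showing one consistent way the settings in the table above can combine into a Block, Warn or Allow decision: accepted-risk CVEs are dropped first, findings below MinimumSeverity are ignored, any remaining finding in a BlockOnCategories category blocks regardless of counts, and the MaxCriticalFindings / MaxHighFindings thresholds are checked last. The type names mirror the page's usage; the Category and Cve properties on SecurityFinding, the PolicyViolation shape (mirroring the JSON response above), and the rule that in-scope findings with no violation produce Warn rather than Allow are assumptions of this example.

```csharp
// Added reference evaluator; not the library's PolicyEngine.
using System;
using System.Collections.Generic;
using System.Linq;

public enum SecuritySeverity { Low, Medium, High, Critical }
public enum PolicyAction { Allow, Warn, Block }

public sealed class SecurityFinding
{
    public SecuritySeverity Severity { get; set; }
    public string Title { get; set; } = "";
    public double CvssScore { get; set; }
    public string Category { get; set; } = "";   // assumption: finding category, e.g. "Secrets"
    public string? Cve { get; set; }             // assumption: CVE id when the finding has one
}

public sealed class SecurityPolicy
{
    public string Name { get; set; } = "";
    public SecuritySeverity MinimumSeverity { get; set; } = SecuritySeverity.Medium;
    public int MaxCriticalFindings { get; set; } = 0;
    public int MaxHighFindings { get; set; } = 5;
    public string[] BlockOnCategories { get; set; } = Array.Empty<string>();
    public string[] AllowedCves { get; set; } = Array.Empty<string>();
}

// Assumed shape; field names follow the "violations" entries in the response above.
public sealed record PolicyViolation(string Rule, string Description, string Threshold, string Actual);

public sealed class PolicyResult
{
    public PolicyAction Action { get; set; }
    public List<PolicyViolation> Violations { get; } = new();
}

public sealed class ReferencePolicyEngine
{
    public PolicyResult Evaluate(IEnumerable<SecurityFinding> findings, SecurityPolicy policy)
    {
        var result = new PolicyResult();

        // 1. AllowedCves: accepted-risk findings are removed before anything is counted.
        // 2. MinimumSeverity: findings below the floor are ignored entirely.
        var inScope = findings
            .Where(f => f.Cve == null || !policy.AllowedCves.Contains(f.Cve, StringComparer.OrdinalIgnoreCase))
            .Where(f => f.Severity >= policy.MinimumSeverity)
            .ToList();

        // 3. BlockOnCategories: a single in-scope finding in a blocked category is a violation
        //    no matter what the count thresholds say.
        var blocked = inScope
            .Where(f => policy.BlockOnCategories.Contains(f.Category, StringComparer.OrdinalIgnoreCase))
            .ToList();
        if (blocked.Count > 0)
            result.Violations.Add(new PolicyViolation("BlockOnCategories",
                "Findings in blocked categories: " + string.Join(", ", blocked.Select(f => f.Category).Distinct()),
                "0", blocked.Count.ToString()));

        // 4. Count thresholds: strictly more than the allowed number is a violation.
        int critical = inScope.Count(f => f.Severity == SecuritySeverity.Critical);
        if (critical > policy.MaxCriticalFindings)
            result.Violations.Add(new PolicyViolation("MaxCriticalFindings",
                "Critical findings exceed threshold", policy.MaxCriticalFindings.ToString(), critical.ToString()));

        int high = inScope.Count(f => f.Severity == SecuritySeverity.High);
        if (high > policy.MaxHighFindings)
            result.Violations.Add(new PolicyViolation("MaxHighFindings",
                "High findings exceed threshold", policy.MaxHighFindings.ToString(), high.ToString()));

        // Decision (assumed rule): any violation blocks; in-scope findings without a
        // violation warn; nothing left in scope allows.
        result.Action = result.Violations.Count > 0 ? PolicyAction.Block
                      : inScope.Count > 0 ? PolicyAction.Warn
                      : PolicyAction.Allow;
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: the two findings from the Request example above, with assumed categories.
        var findings = new[]
        {
            new SecurityFinding { Severity = SecuritySeverity.Critical, Title = "Hardcoded AWS Key", CvssScore = 9.8, Category = "Secrets" },
            new SecurityFinding { Severity = SecuritySeverity.High, Title = "SQL Injection", CvssScore = 7.5, Category = "Injection" },
        };
        var policy = new SecurityPolicy { MaxCriticalFindings = 0, MaxHighFindings = 5 };
        var result = new ReferencePolicyEngine().Evaluate(findings, policy);

        Console.WriteLine(result.Action);   // Block: one critical finding against MaxCriticalFindings = 0
        foreach (var v in result.Violations)
            Console.WriteLine($"{v.Rule}: {v.Description} (threshold {v.Threshold}, actual {v.Actual})");
    }
}
```

The ordering matters for auditability: because AllowedCves and MinimumSeverity filter before the category and count checks, an accepted-risk CVE in a blocked category does not block, and a Low finding never counts toward a threshold even when MinimumSeverity is lowered later. If your organization wants blocked categories to override accepted-risk entries, swap steps 1 and 3.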

Integration with CI/CD

# In your CI pipeline
dotnet run --project SecurityScanner -- --policy strict

# Exit code 1 = policy violation (fail build)
# Exit code 0 = policy passed
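As an added example (not the project's own SecurityScanner source), here is a console entry point that maps the engine's decision to the exit codes above, using the page's PolicyEngine, SecurityPolicy and PolicyAction types. The handling of the --policy strict argument, the violation property names (Rule, Description, Threshold, Actual, mirroring the JSON response above) and the constructed findings returned by the RunScan helper are assumptions of this example.

```csharp
// Added example of the CI entry point; not the project's SecurityScanner code.
using System;
using System.Collections.Generic;
using System.Linq;

public static class Program
{
    public static int Main(string[] args)
    {
        // Assumption: "--policy strict" tightens the thresholds; any other value
        // keeps the defaults from the Threshold Configuration table.
        var policyName = args.SkipWhile(a => a != "--policy").Skip(1).FirstOrDefault() ?? "default";
        bool strict = policyName == "strict";

        var policy = new SecurityPolicy
        {
            Name = strict ? "Strict CI Policy" : "Default CI Policy",
            MinimumSeverity = strict ? SecuritySeverity.Low : SecuritySeverity.Medium,
            MaxCriticalFindings = 0,
            MaxHighFindings = strict ? 0 : 5
        };

        var result = new PolicyEngine().Evaluate(RunScan(), policy);

        switch (result.Action)
        {
            case PolicyAction.Block:
                // Print every violation so the CI log explains the failure, then fail the build.
                foreach (var v in result.Violations)
                    Console.Error.WriteLine(
                        $"POLICY VIOLATION [{v.Rule}] {v.Description} (threshold {v.Threshold}, actual {v.Actual})");
                return 1;   // exit code 1 = policy violation
            case PolicyAction.Warn:
                // Log the warning and continue; the build still passes.
                Console.WriteLine($"WARNING: policy '{policy.Name}' passed with warnings");
                return 0;
            default:
                return 0;   // Allow: exit code 0 = policy passed
        }
    }

    // Assumed helper: a real pipeline would run the scanner here. This returns
    // constructed findings so the exit-code mapping can be exercised offline.
    private static IEnumerable<SecurityFinding> RunScan() => new[]
    {
        new SecurityFinding { Severity = SecuritySeverity.High, Title = "SQL Injection", CvssScore = 7.5 }
    };
}
```

With the constructed single High finding, `dotnet run --project SecurityScanner` exits 0 under the default policy (MaxHighFindings 5) and exits 1 under `--policy strict` (MaxHighFindings 0), which is the behaviour a pipeline step relying on the exit code should be tested against before it gates real builds.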

Next Steps

    Want to...                     See Guide
    Generate compliance reports    Enterprise Reporting
    Add to CI/CD pipeline          CI/CD Integration
    Configure secret patterns      Secret Detection