Manage Unified Application Security Policies through the tenant.
Navigate to policies
Navigate to → → →
The policy table displays all policies (out-of-the-box (OOTB) and custom).
Understanding the AppSec Policies inventory
The policies inventory provides a comprehensive view of all policy attributes, both visible and underlying, allowing you to understand how each policy is defined, evaluated, and enforced across the system.
Visible attributes (default)
The following attributes display by default when the policy table loads.
| Attribute | Description |
|---|---|
| Name | The policy name. OOTB policies display a system-defined name; custom policies display the user-defined name |
| Status | The policy status: Enabled (actively evaluating findings) or Disabled (not evaluating findings) |
| Triggers | The enabled triggers for the policy (PR scan, CI scan, Periodic scan). Triggers display in shift-left order: PR scan (leftmost enforcement) before CI scan before Periodic scan |
| Actions | The configured actions for each enabled trigger (Create Issue, Block PR, Report PR Comment, Block CI, Report CI) |
| Conditions | The finding types and condition filters configured for the policy |
| Scope | The asset scope: specific asset groups, asset type matching criteria, or all assets |
| Issues Count | Total issues created by the policy. Displays both the cumulative total and the count from the last seven days |
| Blocked PRs | Total pull requests blocked by the policy. Displays both the cumulative total and the count from the last seven days |
| Blocked CI | Total CI pipelines blocked by the policy. Displays both the cumulative total and the count from the last seven days |
| Last Triggered | The timestamp of the most recent policy evaluation that produced a match |
| Created By | The user who created the policy. OOTB policies display System |
| Modified By | The user who last modified the policy |
Hidden attributes (available via column picker)
The following attributes are not displayed by default. Select the attribute settings icon to enable these columns.
| Attribute | Description | Use when |
|---|---|---|
| Description | The user-defined description of the policy (maximum 500 characters) | Reviewing policy intent or purpose across a large policy inventory |
| Policy Type | The policy type: Code Scanners, CI/CD Configuration Scanners, or Drift Detection Scanner | Filtering or sorting policies by enforcement category |
| Finding Types | The specific finding types the policy evaluates (Vulnerabilities, Secrets, IaC Misconfigurations, Code Weaknesses, License Miscompliance, Operational Risk, CI/CD Risks, Drift, Malware) | Identifying which finding categories each policy covers to detect coverage gaps |
| Grace Period | The configured grace period duration (1–365 days) before enforcement actions activate. Displays "None" when no grace period is configured | Auditing grace period alignment with organizational SLA targets by Urgency tier |
| Created Date | The timestamp when the policy was created | Auditing policy creation history or identifying recently added policies |
| Modified Date | The timestamp of the most recent policy modification | Tracking policy change frequency or identifying stale policies that have not been updated |
| Policy ID | The unique system-generated identifier for the policy. Required for API operations | Referencing policies in API calls (GET /public_api/appsec/v1/policies/{policyId}) or automation scripts |
| Custom/OOTB | Indicates whether the policy is a custom (user-created) policy or an out-of-the-box (system-defined) policy | Distinguishing between system-provided baseline policies and organization-specific custom policies |
Note
SBAC restricts table visibility. The policy table displays only policies scoped to assets within the user's assigned application boundary. Policies scoped to assets outside the user's SBAC scope are not visible.