Create a policy - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Application Security

Product: Cortex Cloud Posture Management (Cortex Cloud Application Security > Cortex CLOUD)
Creation date: 2025-01-22
Last date published: 2026-05-31
Category: Administrator Guide

The policy creation wizard consists of five sequential steps: General, Conditions, Scope, Triggers & Actions, and Summary.

Step 1: General

Define the policy identity and type

  1. Select + Add Policy from the policy table.

  2. Enter a Policy Name (required). The name must be unique across all policies.

  3. Enter a Policy Description (optional).

  4. Select the Policy Type. Refer to Policy types for descriptions.

  5. Select Next.

Step 2: Conditions

Define the finding types and filters that determine which findings the policy matches

  1. Select one or more finding types.

    Refer to Finding types for the available options per policy type.

  2. Configure condition filters to narrow the scope.

    Refer to Condition Filters for the available filters per policy type.

  3. To add additional condition groups, select + Add Condition Group.

    Refer to Condition Filters for OR logic.

  4. For the Vulnerabilities finding type, optionally configure a grace period.

    Refer to Reference E: Grace period logic and configuration for information about grace periods.

  5. Select Next.

Step 3: Scope

Define the asset boundaries for policy evaluation

  • Asset Groups: Select one or more pre-configured asset groups. If no asset groups are selected, the policy applies to all assets.

  • Applications: Select specific applications to scope the policy (not applicable to Images).

Note

To create a new asset group or application, select the corresponding link in the scope step. The link opens the asset group or application configuration in a new tab.

Refer to Scope for additional details.

Step 4: Triggers and actions

Configure when the policy evaluates findings and what actions to execute on matches

  1. Enable one or more triggers.

    Refer to Reference D: Trigger and actions mapping for additional information.

  2. Configure at least one action per enabled trigger.

  3. Optionally configure Override Issue Severity.

    Refer to Reference D: Trigger and actions mapping for additional information.

  4. Select Next.

Step 5: Summary

Review the complete policy configuration before saving.

The summary displays a structured If / When / Then table.

Column   Maps To      Description
If       Triggers     The SDLC stage and scan type that activates the policy
When     Conditions   The finding types and filters that must match
Then     Actions      The enforcement actions executed on matched findings

Row splitting logic

If a trigger supports only a subset of the selected finding types, the summary splits the row to display only the relevant finding types and their corresponding filters per trigger.

Example: If both Malware and IaC Misconfigurations are selected with both PR Scan and CI Scan triggers, the PR Scan row displays only IaC Misconfigurations (code-only), and the CI Scan row displays both IaC Misconfigurations and Malware.
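The row-splitting rule above, modelled as an added example (this is not Cortex Cloud code). The trigger-to-finding-type support map is constructed from the page's example and is an assumption; the authoritative mapping is in Reference D. The filter and action strings are constructed sample values.

```python
# Added illustration of the Summary step's row-splitting logic; not Cortex Cloud code.
# ASSUMPTION: this trigger -> supported finding types map is constructed from the
# page's example (PR Scan is code-only, CI Scan also covers Malware). The real
# mapping is documented in Reference D: Trigger and actions mapping.
TRIGGER_SUPPORT = {
    "PR Scan": {"IaC Misconfigurations", "Vulnerabilities"},                   # code-only (assumed)
    "CI Scan": {"IaC Misconfigurations", "Vulnerabilities", "Malware"},        # assumed
    "Periodic Scan": {"IaC Misconfigurations", "Vulnerabilities", "Malware"},  # assumed
}


def build_summary_rows(finding_types, filters, trigger_actions, support=TRIGGER_SUPPORT):
    """Return the If / When / Then rows the Summary step would display.

    finding_types   : ordered list of finding types selected in Step 2
    filters         : dict finding type -> list of condition filters (Step 2)
    trigger_actions : dict enabled trigger -> list of actions (Step 4)

    Each enabled trigger gets its own row holding only the finding types it
    supports and the filters attached to those finding types. A trigger that
    supports none of the selected finding types yields no row (assumption: the
    page does not describe that case). Every enabled trigger must carry at
    least one action, as Step 4 requires.
    """
    rows = []
    for trigger, actions in trigger_actions.items():
        if not actions:
            raise ValueError(f"trigger {trigger!r} has no action configured")
        supported = support.get(trigger, set())
        kept = [ft for ft in finding_types if ft in supported]
        if not kept:
            continue
        rows.append({
            "if": trigger,
            "when": {ft: list(filters.get(ft, [])) for ft in kept},
            "then": list(actions),
        })
    return rows


if __name__ == "__main__":
    # The page's own example: Malware + IaC Misconfigurations with PR Scan and CI Scan.
    for row in build_summary_rows(
        ["Malware", "IaC Misconfigurations"],
        {"IaC Misconfigurations": ["severity >= High"], "Malware": ["verdict = malicious"]},  # constructed filters
        {"PR Scan": ["Block PR", "PR comment"], "CI Scan": ["Block CI"]},                     # constructed actions
    ):
        print(row)
```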

The summary also displays:

  • General details: Policy name, description, and type

  • Editor details: Created by, created at, updated by, updated at

Select Save to create the policy. The policy is created and begins evaluating findings during the next scan cycle.

What happens next

  • Proactive (PR scan): When a developer opens a PR that introduces a finding matching the policy conditions, the policy blocks the PR from merging (if Block PR is configured). The developer receives a PR comment with the finding details and remediation guidance. The vulnerability never reaches the protected branch.

  • Proactive (CI scan): When a CI pipeline builds an artifact containing a finding matching the policy conditions, the policy blocks the CI pipeline (if Block CI is configured). The vulnerable artifact is not deployed.

  • Reactive (Periodic scan): During the next periodic scan, the policy engine evaluates all existing findings against the policy conditions. Matched findings generate issues in the AppSec Issues table. The Urgency engine classifies each issue based on Code-to-Cloud deployment context, exploit intelligence, and business criticality. Issues affecting deployed, internet-exposed, business-critical assets receive Top Urgent or Urgent classification. Prioritize remediation by Urgency level.

AI recommendation-based policy creation

The Recommendations panel suggests policies based on scan findings and coverage gaps. Each recommendation identifies a finding pattern that is not covered by an existing policy.

  1. Select the AI Recommendations tab in the policies table view.

  2. Review the recommended policy configurations.

  3. Select Accept on a recommendation.

    Expected outcome: The policy wizard opens with the recommended configuration pre-populated.

  4. Review and modify the pre-populated configuration as needed.

  5. Select Save.

    Expected outcome: The policy is created with the recommended configuration.