The following table documents the implicit constraints that the Policy Type imposes on the scope step. The wizard automatically loads the correct scope table based on your initial selection, so that users cannot scope a policy to incompatible asset types.
| Policy type | Scope table | Scopes to |
|---|---|---|
| Code scanners | APPLICATION_POLICIES_SCOPE | Code repositories and container images (image registries). Use this for vulnerabilities, secrets, SAST, and license compliance across the artifact lifecycle. |
| CI/CD Configuration scanners | APPLICATION_POLICIES_CICD_ONLY_SCOPE | CI/CD pipeline configurations and CI instances. Use this to govern the security posture of the build infrastructure itself. |
| Drift Detection scanner | APPLICATION_POLICIES_SCOPE_WITH_CLOUD_ASSETS | Cloud assets and their associated IaC definitions. Use this to identify discrepancies between your Terraform/CloudFormation code and live production environments. |
RBAC vs. SBAC Logic
RBAC (Role-Based Access Control): Controls actions (such as who is allowed to create, edit, or delete a policy)
SBAC (Scope-Based Access Control): Controls data (which assets the policy evaluates and which issues the user is permitted to see)
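As an added example that is not part of this documentation or the product's own code, the Python model below combines the two rules described above: a scope-compatibility check that uses the three scope table identifiers from the table (the asset-kind labels under each table, the roles, and the sample assets are this example's own assumptions), and the RBAC/SBAC split, where the caller's role gates the action and the caller's scope gates which assets a policy may cover and which findings the caller is shown. Checks fail closed: an out-of-scope asset or an incompatible asset kind rejects the whole request rather than being silently dropped.

```python
"""Added example (not the product's code): scope-compatibility validation
plus a separation of RBAC (may the caller perform this action?) from
SBAC (which assets and findings may the caller touch or see?)."""

from dataclasses import dataclass, field

# Scope table per policy type. The table identifiers are the ones listed in
# the documentation table; the policy-type keys are this example's labels.
SCOPE_TABLES = {
    "code_scanner": "APPLICATION_POLICIES_SCOPE",
    "cicd_config_scanner": "APPLICATION_POLICIES_CICD_ONLY_SCOPE",
    "drift_detection_scanner": "APPLICATION_POLICIES_SCOPE_WITH_CLOUD_ASSETS",
}

# Asset kinds each scope table admits (kind names are constructed labels
# mirroring the "Scopes to" column).
ALLOWED_ASSET_KINDS = {
    "APPLICATION_POLICIES_SCOPE": {"code_repository", "container_image"},
    "APPLICATION_POLICIES_CICD_ONLY_SCOPE": {"cicd_pipeline_config", "ci_instance"},
    "APPLICATION_POLICIES_SCOPE_WITH_CLOUD_ASSETS": {"cloud_asset", "iac_definition"},
}

# RBAC: actions each role may perform on policies (constructed roles).
ROLE_ACTIONS = {
    "policy_admin": {"create", "edit", "delete", "view"},
    "policy_editor": {"create", "edit", "view"},
    "viewer": {"view"},
}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str
    group: str  # the SBAC unit, e.g. an account or business unit (constructed)


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    scope_groups: frozenset  # groups whose data this principal may see


@dataclass
class Policy:
    policy_type: str
    asset_ids: set = field(default_factory=set)


class AuthorizationError(Exception):
    """Raised when RBAC denies the action or SBAC denies the data."""


def scope_table_for(policy_type: str) -> str:
    """Return the scope table the wizard would load for this policy type."""
    if policy_type not in SCOPE_TABLES:
        raise ValueError(f"unknown policy type: {policy_type}")
    return SCOPE_TABLES[policy_type]


def validate_scope(policy_type: str, assets) -> str:
    """Reject any asset whose kind the policy type's scope table does not admit.
    Returns the scope table name on success."""
    table = scope_table_for(policy_type)
    allowed = ALLOWED_ASSET_KINDS[table]
    bad = sorted({a.kind for a in assets if a.kind not in allowed})
    if bad:
        raise ValueError(f"{policy_type} cannot be scoped to {bad}; "
                         f"{table} allows {sorted(allowed)}")
    return table


def rbac_allows(principal: Principal, action: str) -> bool:
    """RBAC: the role alone decides whether the action is permitted."""
    return action in ROLE_ACTIONS.get(principal.role, set())


def in_scope(principal: Principal, asset: Asset) -> bool:
    """SBAC: the principal's scope decides whether the asset's data is visible."""
    return asset.group in principal.scope_groups


def create_policy(principal: Principal, policy_type: str, assets) -> Policy:
    """Order of checks: RBAC on the action, SBAC on every asset, then the
    policy-type/scope-table compatibility rule. Any failure rejects the request."""
    if not rbac_allows(principal, "create"):
        raise AuthorizationError(f"role {principal.role!r} may not create policies")
    out_of_scope = [a.asset_id for a in assets if not in_scope(principal, a)]
    if out_of_scope:
        raise AuthorizationError(f"assets outside caller scope: {out_of_scope}")
    validate_scope(policy_type, assets)
    return Policy(policy_type, {a.asset_id for a in assets})


def visible_findings(principal: Principal, findings, assets_by_id):
    """SBAC applied to results: a finding is shown only if its asset is in scope."""
    return [f for f in findings if in_scope(principal, assets_by_id[f["asset_id"]])]
```

A viewer can list findings for assets in their scope but cannot create a policy at all, while an admin whose scope excludes a group cannot attach that group's assets even though the role permits the action; the two checks are independent, which is the point of keeping RBAC and SBAC separate.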