This reference details how the Unified Policy engine handles multiple overlapping policies and how it calculates Urgency for the resulting issues.
Policy evaluation and multiple matching
When a single finding matches multiple active policies, the engine behavior depends on the specific category of the finding:
| Finding Category | Includes these finding types | Matching behavior and resulting issues |
|---|---|---|
| Code assets | SAST, SCA, IaC Misconfigurations, Secrets (Code), License, Operational Risk | Deduplicated: all actions execute once. One issue is created containing all matching Policy IDs and names. |
| Container Images | Vulnerabilities (Image), Secrets (Image), Malware | Independent: each policy evaluates on its own, so multiple issues may be created (one per matching policy). Review policy scopes to minimize overlap. |
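The practical consequence of the two matching modes is easiest to see on concrete data. The following Python model is an added example, not the engine's code: it applies the table's category split to a handful of constructed findings and policies, and includes a small helper that lists image finding types covered by more than one policy, which is exactly the overlap the table tells you to trim. The policy scope model (a set of finding types per policy) and all IDs are assumptions made for the example.

```python
from dataclasses import dataclass

# Finding-type to category mapping taken from the table above.
CODE_ASSET_TYPES = frozenset({
    "SAST", "SCA", "IaC Misconfiguration", "Secret (Code)",
    "License", "Operational Risk",
})
CONTAINER_IMAGE_TYPES = frozenset({
    "Vulnerability (Image)", "Secret (Image)", "Malware",
})


@dataclass(frozen=True)
class Finding:
    finding_id: str
    finding_type: str


@dataclass(frozen=True)
class Policy:
    policy_id: str
    name: str
    scope: frozenset  # finding types the policy applies to (assumed scope model)


@dataclass(frozen=True)
class Issue:
    finding_id: str
    policy_ids: tuple
    policy_names: tuple


def category_of(finding_type):
    if finding_type in CODE_ASSET_TYPES:
        return "code"
    if finding_type in CONTAINER_IMAGE_TYPES:
        return "image"
    raise ValueError(f"unknown finding type: {finding_type}")


def issues_for_finding(finding, policies):
    """Return the issues the engine would create for one finding."""
    matched = [p for p in policies if finding.finding_type in p.scope]
    if not matched:
        return []
    if category_of(finding.finding_type) == "code":
        # Code assets: deduplicated into one issue carrying every matching policy.
        return [Issue(finding.finding_id,
                      tuple(p.policy_id for p in matched),
                      tuple(p.name for p in matched))]
    # Container images: one issue per matching policy, no deduplication.
    return [Issue(finding.finding_id, (p.policy_id,), (p.name,)) for p in matched]


def overlapping_image_scopes(policies):
    """Review helper: image finding types covered by more than one policy.

    Each such type yields one extra issue per additional policy, so this is
    the list to work through when tightening scopes."""
    coverage = {}
    for p in policies:
        for ft in p.scope & CONTAINER_IMAGE_TYPES:
            coverage.setdefault(ft, []).append(p.policy_id)
    return {ft: ids for ft, ids in coverage.items() if len(ids) > 1}


# Constructed sample data (not from the page).
POLICIES = (
    Policy("POL-1", "Critical vulnerabilities",
           frozenset({"SCA", "Vulnerability (Image)"})),
    Policy("POL-2", "All code and image vulnerabilities",
           frozenset({"SCA", "SAST", "Vulnerability (Image)"})),
    Policy("POL-3", "Malware in images", frozenset({"Malware"})),
)
FINDINGS = (
    Finding("F-1", "SCA"),
    Finding("F-2", "Vulnerability (Image)"),
    Finding("F-3", "Malware"),
    Finding("F-4", "License"),
)


def run_all(findings=FINDINGS, policies=POLICIES):
    return {f.finding_id: issues_for_finding(f, policies) for f in findings}


if __name__ == "__main__":
    for fid, issues in run_all().items():
        print(fid, [i.policy_ids for i in issues])
    print("overlapping image scopes:", overlapping_image_scopes(POLICIES))
```

With this data the SCA finding F-1 matches POL-1 and POL-2 but produces a single issue listing both, while the image vulnerability F-2 matches the same two policies and produces two issues; the helper flags `Vulnerability (Image)` as the scope to narrow.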
Urgency calculation
Issues generated by policies receive an Urgency classification during the next periodic scan cycle. Urgency supersedes static severity by incorporating real-world risk factors:
Deployment signals: Evaluates if the asset is Deployed, Internet Exposed, in a specific Application Environment (Production, Staging, Development), and its Business Criticality
Exploit intelligence: Combines EPSS scores, CISA KEV listings, and Reachability analysis
Calculation: Issues affecting deployed, internet-exposed, business-critical assets with active exploit intelligence receive Top Urgent or Urgent classifications. Issues affecting non-deployed assets or development environments receive Not Urgent.
Urgency Exclusions: The Urgency engine computes scores exclusively for specific code-based detection methods (Vulnerabilities, Secrets, IaC Misconfigurations, and Code Weaknesses). The following finding types do not receive an Urgency score and are prioritized by severity only:
License Issues and Operational Risks: These do not map to exploitable vulnerabilities with deployment-dependent risk profiles
CI/CD Risks and IaC Drift: These use periodic-only evaluation and do not participate in the Urgency engine
Container Image Findings: Malware, Image Vulnerabilities, and Image Secrets
Note
If code-to-cloud traceability is absent (the repository is not linked to a relevant application), the engine cannot compute deployment signals, and Urgency will display as Not Applicable.
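The rules above have a precedence that matters in practice: the finding-type exclusion is checked first, missing traceability comes next, and only then do deployment signals and exploit intelligence decide between Top Urgent, Urgent and Not Urgent. The following Python classifier is an added example that models that ordering; it is illustrative code, not the engine's implementation. The EPSS cut-off, treating a deployed asset with no active exploit intelligence as Not Urgent, and the exact split between Top Urgent and Urgent are assumptions made for the example, since the page names the inputs but not the thresholds.

```python
from dataclasses import dataclass
from typing import Optional

# Finding types the Urgency engine scores, per the exclusions above. Everything
# else is prioritised by severity only and gets no Urgency value.
URGENCY_SCORED_TYPES = frozenset({
    "Vulnerability", "Secret", "IaC Misconfiguration", "Code Weakness",
})

# Assumed threshold: the page names EPSS as an input but gives no cut-off.
EPSS_ACTIVE_THRESHOLD = 0.5


@dataclass(frozen=True)
class DeploymentSignals:
    deployed: bool
    internet_exposed: bool
    environment: str        # "Production", "Staging" or "Development"
    business_critical: bool


@dataclass(frozen=True)
class ExploitIntel:
    epss: float             # EPSS probability, 0.0 to 1.0
    in_cisa_kev: bool
    reachable: bool         # result of reachability analysis


def exploit_intel_active(intel: ExploitIntel) -> bool:
    # Assumed combination rule: any one strong signal counts as "active".
    return intel.in_cisa_kev or intel.reachable or intel.epss >= EPSS_ACTIVE_THRESHOLD


def classify_urgency(finding_type: str,
                     signals: Optional[DeploymentSignals],
                     intel: ExploitIntel) -> Optional[str]:
    """Return "Top Urgent", "Urgent", "Not Urgent" or "Not Applicable", or
    None when the finding type is outside the Urgency engine (severity-only)."""
    if finding_type not in URGENCY_SCORED_TYPES:
        return None
    # No code-to-cloud traceability: deployment signals cannot be computed.
    if signals is None:
        return "Not Applicable"
    # Non-deployed assets and development environments are Not Urgent regardless
    # of exploit intelligence.
    if not signals.deployed or signals.environment == "Development":
        return "Not Urgent"
    if not exploit_intel_active(intel):
        return "Not Urgent"  # assumption: deployed but nothing exploitable yet
    # Assumed split: KEV listing or confirmed reachability on an internet-exposed,
    # business-critical asset is Top Urgent; any other active intelligence on a
    # deployed asset is Urgent.
    if (signals.internet_exposed and signals.business_critical
            and (intel.in_cisa_kev or intel.reachable)):
        return "Top Urgent"
    return "Urgent"


# Constructed sample issues (not from the page).
PROD_EXPOSED = DeploymentSignals(True, True, "Production", True)
STAGING_INTERNAL = DeploymentSignals(True, False, "Staging", False)
DEV = DeploymentSignals(True, False, "Development", True)
NOT_DEPLOYED = DeploymentSignals(False, False, "Production", True)
KEV = ExploitIntel(0.9, True, True)
LOW = ExploitIntel(0.01, False, False)

SAMPLE = {
    "kev-in-prod": ("Vulnerability", PROD_EXPOSED, KEV),
    "epss-only-staging": ("Vulnerability", STAGING_INTERNAL, ExploitIntel(0.7, False, False)),
    "kev-in-dev": ("Vulnerability", DEV, KEV),
    "kev-not-deployed": ("Vulnerability", NOT_DEPLOYED, KEV),
    "low-epss-prod": ("Vulnerability", PROD_EXPOSED, LOW),
    "no-traceability": ("IaC Misconfiguration", None, KEV),
    "license-issue": ("License", PROD_EXPOSED, KEV),
}


def classify_all(sample=SAMPLE):
    return {name: classify_urgency(*args) for name, args in sample.items()}


if __name__ == "__main__":
    for name, urgency in classify_all().items():
        print(f"{name:20} -> {urgency}")
```

Note the two cases that trip people up: a KEV-listed vulnerability in a development environment still comes out Not Urgent, and a License finding on the most exposed production asset gets no Urgency at all, so any SLA built on Urgency needs a separate severity-based path for the excluded finding types.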
Prioritization guidance
Use the calculated Urgency level to drive your SLA enforcement and response strategies.
| Urgency level | Recommended response |
|---|---|
| Top Urgent | Proactive: create or update a prevention policy to block the vulnerability pattern at PR scan immediately. Reactive: upgrade the package or apply a compensating control within 24 hours. Escalate to a Case if cross-team coordination is required. |
| Urgent | Proactive: verify that a prevention policy exists for the finding type and severity; if not, create one. Reactive: assign within the current sprint and upgrade to the fix version within the SLA window. |
| Not Urgent | Proactive: ensure prevention policies cover the finding type for production-bound branches. Reactive: schedule for the next maintenance cycle. Reassess if the deployment status or application criticality changes. |
| Not Applicable | Establish code-to-cloud traceability by linking the repository to the relevant application and verifying CI/CD pipeline integration. Once traceability is established, the classification is computed during the next periodic scan. |