Security Policy
Rules that define "compliant" for your fleet, graded live in the portal.
Open Portal → Policy. Your tenant has one policy; edit its rules and every licensed image is re-graded immediately.
Rules
| Rule | What it checks |
|---|---|
| Critical CVE ceiling | Fail an image with more than N critical CVEs |
| High CVE ceiling | Fail an image with more than N high CVEs |
| No known-exploited (KEV) | Fail if any CVE is in CISA's Known Exploited Vulnerabilities catalog |
| EPSS cap | Fail if any CVE's EPSS exploit-likelihood is at or above your threshold |
| Required hardening | Require labels like non-root, no-suid, distroless, cis-compliant |
| No banned licenses | Fail if an application dependency carries a strong-copyleft or source-available license |
Fixable vs. all
Each CVE-count rule has a counting mode:
- fixable only (default) — count only CVEs with an available upstream fix. This is the honest default: an unfixable OS CVE isn't actionable, and counting it would make every image fail.
- all — count residuals too, for a strict posture.
License scope
The banned-license rule is ecosystem-aware: it only alarms on copyleft/source-available licenses in your application dependencies (npm, pypi, Go modules…). GPL in the OS baseline (bash, busybox, coreutils) is expected and never flagged.
Results
The Results tab grades every image PASS / FAIL, expandable to per-rule detail with the exact offending CVEs or missing labels. From any failing finding you can click Exempt to accept it.
Exemptions
An exemption excludes a specific CVE from evaluation — the audit-friendly way to accept a documented residual. Each carries:
- Scope — a single image, or all images
- Reason — required, recorded for the audit trail
- Approver — captured automatically (your identity)
- Expiry — optional; the exemption lapses on its own
Exemptions apply everywhere the policy runs, including the admission controller.
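The rules, counting modes, license scope and exemptions described on this page, worked through as an added example in Python. This is not the portal's own grader; the data classes, policy keys, the set of application ecosystems, the banned-license prefix list, the placeholder CVE ids and the sample image are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example: a minimal grader modelled on the rules on this page.
# Shapes, rule keys and lists below are assumptions, not the portal's schema.

@dataclass
class CVE:
    id: str
    severity: str      # "critical", "high", "medium", "low"
    fixable: bool      # an upstream fix exists
    in_kev: bool = False
    epss: float = 0.0  # EPSS exploit likelihood, 0.0-1.0

@dataclass
class Dependency:
    name: str
    ecosystem: str     # "os" for the base image; "npm", "pypi", "go", ... for app deps
    license: str       # SPDX identifier

@dataclass
class Image:
    name: str
    cves: list
    deps: list
    labels: set

@dataclass
class Exemption:
    cve_id: str
    scope: str                      # one image name, or "*" for all images
    reason: str                     # required, kept for the audit trail
    approver: str                   # identity of whoever accepted the finding
    expires: Optional[date] = None  # lapses on its own after this date

    def applies(self, image_name: str, today: date) -> bool:
        if self.expires is not None and today > self.expires:
            return False
        return self.scope in ("*", image_name)

APP_ECOSYSTEMS = {"npm", "pypi", "go", "maven", "cargo"}     # assumed set
BANNED_LICENSE_PREFIXES = ("GPL", "AGPL", "SSPL", "BUSL")    # assumed list

def evaluate(image: Image, policy: dict, exemptions: list, today: date) -> dict:
    """Return {rule: offending items, ..., 'result': 'PASS' | 'FAIL'}."""
    if not all(e.reason for e in exemptions):
        raise ValueError("every exemption needs a reason")
    exempt = {e.cve_id for e in exemptions if e.applies(image.name, today)}
    cves = [c for c in image.cves if c.id not in exempt]

    # Counting mode only affects the two ceiling rules.
    def counted(c: CVE) -> bool:
        return policy["count_mode"] == "all" or c.fixable

    findings = {}
    crit = [c.id for c in cves if c.severity == "critical" and counted(c)]
    findings["critical_ceiling"] = crit if len(crit) > policy["max_critical"] else []
    high = [c.id for c in cves if c.severity == "high" and counted(c)]
    findings["high_ceiling"] = high if len(high) > policy["max_high"] else []
    # KEV and EPSS look at every non-exempt CVE, fixable or not.
    findings["no_kev"] = [c.id for c in cves if c.in_kev]
    findings["epss_cap"] = [c.id for c in cves if c.epss >= policy["epss_cap"]]
    findings["required_hardening"] = sorted(set(policy["required_labels"]) - image.labels)
    # Ecosystem-aware: GPL in the OS baseline is never flagged.
    findings["no_banned_licenses"] = [
        f"{d.name} ({d.license})" for d in image.deps
        if d.ecosystem in APP_ECOSYSTEMS and d.license.startswith(BANNED_LICENSE_PREFIXES)
    ]
    findings["result"] = "FAIL" if any(findings.values()) else "PASS"
    return findings

# Constructed sample scan, with placeholder CVE ids; not real output.
SAMPLE_IMAGE = Image(
    name="api",
    cves=[
        CVE("CVE-A", "critical", fixable=True),
        CVE("CVE-B", "critical", fixable=False),            # OS residual, no fix
        CVE("CVE-C", "high", fixable=True, in_kev=True),
        CVE("CVE-D", "high", fixable=True, epss=0.91),
        CVE("CVE-E", "high", fixable=False),
    ],
    deps=[
        Dependency("bash", "os", "GPL-3.0-only"),           # base image, expected
        Dependency("left-pad", "npm", "MIT"),
        Dependency("somelib", "pypi", "AGPL-3.0-only"),     # app dependency, flagged
    ],
    labels={"non-root", "distroless"},
)
POLICY = {"max_critical": 0, "max_high": 2, "count_mode": "fixable",
          "epss_cap": 0.5, "required_labels": {"non-root", "no-suid"}}
TODAY = date(2025, 6, 1)
EXEMPTIONS = [
    Exemption("CVE-A", "*", "vendor patch scheduled", "alice", date(2025, 12, 31)),
    Exemption("CVE-C", "api", "mitigated at the edge", "bob", date(2025, 1, 1)),  # lapsed
]

if __name__ == "__main__":
    for rule, hits in evaluate(SAMPLE_IMAGE, POLICY, EXEMPTIONS, TODAY).items():
        print(f"{rule}: {hits}")
```

Run as-is, the image fails on KEV, EPSS, the missing `no-suid` label and the AGPL app dependency; the critical ceiling passes only because the fleet-wide exemption for CVE-A is still in date, while the lapsed, image-scoped exemption for CVE-C no longer suppresses the KEV finding. Switching `count_mode` to `"all"` pulls the unfixable CVE-B and CVE-E back into the ceilings, which is the page's point about the strict posture.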