PodArmor docs

Security Policy

Rules that define "compliant" for your fleet, graded live in the portal.

Open Portal → Policy. Your tenant has one policy; edit its rules and every licensed image is re-graded immediately.

Rules

Rule | What it checks
Critical CVE ceiling | Fail an image with more than N critical CVEs
High CVE ceiling | Fail an image with more than N high CVEs
No known-exploited (KEV) | Fail if any CVE is in CISA's Known Exploited Vulnerabilities catalog
EPSS cap | Fail if any CVE's EPSS exploit-likelihood is at or above your threshold
Required hardening | Require labels like non-root, no-suid, distroless, cis-compliant
No banned licenses | Fail if an application dependency carries a strong-copyleft or source-available license

Fixable vs. all

Each CVE-count rule has a counting mode:

  • fixable only (default) — count only CVEs with an available upstream fix. This is the honest default: an unfixable OS CVE isn't actionable, and counting it would make every image fail.
  • all — count residuals too, for a strict posture.

License scope

The banned-license rule is ecosystem-aware: it only alarms on copyleft/source-available licenses in your application dependencies (npm, pypi, Go modules…). GPL in the OS baseline (bash, busybox, coreutils) is expected and never flagged.

Results

The Results tab grades every image PASS / FAIL, expandable to per-rule detail with the exact offending CVEs or missing labels. From any failing finding you can click Exempt to accept it.

Exemptions

An exemption excludes a specific CVE from evaluation — the audit-friendly way to accept a documented residual. Each carries:

  • Scope — a single image, or all images
  • Reason — required, recorded for the audit trail
  • Approver — captured automatically (your identity)
  • Expiry — optional; the exemption lapses on its own

Exemptions apply everywhere the policy runs, including the admission controller.

Only tenant admins can edit the policy or manage exemptions. Everyone else sees the grades read-only.
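To make the grading described above concrete (the six rules, the fixable-only vs. all counting mode, the ecosystem-aware license scope, and exemptions with scope and expiry), here is an added, self-contained illustration; it is not PodArmor's own code, and the image/CVE field names, the set of OS ecosystems and the banned-license list are assumptions chosen for the example.

```python
from datetime import date

# Assumed: OS package ecosystems whose licences the banned-licence rule ignores.
OS_ECOSYSTEMS = {"deb", "apk", "rpm"}
BANNED_LICENSES = {"GPL-3.0", "AGPL-3.0", "SSPL-1.0", "BUSL-1.1"}  # strong-copyleft / source-available

def is_exempt(cve_id, image, exemptions, today):
    """Scope must be 'all' or this image, and the exemption must not have lapsed."""
    return any(ex["cve"] == cve_id and ex["scope"] in ("all", image["name"])
               and (ex.get("expires") is None or ex["expires"] >= today) for ex in exemptions)

def evaluate(image, policy, exemptions=(), today=None):
    """Return {rule: offending CVE ids / labels / packages}; an empty dict is PASS."""
    today = today or date.today()
    failures = {}
    live = [v for v in image["cves"] if not is_exempt(v["id"], image, exemptions, today)]
    # Counting mode: 'fixable' ignores CVEs with no upstream fix; 'all' counts residuals too.
    counted = live if policy["count_mode"] == "all" else [v for v in live if v["fixed_in"]]
    for sev, rule in (("critical", "critical_ceiling"), ("high", "high_ceiling")):
        hits = [v["id"] for v in counted if v["severity"] == sev]
        if len(hits) > policy[rule]:
            failures[rule] = hits
    kev = [v["id"] for v in live if v["kev"]]
    if policy["no_kev"] and kev:
        failures["no_kev"] = kev
    risky = [v["id"] for v in live if v["epss"] >= policy["epss_cap"]]
    if risky:
        failures["epss_cap"] = risky
    missing = sorted(set(policy["required_labels"]) - set(image["labels"]))
    if missing:
        failures["required_hardening"] = missing
    banned = [p["name"] for p in image["packages"]
              if p["ecosystem"] not in OS_ECOSYSTEMS and p["license"] in BANNED_LICENSES]
    if banned:
        failures["no_banned_licenses"] = banned
    return failures

POLICY = {"critical_ceiling": 0, "high_ceiling": 2, "count_mode": "fixable", "no_kev": True,
          "epss_cap": 0.5, "required_labels": ["non-root", "no-suid"]}
# Constructed sample image (placeholder CVE ids): fixable critical, unfixable critical, KEV high.
IMAGE = {"name": "registry.example/api:1.4", "labels": ["non-root"], "cves": [
    {"id": "CVE-0000-0001", "severity": "critical", "fixed_in": "1.2.4", "kev": False, "epss": 0.12},
    {"id": "CVE-0000-0002", "severity": "critical", "fixed_in": None, "kev": False, "epss": 0.03},
    {"id": "CVE-0000-0003", "severity": "high", "fixed_in": "2.0", "kev": True, "epss": 0.91}],
    "packages": [{"name": "bash", "ecosystem": "deb", "license": "GPL-3.0"},      # OS baseline
                 {"name": "some-lib", "ecosystem": "npm", "license": "AGPL-3.0"}]}  # app dependency
EXEMPTIONS = [{"cve": "CVE-0000-0001", "scope": "all", "reason": "mitigated by seccomp profile",
               "approver": "alice", "expires": date(2099, 1, 1)}]
```

With the exemption in place the image still fails on the KEV, EPSS, hardening and license rules; remove the exemption (or let it expire) and the critical ceiling fails as well, and switching to the "all" counting mode adds the unfixable CVE to that count.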
