• Browse topics
Login
Login

SNYK LEARN LOGIN

OTHER REGIONS

For Snyk Enterprise customers with regional contracts. More info

Policy Configuration

Define your rules of engagement, automate issue prioritization, and enforce global compliance.

~15mins estimated

Introduction

This lesson is designed to help you to set the 'rules of engagement' for security and legal compliance. You will learn how to create automated Security and License Policies that define which vulnerabilities are acceptable and which should trigger build failures or alerts.

Security policies are the engine of automated governance at Snyk. Instead of manually triaging thousands of vulnerabilities, policies allow Group Administrators to define global "If/Then" logic that automatically prioritizes or de-prioritizes issues across your entire organization. Whether you need to elevate the severity of a "Mature" exploit or silence the noise in internal development environments, policies ensure your teams are always focused on the risks that matter most.

INFO

Snyk Policy Manager

Snyk Policy Manager is available on Snyk Enterprise plans.

Accessing Policy Manager

To manage your global guardrails, navigate to the Group Overview level of the Snyk UI:

  1. Select the Organization dropdown in the sidebar
  2. Select your Group Overview
  3. Navigate to the Policies tab From here, you can modify the Snyk Default Security Policy to apply universal rules to every project in your fleet, or select Add New Policy to build a targeted automation.

The Anatomy of a Policy: If/Then Logic

Every policy rule is built on a simple, powerful conditional statement that acts as a filter for your vulnerability data.

  • The "If" (Conditions): This defines which issues the policy targets. You can filter by exploit maturity, specific CWEs, CVEs, or unique Snyk IDs
  • The "Then" (Actions): This defines the automated response. Snyk can automatically escalate the severity (e.g., turning a Medium into a Critical) or ignore the issue entirely based on your internal security standards

Scan your code & stay secure with Snyk - for FREE!

Did you know you can use Snyk for free to verify that your code
doesn't include this or other vulnerabilities?

Scan your code

Application & Precedence

Policies are applied in two ways: by Organization (broad coverage) or by Project Attributes (precision based on environment or business criticality).

When a vulnerability meets the criteria of multiple policies, Snyk follows a strict Top-Down Precedence:

  1. Attribute-based policies always take precedence over Organization-based policies
  2. If two attribute policies conflict, the one highest on the list in the Policy Manager takes precedence

Now that you understand the logic behind security governance, use the following interactive demos to practice building rules and managing precedence.

  1. Demo #1: Designing Rule Logic (If/Then): Learn to automate the prioritization of mature exploits
  2. Demo #2: Strategic Governance & Precedence: Learn to apply rules across complex team structures and manage policy conflicts

Congratulations

Congrats! You have successfully established your organization's "rules of engagement" by automating Security and License Policies. You now know how to apply If/Then logic and top-down precedence to ensure your developers automatically focus only on the risks that matter most. Now that your governance rules are set, the final step in your initial rollout path is learning how to standardize team access and manage user onboarding.