Policy Configuration
Define your rules of engagement, automate issue prioritization, and enforce global compliance.
~15mins estimatedThis lesson is designed to help you to set the 'rules of engagement' for security and legal compliance. You will learn how to create automated Security and License Policies that define which vulnerabilities are acceptable and which should trigger build failures or alerts.
Security policies are the engine of automated governance at Snyk. Instead of manually triaging thousands of vulnerabilities, policies allow Group Administrators to define global "If/Then" logic that automatically prioritizes or de-prioritizes issues across your entire organization. Whether you need to elevate the severity of a "Mature" exploit or silence the noise in internal development environments, policies ensure your teams are always focused on the risks that matter most.
To manage your global guardrails, navigate to the Group Overview level of the Snyk UI:
- Select the Organization dropdown in the sidebar
- Select your Group Overview
- Navigate to the Policies tab From here, you can modify the Snyk Default Security Policy to apply universal rules to every project in your fleet, or select Add New Policy to build a targeted automation.
Every policy rule is built on a simple, powerful conditional statement that acts as a filter for your vulnerability data.
- The "If" (Conditions): This defines which issues the policy targets. You can filter by exploit maturity, specific CWEs, CVEs, or unique Snyk IDs
- The "Then" (Actions): This defines the automated response. Snyk can automatically escalate the severity (e.g., turning a Medium into a Critical) or ignore the issue entirely based on your internal security standards
Policies are applied in two ways: by Organization (broad coverage) or by Project Attributes (precision based on environment or business criticality).
When a vulnerability meets the criteria of multiple policies, Snyk follows a strict Top-Down Precedence:
- Attribute-based policies always take precedence over Organization-based policies
- If two attribute policies conflict, the one highest on the list in the Policy Manager takes precedence
Now that you understand the logic behind security governance, use the following interactive demos to practice building rules and managing precedence.
- Demo #1: Designing Rule Logic (If/Then): Learn to automate the prioritization of mature exploits
- Demo #2: Strategic Governance & Precedence: Learn to apply rules across complex team structures and manage policy conflicts