Policies
Last updated
Last updated
More information
Snyk privacy policy© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.
Feature availability
Policies are available for Enterprise plans and apply only to Snyk Open Source scans.
For more information, see Plans and pricing.
Note that the.snyk
file is a policy file that Snyk uses to define specific analysis behaviors for Open Source, Snyk Code, and Snyk IaC. and to specify patches for the CLI and CI/CD plugins. See The .snyk file for details.
Snyk policies contain rules to define how Snyk behaves when encountering specific types of Open Source issues. With policies, you can identify types of issues based on conditions, such as no exploit available
, and then apply actions to these issues, such as changing the severity. Thus by using customizable Snyk policies, you can define actions for specific types of issues encountered in scanning.
Using the Snyk Policy Manager, you can view, create, and edit policies. For details, see View, create, and modify policies.
Policies give you a quick and automated way to identify and triage issues that are irrelevant to or unimportant in your application development. This reduces the noise level, saving valuable development time and allowing developers to take more responsibility for and ownership of security.
Policies help prioritize issues to address and can ensure vulnerable or non-compliant components do not escape notice. Policies are part of the governance framework of your company.
For more information, see Use policies in the SDLC.
Snyk has security and license policies.
Security policies define Snyk behavior in treating vulnerabilities, for example, according to severity levels or ignored issues.
License policies define Snyk behavior in treating license issues, such as allowing or disallowing packages with certain license types and avoiding the use of packages containing incompatible licenses.
Different applications may need to be scanned according to different policies. Mission-critical applications are likely to need more control than internal applications in a sandbox environment. You can establish the needed control by assigning policies to:
Projects, after applying attributes to Projects and policies to attributes
Organizations in a Snyk Group