Summary
Add a Security Policy Engine that allows users to define custom security rules and compliance thresholds which PatchPilot evaluates automatically after each scan.
Motivation
Currently PatchPilot reports findings, severities, and remediation suggestions, but organizations often have internal security policies that determine whether a build, release, or repository should be considered compliant.
For example, one organization may allow up to five High severity findings, while another may block deployment if even a single Critical finding exists. Users currently have to manually review scan results and determine compliance, which is time-consuming and error-prone.
A built-in Security Policy Engine would allow teams to codify these requirements and automatically evaluate scan results against them, making PatchPilot more suitable for real-world security workflows and compliance programs.
Proposed solution
Introduce support for user-defined security policies that can be uploaded or configured through PatchPilot.
Example policy:
block_if:
critical > 0
warn_if:
high > 5
allow_if:
medium < 20
Backend
- Add policy parsing and validation service.
- Evaluate findings against configured rules after each scan.
- Generate policy evaluation results.
- Include policy status in Evidence Packs.
Frontend
- Add a Policy Management section.
- Allow users to upload, edit, and validate policy files.
- Display policy evaluation status after scans.
Output
Example:
{
"policy_status": "FAILED",
"reason": "Critical findings exceed allowed threshold",
"violations": [
{
"rule": "critical > 0",
"actual": 2
}
]
}Evidence Pack Integration
Add:
policy-evaluation.json
policy-summary.txt
to exported compliance evidence bundles.
ML tier (if applicable)
Alternatives considered
-
Hard-code severity thresholds globally.
- Rejected because different organizations have different security requirements.
-
Perform compliance checks outside PatchPilot.
- Rejected because users would still need to manually interpret scan results and maintain separate tooling.
-
Support only pass/fail severity checks.
- Rejected because future policy rules may require more flexibility and customization.
Acceptance criteria
Additional context
This feature would move PatchPilot closer to enterprise security platforms by enabling policy-driven security governance and compliance enforcement. It also lays the foundation for future integrations with CI/CD quality gates and organization-wide compliance controls.
Summary
Add a Security Policy Engine that allows users to define custom security rules and compliance thresholds which PatchPilot evaluates automatically after each scan.
Motivation
Currently PatchPilot reports findings, severities, and remediation suggestions, but organizations often have internal security policies that determine whether a build, release, or repository should be considered compliant.
For example, one organization may allow up to five High severity findings, while another may block deployment if even a single Critical finding exists. Users currently have to manually review scan results and determine compliance, which is time-consuming and error-prone.
A built-in Security Policy Engine would allow teams to codify these requirements and automatically evaluate scan results against them, making PatchPilot more suitable for real-world security workflows and compliance programs.
Proposed solution
Introduce support for user-defined security policies that can be uploaded or configured through PatchPilot.
Example policy:
Backend
Frontend
Output
Example:
{ "policy_status": "FAILED", "reason": "Critical findings exceed allowed threshold", "violations": [ { "rule": "critical > 0", "actual": 2 } ] }Evidence Pack Integration
Add:
to exported compliance evidence bundles.
ML tier (if applicable)
Alternatives considered
Hard-code severity thresholds globally.
Perform compliance checks outside PatchPilot.
Support only pass/fail severity checks.
Acceptance criteria
Additional context
This feature would move PatchPilot closer to enterprise security platforms by enabling policy-driven security governance and compliance enforcement. It also lays the foundation for future integrations with CI/CD quality gates and organization-wide compliance controls.