
Supplier Scoped Policies

Detailed input documentation for Supplier Scoped Policies


This reference describes the JSON payload passed to Rego, Visual Builder, and JavaScript policies. It complements the conceptual overview with field-level details so you can validate policies or mock equivalent data in tests.

For step-by-step authoring guidance, see Write and test policies.

Policy input updates in progress

We're expanding the policy input to support broader supply-chain context and lifecycle metadata.

Policy Inputs

Supplier scoped policies are called per supplier (SBOM) with the supplier and vulnerabilities fields populated.

{
  supplier: { ... },
  vulnerabilities: [ ... ],
  namespace: { tenantId, space }
}

Typescript types

The following type definitions describe the input the policies receive. Note that not all fields are necessarily populated.

// this is the top-level object that is passed to the policy
type PolicyInputType = {
  namespace?: Namespace;
  supplier?: Supplier;
  vulnerabilities?: Vulnerability[]; // populated for supplier scoped policies (see Policy Inputs above)
  raw?: any; // raw JSON contents for the attestation
};

type Namespace = {
  tenantId: OrganizationId;
  space: string;
};

type Supplier = {
  id?: SupplierId;
  name: string;
  type: SupplierType;
  address?: OrganizationalPostalAddress;
  url?: string[];
  contact?: OrganizationalContact[];
  createdAt?: string;
  updatedAt?: string;
  annotation?: SupplierAnnotation;
};

type SupplierAnnotation = {
  id?: SupplierId;
  displayName?: string;
  url?: string;
  contact?: OrganizationalContact;
  address?: OrganizationalPostalAddress;
  lei?: string;
  vat?: string;
  eori?: string;
  euid?: string;
  brn?: string;
  internalId?: string;
  cpeVendor?: string;
  duns?: string;
  uei?: string;
  cage?: string;
  gln?: string;
  iso6523?: string;
  notes: string;
  properties?: Record<string, string>;
  tags?: string[];
  createdAt?: string;
  updatedAt?: string;
};

type OrganizationalContact = {
  name?: string;
  email?: string;
  phone?: string;
};

type OrganizationalPostalAddress = {
  country?: string;
  region?: string;
  locality?: string;
  postOfficeBoxNumber?: string;
  postalCode?: string;
  streetAddress?: string;
};

type Vulnerability = {
  id: VulnerabilityId;
  component: ComponentRef;
  advisoryId: string;
  severity: number;
  vendorId: string;
  epss: number;
  vex?: VulnerabilityAnalysis;
};
type VulnerabilityAnalysis = {
  id: VulnerabilityAnalysisId;
  vulnerability: string; // vendor id CVE-2019-1234 etc
  affects?: ComponentRef[]; 
  state?: ImpactAnalysisState;
  justification?: ImpactAnalysisJustification;
  response?: ImpactAnalysisResponse[];
  details?: string;
  author?: UserId;
  issueOwner?: UserId;
  attestations?: string[]; // sha256
  externalReferences?: string[]; // links etc
  published: string;
  createdAt: string;
  updatedAt: string;
};

type OrganizationId = string;
type SupplierId = string;
type SupplierType = "ORGANIZATION" | "PERSON";

// The following aliases are not defined on this page; they are assumed here to be
// opaque string identifiers, following the same convention as SupplierId above,
// so that the types compile as a unit.
type VulnerabilityId = string;
type VulnerabilityAnalysisId = string;
type UserId = string;
type ComponentRef = string; // assumed: a reference to a component in the supplier's SBOM

type ImpactAnalysisResponse =
  | "can_not_fix"
  | "will_not_fix"
  | "update"
  | "rollback"
  | "workaround_available";

type ImpactAnalysisState =
  | "resolved"
  | "resolved_with_pedigree"
  | "exploitable"
  | "in_triage"
  | "false_positive"
  | "not_affected";

type ImpactAnalysisJustification =
  | "code_not_present"
  | "code_not_reachable"
  | "requires_configuration"
  | "requires_dependency"
  | "requires_environment"
  | "protected_by_compiler"
  | "protected_at_runtime"
  | "protected_at_perimeter"
  | "protected_by_mitigating_control";

Example Policy

/*
 * Evaluates once per supplier. Flags suppliers whose components have critical vulnerabilities (severity >= 9).
 */

const SEVERITY_THRESHOLD = 9;

function Policy({supplier, vulnerabilities}) {
  if (!vulnerabilities || vulnerabilities.length === 0) {
    return null;
  }

  const criticalVulns = vulnerabilities.filter(v => v.severity >= SEVERITY_THRESHOLD);

  if (criticalVulns.length === 0) {
    return null;
  }

  return [{
    severity: Math.max(...criticalVulns.map(v => v.severity)),
    message: `Supplier has ${criticalVulns.length} critical vulnerabilities (severity >= ${SEVERITY_THRESHOLD})`,
  }];
}

Usage tips

  • Store sample input files alongside policy unit tests to avoid regressions.
  • Scope rules to namespace.space to differentiate production, staging, and customer-dedicated spaces.
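The following is an added example, not code from the SBOM Observer docs or product. It puts the type definitions and both usage tips together: a JavaScript policy with the same return contract as the Example Policy above (null, or an array of { severity, message }) that only raises findings in the production space, honours the VEX analysis state of each vulnerability, and flags on either severity or EPSS probability. The sample input is constructed to match PolicyInputType and is written as JSON so it could be kept in a file beside the policy's unit tests; the threshold values, the space name "production", the placeholder identifiers, and the use of a purl string as ComponentRef are all assumptions made for illustration.

```javascript
// Added example, not SBOM Observer code. Assumptions: severity is a CVSS-style
// 0-10 score, epss is a 0-1 probability, the enforced space is named
// "production", and ComponentRef is a purl-style string.

const SEVERITY_THRESHOLD = 7.0;
const EPSS_THRESHOLD = 0.1;
const ENFORCED_SPACES = new Set(["production"]);

// VEX states under which this policy raises nothing. "exploitable" and
// "in_triage" deliberately still count as actionable.
const SUPPRESSED_VEX_STATES = new Set([
  "not_affected",
  "false_positive",
  "resolved",
  "resolved_with_pedigree",
]);

// A vulnerability needs attention unless VEX says otherwise, and only if it
// crosses the severity threshold or the EPSS threshold.
function isActionable(vuln) {
  const state = vuln.vex ? vuln.vex.state : undefined;
  if (state && SUPPRESSED_VEX_STATES.has(state)) {
    return false;
  }
  return vuln.severity >= SEVERITY_THRESHOLD || vuln.epss >= EPSS_THRESHOLD;
}

function describe(supplier, vuln) {
  const vex = vuln.vex ? ` [vex: ${vuln.vex.state}]` : "";
  return `${supplier.name}: ${vuln.vendorId} in ${vuln.component} ` +
    `(severity ${vuln.severity}, EPSS ${vuln.epss})${vex}`;
}

// Same contract as the Example Policy: null means nothing to report,
// otherwise an array of { severity, message } findings, most severe first.
function Policy({ supplier, vulnerabilities, namespace }) {
  if (!namespace || !ENFORCED_SPACES.has(namespace.space)) {
    return null; // staging and other spaces are not enforced by this rule
  }
  if (!vulnerabilities || vulnerabilities.length === 0) {
    return null;
  }
  const findings = vulnerabilities
    .filter(isActionable)
    .sort((a, b) => b.severity - a.severity)
    .map((v) => ({ severity: v.severity, message: describe(supplier, v) }));
  return findings.length > 0 ? findings : null;
}

// Constructed sample input shaped like PolicyInputType. Every identifier,
// package and date below is a placeholder, not a real advisory or component.
// In a real test this string would come from fs.readFileSync on a fixture file.
const SAMPLE_INPUT_JSON = `{
  "namespace": { "tenantId": "org-placeholder", "space": "production" },
  "supplier": {
    "id": "sup-0001", "name": "Example Widgets AB", "type": "ORGANIZATION",
    "annotation": { "notes": "", "tags": ["tier-1"] }
  },
  "vulnerabilities": [
    { "id": "v1", "component": "pkg:npm/example-lib@1.0.0", "advisoryId": "ADV-0001",
      "severity": 9.1, "vendorId": "CVE-0000-0001", "epss": 0.02 },
    { "id": "v2", "component": "pkg:npm/example-lib@1.0.0", "advisoryId": "ADV-0002",
      "severity": 9.8, "vendorId": "CVE-0000-0002", "epss": 0.30,
      "vex": { "id": "vex-1", "vulnerability": "CVE-0000-0002",
               "state": "not_affected", "justification": "code_not_reachable",
               "published": "2000-01-01T00:00:00Z",
               "createdAt": "2000-01-01T00:00:00Z", "updatedAt": "2000-01-01T00:00:00Z" } },
    { "id": "v3", "component": "pkg:maven/org.example/parser@2.3.4", "advisoryId": "ADV-0003",
      "severity": 5.3, "vendorId": "CVE-0000-0003", "epss": 0.42 },
    { "id": "v4", "component": "pkg:maven/org.example/parser@2.3.4", "advisoryId": "ADV-0004",
      "severity": 4.0, "vendorId": "CVE-0000-0004", "epss": 0.01 },
    { "id": "v5", "component": "pkg:golang/example.org/netlib@0.9.0", "advisoryId": "ADV-0005",
      "severity": 8.0, "vendorId": "CVE-0000-0005", "epss": 0.05,
      "vex": { "id": "vex-2", "vulnerability": "CVE-0000-0005",
               "state": "exploitable", "response": ["update"],
               "published": "2000-01-01T00:00:00Z",
               "createdAt": "2000-01-01T00:00:00Z", "updatedAt": "2000-01-01T00:00:00Z" } }
  ]
}`;

const SAMPLE_INPUT = JSON.parse(SAMPLE_INPUT_JSON);

// Evaluate the policy on the fixture as-is and with the same supplier moved to
// a staging space, which is what a unit test for the two usage tips would do.
function runSamples() {
  const production = Policy(SAMPLE_INPUT);
  const staging = Policy({
    ...SAMPLE_INPUT,
    namespace: { ...SAMPLE_INPUT.namespace, space: "staging" },
  });
  return { production, staging };
}
```

Against the fixture, v2 is dropped because its VEX state is not_affected, v4 is below both thresholds, v3 is kept on EPSS alone, and v5 is kept because an "exploitable" VEX state is not a suppression; moving the namespace to "staging" yields null without looking at the vulnerabilities at all. Keeping the suppression set explicit (rather than suppressing any vulnerability that merely has a VEX record) is the point to check in review: an in_triage analysis must not silence a finding.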