
Supplier-Scoped Policies

Policies can now target suppliers directly, evaluating once per supplier with access to aggregated vulnerability data.

Policies now support a supplier scope alongside the existing component and attestation scopes. A supplier-scoped policy is evaluated once per supplier and receives the supplier metadata together with an aggregated list of vulnerabilities across all of the supplier's components.

This enables rules like:

  • Flag suppliers whose components carry critical vulnerabilities above a severity threshold.
  • Enforce that every supplier has been annotated with a contact or contract reference.
  • Scope checks to specific namespaces for production vs. staging differentiation.

Supplier-scoped policies can be authored in Rego, JavaScript, or the Visual Builder. A built-in Supplier Vulnerability Threshold template is included to get started quickly.
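The three rules listed above written as one supplier-scoped policy in JavaScript. This is an added example, not code from SBOM Observer or its documentation; the input shape (`supplier` with `name`, `namespace`, `annotations`, plus an aggregated `vulnerabilities` array with `id`, `severity`, `component`) and the option names are assumptions, so check them against the input schema in the Supplier Scoped Policies reference. Because the aggregated list spans every component, the same vulnerability id can appear several times; the example counts unique ids so one CVE in five components is reported once.

```javascript
// Assumed ordering of severity labels (not taken from the product).
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Evaluate one supplier. Returns an array of violations; empty means pass.
// `input` is the assumed per-supplier policy input described in the lead-in.
function evaluateSupplier(input, options = {}) {
  const {
    threshold = "critical",      // lowest severity that triggers a violation
    requireAnnotation = "contact", // annotation key every supplier must carry
    namespaces = null,           // if set, only suppliers in these namespaces
  } = options;
  const violations = [];
  const supplier = input.supplier;

  // Namespace scoping (e.g. production vs. staging): skip out-of-scope suppliers.
  if (namespaces && !namespaces.includes(supplier.namespace)) return violations;

  // Rule 1: any vulnerability at or above the threshold across all components.
  // De-duplicate by id, since the aggregated list repeats a vuln per component.
  const min = SEVERITY_RANK[threshold];
  const over = new Set();
  for (const v of input.vulnerabilities || []) {
    const rank = SEVERITY_RANK[String(v.severity).toLowerCase()] || 0;
    if (rank >= min) over.add(v.id);
  }
  if (over.size > 0) {
    violations.push({
      rule: "supplier-vulnerability-threshold",
      supplier: supplier.name,
      message: `${over.size} unique vulnerability id(s) at or above ${threshold}`,
      ids: [...over].sort(),
    });
  }

  // Rule 2: the supplier must be annotated with a contact/contract reference.
  const annotations = supplier.annotations || {};
  if (!annotations[requireAnnotation]) {
    violations.push({
      rule: "supplier-annotation-required",
      supplier: supplier.name,
      message: `missing "${requireAnnotation}" annotation`,
    });
  }
  return violations;
}

// Constructed sample input with placeholder vulnerability ids (not real CVEs).
const SAMPLE_INPUT = {
  supplier: { name: "Example Supplier", namespace: "production", annotations: { contract: "PLACEHOLDER-CONTRACT-REF" } },
  vulnerabilities: [
    { id: "VULN-PLACEHOLDER-0001", severity: "critical", component: "libfoo@1.2.3" },
    { id: "VULN-PLACEHOLDER-0001", severity: "critical", component: "libfoo@1.2.4" },
    { id: "VULN-PLACEHOLDER-0002", severity: "high", component: "libbar@0.9.0" },
  ],
};
```

Run `evaluateSupplier(SAMPLE_INPUT)` to see both the threshold and the annotation violation; pass `{ threshold: "high", requireAnnotation: "contract" }` to see how the options change the result.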

Violations produced by supplier-scoped policies appear on the supplier detail page and in the violations table, with links back to the supplier.

For the full input schema and example code, see the Supplier Scoped Policies reference.
