Policies
Define rules once and enforce them automatically across licenses, vulnerabilities, and quality.
1 min readUpdated Jul 15, 2026
Overview
The policy engine is how FOSSA turns your organization's standards into automatic, repeatable enforcement. Define a rule once and it applies across every project and scan.
What this covers
- Licensing policies: approve, flag, or deny licenses and license families, with full control over the rules that decide an outcome.
- Security policies: set thresholds for vulnerability severity and require remediation.
- SBOM policies: require specific fields and formats in the SBOMs you import.
- Time-based ignore rules: grant temporary exceptions that expire on their own.
Start here
- Create a licensing policy: the most common first policy, end to end.
- How licensing policy rules work: the model behind every policy decision.
Policies act on the data described in Licenses, Vulnerabilities, and Quality. To enforce them in your pipeline, see Integrations.