Security Policies

Create and configure security policies that control which vulnerabilities FOSSA flags as issues across your projects.

5 min readUpdated Jul 9, 2026

Enterprise feature

Available on: Business, Enterprise.

Rule configuration (Severity Filter, CWE rules, CVE rules) requires a paid plan; policy creation and title management are available on all plans.

Overview

A security policy defines which vulnerabilities FOSSA raises as issues. You set a severity threshold, suppress false positives with allow rules, and force-flag specific weaknesses with deny rules. Once configured, a policy can be set as the organization default or applied to individual projects.

How security policies work

When FOSSA scans a project, the issue scanner evaluates each detected vulnerability against the active security policy. The policy holds five independent rule types:

Rule typeWhat it does
Severity FilterSets a minimum CVSS severity level (Low / Medium / High / Critical) or a minimum CVSS score (0–10). Vulnerabilities below the threshold are not flagged. Vulnerabilities with unknown severity are always included regardless of this setting.
CWE Allow RulesSuppresses vulnerabilities that are associated with any listed CWE. If a vulnerability matches any one of the listed CWEs, it is never flagged.
CWE Deny RulesForce-flags vulnerabilities that are associated with any listed CWE, even if they fall below the severity threshold.
CVE Allow RulesSuppresses specific CVEs by identifier. Listed CVEs are never flagged.
CVE Filter RulesControls whether vulnerabilities with a Disputed CVE status appear in issues and reports. Disputed CVEs are hidden by default; enabling Show Disputed CVEs makes them visible.

Note

For CWE Allow and Deny Rules, each entry is evaluated independently. A vulnerability is affected by the rule if it matches any one of the listed CWEs, not all of them.

Note

Avoid suppressing vulnerability categories at the policy level unless you have a specific reason to. FOSSA recommends using the Issue Inbox and its filters to triage unwanted issues so that all vulnerabilities remain captured in your data.

Creating a security policy

  1. 1

    Open the Policies page

    Navigate to Policies in the top navigation, then select the Security tab.

    Security tab of the Policies page
  2. 2

    Create the policy

    Click Create Policy. In the dialog that appears, confirm Type is set to Security, enter a Title and optional Description, then click Submit.

    Create New Policy dialog

The policy is created with no rules configured. Proceed to Configuring policy rules to define thresholds.

Configuring policy rules

  1. 1

    Open the policy

    Navigate to Policies > Security and click the policy you want to edit.

    Security Policy configuration screen
  2. 2

    Configure each rule section

    Update the Severity Filter, CWE Allow Rules, CWE Deny Rules, CVE Allow Rules, and CVE Filter Rules sections to match your requirements. See the rule type reference above for details on each.

  3. 3

    Save

    Click Save at the top of the page to apply all changes.

Setting the organization default

The organization default policy applies to all projects that have not been assigned a specific policy.

  1. 1

    Open Settings

    Click your username in the top-right corner and select Settings.

    User settings dropdown
  2. 2

    Navigate to Issue Policies

    Go to Organization > Projects > Issue Policies.

    Organization Issue Policies settings page
  3. 3

    Assign the default policy

    Under Security, click the Default security policy dropdown, select your policy, then click Save.

    Default security policy dropdown
  4. 4

    Propagate to existing projects (optional)

    To push the new default to projects already in use, click Propagate settings…, select which settings to propagate, then click Propagate settings.

Applying a policy to a project

  1. 1

    Open project settings

    Go to your project list, select the project, then navigate to Settings > Issue Policies.

    Project Issue Policies settings
  2. 2

    Assign the policy

    Under Security, click the Default security policy dropdown, select a policy, then click Save.

  3. 3

    Run a new scan

    Trigger a new scan on the project. The updated policy applies to issues generated by the next completed scan.

Editing a policy title

  1. 1

    Find the policy

    Navigate to Policies > Security and hover over the policy you want to rename. Click the pencil icon that appears.

    Pencil icon on hover
  2. 2

    Save

    Update the Title and Description in the dialog, then click Submit.

    Edit Security Policy dialog

Deleting a policy

  1. 1

    Find the policy

    Navigate to Policies > Security and hover over the policy you want to delete. Click the red X icon that appears.

    Delete icon on hover
  2. 2

    Confirm

    In the confirmation dialog, click Confirm.

    Confirm Policy Deletion dialog

Warning

Deleting a policy cannot be undone. Projects assigned to the deleted policy fall back to the organization default.

What's next

© 2026 FOSSA, Inc.support@fossa.com