Policy Management
Gomboc’s Policy Management controls which checks and remediations run on each workspace.
At a high level:
A Policy is a specific control like “Encryption At-Rest with Provider Managed Key”.
A Framework / Benchmark is a higher-level grouping of policies (for example, CIS, NIST, PCI).
A Policy Set is a named bundle of policies that you can apply to one or more workspaces.
ORL (Open Remediation Language) is a domain-specific language developed by Gomboc. It evaluates policies against your code and acts as the execution engine through which those policies are enforced: it detects issues and generates deterministic fixes.
How Policy Management Works
When you run a scan on a workspace:
Choose policies using simple, high‑level criteria (categories, severity, frameworks).
Gomboc looks at the Policy Sets attached to that workspace.
It calculates the effective policies (the union of policies from those sets).
It resolves those policies to the underlying rules.
ORL runs the rules against your code to:
Detect issues
Apply deterministic fixes
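The scan flow above (policy selection by criteria, union of the attached Policy Sets into the effective policies, resolution to the underlying rules) and the later note that edits to a Policy Set affect future scans can both be made concrete with a small model. The code below is an added example written for this page, not Gomboc's own code or API; the policy ids, rule ids, set names and workspace are constructed sample data, and the data model (Policy, PolicySet, Workspace) is a hypothetical simplification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One control, e.g. "Encryption At-Rest with Provider Managed Key" (hypothetical model)."""
    policy_id: str
    title: str
    severity: str          # "HIGH", "MEDIUM" or "LOW"
    categories: frozenset  # high-level categories used for selection
    frameworks: frozenset  # one policy can map to several frameworks (CIS, NIST, PCI)
    rule_ids: frozenset    # the ORL rules that back this policy


@dataclass
class PolicySet:
    """A named bundle of policies that can be attached to workspaces."""
    name: str
    policy_ids: set


@dataclass
class Workspace:
    name: str
    policy_set_names: list  # several Policy Sets may be attached to one workspace


# Constructed sample catalog: ids, titles and rule names are made up for this example.
CATALOG = {
    "P-001": Policy("P-001", "Encryption At-Rest with Provider Managed Key", "HIGH",
                    frozenset({"encryption"}), frozenset({"CIS", "PCI"}),
                    frozenset({"R-s3-sse", "R-ebs-encrypt"})),
    "P-002": Policy("P-002", "Block Public Storage Access", "HIGH",
                    frozenset({"storage", "network"}), frozenset({"CIS"}),
                    frozenset({"R-s3-public-block"})),
    "P-003": Policy("P-003", "Enable Access Logging", "MEDIUM",
                    frozenset({"logging"}), frozenset({"NIST", "PCI"}),
                    frozenset({"R-s3-logging", "R-elb-logging"})),
    "P-004": Policy("P-004", "Tag Resources with Owner", "LOW",
                    frozenset({"governance"}), frozenset(),
                    frozenset({"R-tag-owner"})),
}

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def select_policies(catalog, *, min_severity=None, frameworks=(), categories=()):
    """Step 1: choose policies by the high-level criteria (severity, frameworks, categories)."""
    chosen = set()
    for p in catalog.values():
        if min_severity and SEVERITY_RANK[p.severity] < SEVERITY_RANK[min_severity]:
            continue
        if frameworks and not (p.frameworks & set(frameworks)):
            continue
        if categories and not (p.categories & set(categories)):
            continue
        chosen.add(p.policy_id)
    return chosen


def effective_policies(workspace, policy_sets):
    """Steps 2-3: the union of the policies from every Policy Set attached to the workspace."""
    effective = set()
    for name in workspace.policy_set_names:
        effective |= policy_sets[name].policy_ids
    return effective


def resolve_rules(policy_ids, catalog):
    """Step 4: map the effective policies to the (deduplicated) rules the engine will run."""
    rules = set()
    for pid in policy_ids:
        rules |= catalog[pid].rule_ids
    return rules


def plan_scan(workspace, policy_sets, catalog):
    """Everything the scan needs before the rules are executed against the code."""
    pids = effective_policies(workspace, policy_sets)
    return {"policies": sorted(pids), "rules": sorted(resolve_rules(pids, catalog))}


# Constructed Policy Sets and workspace; "Org Default Baseline" is the name the page uses as an example.
POLICY_SETS = {
    "Org Default Baseline": PolicySet("Org Default Baseline",
                                      select_policies(CATALOG, min_severity="HIGH")),
    "PCI Scope": PolicySet("PCI Scope", select_policies(CATALOG, frameworks=["PCI"])),
}
WORKSPACE = Workspace("payments-infra", ["Org Default Baseline", "PCI Scope"])

if __name__ == "__main__":
    print(plan_scan(WORKSPACE, POLICY_SETS, CATALOG))
```

Because the effective set is recomputed from the attached Policy Sets at scan time, adding a policy to "Org Default Baseline" changes what the next scan of every workspace using that set will run, which is the behaviour the Policy Sets guide describes.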
Explore Policy Management
Use the guides below to dive into each part of Policy Management.
Policy Management Guides
Learn how Gomboc organizes individual policies. Understand the policy catalog, including filtering by severity, cloud provider, resource types, IaC tools, and categories, and how a single policy can map to multiple frameworks (e.g., CIS).
Learn how to bundle policies into named sets (for example, “Org Default Baseline”) and assign multiple Policy Sets per workspace. See how effective policies are computed and how updates to a Policy Set affect future scans.
Understand what ORL (Open Remediation Language) is, how it relates to the Gomboc remediation process, and how ORL rules back the policies you see in the UI across different tools, resource types, and providers.
Custom Rules (coming soon)
For advanced users who need organization-specific controls. Learn how to author and publish your own ORL rules, map them to policies and frameworks, and surface them in the policy catalog so they can be included in Policy Sets.