
Policies & Frameworks

What is a Policy?

In Gomboc, a policy is a single, named control that the platform can both check and remediate. Each policy represents a class of code issues the platform looks for, and it is backed by one or more internal ORL rules that power both the detection and a deterministic fix.

Examples:

  • “Encryption At-Rest with Provider Managed Key”

  • “Deletion Protection”

  • “Immutable Docker Image Tags”

Each policy has:

  • Name and description – what it checks and why it matters.

  • Severity – how much business impact ignoring the recommendation could have.

  • Risk – a combination of the operational effort and the likelihood of failure involved in making the change.

  • Category – security, reliability, operations, cost, etc.

  • Framework/benchmark mappings – how it aligns to CIS, NIST CSF, PCI, SOC 2, internal frameworks, and so on.

  • Scope over code and platforms – which code representations and platforms it applies to, including:

    • Code resource types

      • e.g., storage buckets, databases, load balancers, IAM roles, Kubernetes, etc.

    • Tools / IaC formats

      • e.g., Terraform, CloudFormation, Kubernetes, Helm, and other supported IaC or config formats.

    • Cloud providers / platforms

      • e.g., AWS, GCP, Azure, OCI, Kubernetes, and other supported environments.

When you activate a policy in the Policy Sets UI, you’re choosing:

  • What should be enforced (the conceptual control),

  • Across which tools, code types, and providers (as defined by that policy’s scope).
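The model above (metadata, framework mappings, a scope over resource types / IaC formats / providers, and a detection rule paired with a deterministic fix) can be made concrete with a small example. The code below is an added illustration, not Gomboc's code or its ORL rule format: the policy metadata, severity and risk values, framework control IDs, and the `evaluate` helper are all assumed for illustration, and the CloudFormation template it runs over is constructed. It shows two of the policies named on this page applied to a template, with out-of-scope resources left untouched and a remediated template that is stable under a second pass.

```python
"""Added illustration of the policy model described on this page (not Gomboc code).

A policy bundles metadata, a scope, a detection rule and a deterministic fix.
Here detection and fix run over a CloudFormation template in JSON form; the
policy metadata and framework mappings are assumed values for illustration.
"""
import copy
import json
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Policy:
    name: str
    description: str
    severity: str            # business impact of ignoring the recommendation
    risk: str                # operational effort x likelihood of failure of the change
    category: str
    frameworks: dict         # framework -> control ids (assumed mappings)
    resource_types: frozenset
    iac_formats: frozenset
    providers: frozenset
    detect: Callable[[dict], bool]   # resource properties -> True when the control is violated
    fix: Callable[[dict], dict]      # resource properties -> remediated properties (pure)

    def in_scope(self, resource_type: str, iac_format: str, provider: str) -> bool:
        return (resource_type in self.resource_types
                and iac_format in self.iac_formats
                and provider in self.providers)


def s3_unencrypted(props: dict) -> bool:
    """Violation: no default server-side encryption rule on the bucket."""
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    return not any("ServerSideEncryptionByDefault" in r for r in rules)


def s3_enable_sse(props: dict) -> dict:
    """Deterministic fix: SSE-S3 with the provider-managed key (AES256)."""
    fixed = copy.deepcopy(props)
    fixed["BucketEncryption"] = {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
    return fixed


def rds_deletable(props: dict) -> bool:
    """Violation: DeletionProtection absent or not explicitly true."""
    return props.get("DeletionProtection") is not True


def rds_protect(props: dict) -> dict:
    fixed = copy.deepcopy(props)
    fixed["DeletionProtection"] = True
    return fixed


POLICIES = [
    Policy("Encryption At-Rest with Provider Managed Key",
           "Objects in the bucket must be encrypted at rest with an SSE-S3 key.",
           severity="High", risk="Low", category="security",
           frameworks={"NIST CSF": ["PR.DS-1"], "CIS AWS": ["2.1.1"]},  # assumed mapping
           resource_types=frozenset({"AWS::S3::Bucket"}),
           iac_formats=frozenset({"cloudformation"}), providers=frozenset({"aws"}),
           detect=s3_unencrypted, fix=s3_enable_sse),
    Policy("Deletion Protection",
           "Database clusters and instances must not be deletable by a single API call.",
           severity="High", risk="Low", category="reliability",
           frameworks={"NIST CSF": ["PR.IP-4"]},  # assumed mapping
           resource_types=frozenset({"AWS::RDS::DBCluster", "AWS::RDS::DBInstance"}),
           iac_formats=frozenset({"cloudformation"}), providers=frozenset({"aws"}),
           detect=rds_deletable, fix=rds_protect),
]


def evaluate(template: dict, policies, iac_format="cloudformation", provider="aws"):
    """Apply every in-scope policy to every resource.

    Returns (findings, remediated_template); findings is a list of
    (logical_id, policy_name). The input template is never mutated.
    """
    remediated = copy.deepcopy(template)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        for policy in policies:
            if not policy.in_scope(rtype, iac_format, provider):
                continue
            props = remediated["Resources"][logical_id].setdefault("Properties", {})
            if policy.detect(props):
                findings.append((logical_id, policy.name))
                remediated["Resources"][logical_id]["Properties"] = policy.fix(props)
    return findings, remediated


# Constructed sample template for the example; not taken from any real deployment.
SAMPLE_TEMPLATE = json.loads("""{
 "Resources": {
  "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-logs"}},
  "Db": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-postgresql"}},
  "Fn": {"Type": "AWS::Lambda::Function", "Properties": {"Runtime": "python3.12"}}
 }
}""")

if __name__ == "__main__":
    found, fixed_template = evaluate(SAMPLE_TEMPLATE, POLICIES)
    print(found)
    print(json.dumps(fixed_template, indent=1))
```

Two properties of this shape are worth checking whenever a fix is described as deterministic: running `evaluate` on its own output produces no new findings and an identical template (the fix is idempotent), and a resource outside the policy's scope, or a template in an IaC format the policy does not cover, is left exactly as it was.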
