# Policy sets

### What is a Policy Set?

A **Policy Set** is a named bundle of policies that you can assign to one or more workspaces.

Instead of configuring each workspace one policy at a time, you:

* Define Policy Sets that represent your security and operational goals.
* Reuse those sets across many workspaces.
* Combine multiple sets on the same workspace when needed.

***

### Core Concepts

You can:

* Attach the same Policy Set to many workspaces.
* Attach multiple Policy Sets to a single workspace.

For each workspace:

* **Effective policies** = union of policies from all attached Policy Sets.

***

### Why Use Policy Sets?

Policy Sets help you:

* Standardize policy across the organization
  * Define the “Org Default Baseline” and apply it to all workspaces.
* Tailor policy by environment
  * Use stricter policies for production, and other sets for development.
* Align with frameworks and business goals
  * Create sets like:
    * “CIS for AWS”
    * “Cost Optimization”
    * “High & Critical Security Only”

***

### Policy Set in Gomboc Portal

#### Open the Policy Sets Page

1. Go to the **Policy Sets** page in the Gomboc portal.
2. Select the **"Default Policy Set"** (the default policy set is the prebuilt set for first-time setup).
3. See which policies are enabled in the **"Active policies"** table.
4. Browse the Gomboc policy library at the bottom of the page and add the policies you want to the Active policies table to enable them in the Default Policy Set.

#### Create a New Policy Set

1. Click **Create Policy Set**.
2. Provide:
   * **Name**
   * **Description**\
     Explain when to use this set and what it is optimized for:
     * Target environments (prod, staging, dev).
     * Risk tolerance (e.g., “only high/critical issues” vs “full CIS alignment”).
3. Assign to **Workspaces**

#### Add Policies to the Set

1. Use the **policy catalog** to choose which policies to include. You can:
   * **Search by keyword**\
     e.g., “Encryption”, “public access”, “Authentication”.
   * **Filter by category**\
     Security, compliance, reliability, cost optimization, operations, etc.
   * **Filter by cloud provider / IaC tool / code resource type**\
     e.g., AWS, GCP, Azure, OCI / Terraform, CloudFormation / S3 bucket, Kubernetes cluster

Select the policies you want and add them to the Policy Set.

#### Save the Policy Set

1. Click **Save**. Your new Policy Set is now available to run scans.

***

### How Multiple Policy Sets Interact

When you attach **multiple Policy Sets** to a workspace:

1. Gomboc collects the list of policies from each attached set.
2. It merges them into a single effective policy list:
   * Policies are **de‑duplicated**.
3. At scan time, Gomboc:
   * Resolves that effective policy list to the underlying rules.
   * Executes those rules during the scan.

***

### What Happens at Scan Time?

When a workspace is scanned:

1. Gomboc calculates the effective policies:
   * Looks up all Policy Sets attached to the workspace.
   * Unions their policies.
2. Gomboc’s engine:
   * Turns those policies into a set of underlying rules.
   * Runs them against your code.
3. The scan report shows:
   * Which Policy Sets those policies came from.
   * Suggested fixes (where applicable).
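
The merge described in "How Multiple Policy Sets Interact" and the provenance shown in the scan report can be modeled as below. This is an added illustration, not Gomboc's code or API: the function names, workspace names, and policy IDs are assumptions, and the data is constructed for the example.

```python
from collections import defaultdict

# Constructed sample data. Set names echo the examples on this page;
# the policy IDs and workspace names are made up for illustration.
POLICY_SETS = {
    "Org Default Baseline": ["s3-encryption-at-rest", "s3-block-public-access",
                             "iam-require-mfa"],
    "CIS for AWS": ["s3-block-public-access", "cloudtrail-enabled",
                    "iam-require-mfa"],
    "High & Critical Security Only": ["s3-block-public-access"],
}
ATTACHMENTS = {
    "prod-payments": ["Org Default Baseline", "CIS for AWS"],
    "dev-sandbox": ["Org Default Baseline", "High & Critical Security Only"],
}


def effective_policies(workspace, attachments=ATTACHMENTS, policy_sets=POLICY_SETS):
    """Union the policies of every attached set, de-duplicated.

    Returns {policy_id: [names of the sets that contributed it]} so each
    policy appears once but keeps a record of where it came from.
    """
    sources = defaultdict(list)
    for set_name in attachments.get(workspace, []):
        if set_name not in policy_sets:
            # Fail loudly on a dangling reference instead of scanning with less.
            raise KeyError(f"{workspace!r} references unknown Policy Set {set_name!r}")
        for policy in policy_sets[set_name]:
            if set_name not in sources[policy]:
                sources[policy].append(set_name)
    return dict(sources)


def shared_policies(workspace):
    """Policies contributed by more than one attached set (applied once)."""
    return {p: s for p, s in effective_policies(workspace).items() if len(s) > 1}


if __name__ == "__main__":
    for ws in ATTACHMENTS:
        print(ws)
        for policy, sets in sorted(effective_policies(ws).items()):
            print(f"  {policy:26} <- {', '.join(sets)}")
```

Because the merge is a union, attaching a narrower set next to a broader one (as on `dev-sandbox` here) does not shrink the effective list; it only adds another source for the policies they share.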

***

### FAQ

<details>

<summary>Can I assign multiple Policy Sets to one workspace?</summary>

Yes. Workspaces support multiple Policy Sets. The effective policy list is the union of all policies in those sets.

</details>

<details>

<summary>What happens if the same policy is in more than one Policy Set?</summary>

It is applied once. Policy Sets are merged and de‑duplicated at scan time.

</details>

<details>

<summary>If I change a Policy Set, do I affect past scans?</summary>

No. Past scan results stay as they were. Future scans use the updated Policy Set definition.

</details>
