# Policy sets

### What is a Policy Set?

A **Policy Set** is a named bundle of policies that you can assign to one or more workspaces.

Instead of configuring each workspace one policy at a time, you:

* Define Policy Sets that represent your security and operational goals.
* Reuse those sets across many workspaces.
* Combine multiple sets on the same workspace when needed.

***

### Core Concepts

You can:

* Attach the same Policy Set to many workspaces.
* Attach multiple Policy Sets to a single workspace.

For each workspace:

* **Effective policies** = union of policies from all attached Policy Sets.

***

### Why Use Policy Sets?

Policy Sets help you:

* Standardize policy across the organization
  * Define the “Org Default Baseline” and apply it to all workspaces.
* Tailor policy by environment
  * Use stricter policies for production, and other sets for development.
* Align with frameworks and business goals
  * Create sets like:
    * “CIS for AWS”
    * “Cost Optimization”
    * “High & Critical Security Only”

***

### Policy Set in Gomboc Portal

#### Open the Policy Sets Page

1. Go to the **Policy Sets** page in the Gomboc portal.
2. Select the **"Default Policy Set"** (the default policy set is the prebuilt set for first-time setup).
3. See which policies are enabled in the **"Active policies"** table.
4. Browse the Gomboc policy library at the bottom of the page and add the policies you want to the Active policies table to enable them in the Default Policy Set.

#### Create a New Policy Set

1. Click **Create Policy Set**.
2. Provide:
   * **Name**
   * **Description**\
     Explain when to use this set and what it is optimized for:
     * Target environments (prod, staging, dev).
     * Risk tolerance (e.g., “only high/critical issues” vs “full CIS alignment”).
3. Assign to **Workspaces**.

#### Add Policies to the Set

1. Use the **policy catalog** to choose which policies to include. You can:

* **Search by keyword**\
  e.g., “Encryption”, “public access”, “Authentication”.
* **Filter by category**\
  Security, compliance, reliability, cost optimization, operations, etc.
* **Filter by cloud provider / IaC tool / code resource type**\
  e.g., AWS, GCP, Azure, OCI / Terraform, CloudFormation / S3 bucket, Kubernetes cluster.

Select the policies you want and add them to the Policy Set.

#### Save the Policy Set

1. Click **Save**. Your new Policy Set is now available to run scans.

***

### How Multiple Policy Sets Interact

When you attach **multiple Policy Sets** to a workspace:

1. Gomboc collects the list of policies from each attached set.
2. It merges them into a single effective policy list:
   * Policies are **de‑duplicated**.
3. At scan time, Gomboc:
   * Resolves that effective policy list to the underlying rules.
   * Executes those rules during the scan.

***

### What Happens at Scan Time?

When a workspace is scanned:

1. Gomboc calculates the effective policies:
   * Looks up all Policy Sets attached to the workspace.
   * Unions their policies.
2. Gomboc’s engine:
   * Turns those policies into a set of underlying rules.
   * Runs them against your code.
3. The scan report shows:
   * Which Policy Sets those policies came from.
   * Suggested fixes (where applicable).
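
The merge described in the two sections above, modeled locally as an added example (this is not Gomboc's code, API, or export format). It goes one step beyond the page by flagging workspaces whose effective list misses part of the org baseline. All set, policy, and workspace names are constructed, and `effective_policies` and `baseline_gaps` are hypothetical helpers.

```python
# Constructed sample data: set, policy and workspace names are illustrative only.
POLICY_SETS = {
    "Org Default Baseline": ["s3-encryption-at-rest", "s3-block-public-access",
                             "iam-no-wildcard-actions"],
    "CIS for AWS": ["s3-block-public-access", "cloudtrail-enabled",
                    "s3-encryption-at-rest"],
    "Cost Optimization": ["ebs-gp3-volumes"],
}
ATTACHMENTS = {  # workspace -> attached Policy Sets
    "payments-prod": ["Org Default Baseline", "CIS for AWS"],
    "sandbox-dev": ["Cost Optimization"],
}


def effective_policies(workspace, attachments=ATTACHMENTS, policy_sets=POLICY_SETS):
    """Union the policies of every attached set. Each policy appears once,
    mapped to the sets that contributed it (the report's provenance)."""
    merged = {}
    for set_name in attachments.get(workspace, []):
        if set_name not in policy_sets:
            # An attachment pointing at an undefined set would silently drop coverage.
            raise KeyError(f"{workspace}: attached set {set_name!r} is not defined")
        for policy in policy_sets[set_name]:
            sources = merged.setdefault(policy, [])
            if set_name not in sources:
                sources.append(set_name)
    return merged


def baseline_gaps(baseline="Org Default Baseline",
                  attachments=ATTACHMENTS, policy_sets=POLICY_SETS):
    """Return {workspace: missing baseline policies} for every workspace
    whose effective list does not cover the whole baseline set."""
    required = set(policy_sets[baseline])
    gaps = {}
    for ws in attachments:
        missing = required - set(effective_policies(ws, attachments, policy_sets))
        if missing:
            gaps[ws] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for ws in ATTACHMENTS:
        print(ws)
        for policy, sources in effective_policies(ws).items():
            print(f"  {policy}  <- {', '.join(sources)}")
    print("baseline gaps:", baseline_gaps())
```
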

***

### FAQ

<details>

<summary>Can I assign multiple Policy Sets to one workspace?</summary>

Yes. Workspaces support multiple Policy Sets. The effective policy list is the union of all policies in those sets.

</details>

<details>

<summary>What happens if the same policy is in more than one Policy Set?</summary>

It is applied once. Policy Sets are merged and de‑duplicated at scan time.

</details>

<details>

<summary>If I change a Policy Set, do I affect past scans?</summary>

No. Past scan results stay as they were. Future scans use the updated Policy Set definition.

</details>

