# Security Policy

You can think of a security policy as a set of configuration settings stored in a file. Each organization can have one or more groups, and each group has one configuration (security policy) defined.

An example of a security policy is:

<pre class="language-json" data-title=".aquilax-policy.json" data-overflow="wrap" data-line-numbers><code class="lang-json">{
    "<a data-footnote-ref href="#user-content-fn-1">avatar</a>": "https://avatars.githubusercontent.com/u/155273638?s=200&#x26;v=4",
    "<a data-footnote-ref href="#user-content-fn-1">description</a>": "<a data-footnote-ref href="#user-content-fn-2">Example Policy for testing purposes</a>",
    "author": "AquilaX Core engineering Team",
    "testing": false,
    "<a data-footnote-ref href="#user-content-fn-3">notify_on_failure</a>": true,
    "jira_project_key": "SCRUM",
    "raise_tickets": true,
    "ticket_body": "Was found this {{vuln}} on this file {{file}}",
    "ticket_integration": "GitHub, GitLab, Jira",
    "ticket_title": "AquilaX - {{vuln}}",
    "<a data-footnote-ref href="#user-content-fn-4">tags</a>": [
        "all-scanners",
        "special-project"
    ],
    "<a data-footnote-ref href="#user-content-fn-5">frequency</a>": "<a data-footnote-ref href="#user-content-fn-6">weekly</a>",
    "<a data-footnote-ref href="#user-content-fn-7">ignore</a>":[
        "test/*",
        "node_modules/*",
        "tests/*"
    ],
    "scanners": [
        {
            "enforced": true,
            "compliance": true
        },
        {
            "<a data-footnote-ref href="#user-content-fn-8">enforced</a>": true,
            "secret": true
        },
        {
            "enforced": true,
            "pii": true
        },
        {
            "enforced": false,
            "sast": true
        },
        {
            "enforced": false,
            "sca": true,
            "licenses": {
                "mixed_licenses": true,
                "prohibited": [
                    "GPL*",
                    "BSD"
                ]
            }
        },
        {
            "enforced": false,
            "container": true
        },
        {
            "enforced": true,
            "iac": true
        },
        {
            "enforced": true,
            "api": true
        },
        {
            "enforced": true,
            "malware": true
        }
    ],
    "<a data-footnote-ref href="#user-content-fn-9">repos</a>": [
        "https://github.com/aquilax-ai"
    ]
}
</code></pre>

For more information on how to use ticketing, see <https://docs.aquilax.ai/user-manual/devtools/vulnerability-tickets>
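
A pre-commit check for a policy file like the one above, added here as an illustration and not AquilaX's own code: it rejects malformed JSON, validates `frequency` against the documented values, lists scanners that are not `enforced`, and shows which paths the `ignore` list hides from scanning. The function names, the one-scanner-key-per-entry rule and shell-style glob matching for `ignore` are assumptions inferred from the example policy.

```python
import fnmatch
import json

# Values from the page's footnotes; "once" is the stated default.
FREQUENCIES = ("once", "daily", "weekly", "monthly")
NON_SCANNER_KEYS = {"enforced", "licenses"}  # assumption: any other key names a scanner

def audit_policy(text):
    """Return (problems, overridable) for a policy given as JSON text."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"], []
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"], []
    problems, overridable = [], []
    freq = policy.get("frequency", "once")
    if freq not in FREQUENCIES:
        problems.append(f"unknown frequency {freq!r}")
    for i, entry in enumerate(policy.get("scanners", [])):
        entry = entry if isinstance(entry, dict) else {}
        names = [k for k, v in entry.items() if k not in NON_SCANNER_KEYS and v is True]
        if len(names) != 1:
            problems.append(f"scanners[{i}]: expected one scanner key, found {names}")
        elif entry.get("enforced") is not True:
            # Not enforced: a lower-level group or project may override it.
            overridable.append(names[0])
    return problems, overridable

def excluded_paths(policy, paths):
    """Paths hidden from scanners by "ignore" (assumes shell-style globs)."""
    patterns = policy.get("ignore", [])
    return [p for p in paths if any(fnmatch.fnmatchcase(p, pat) for pat in patterns)]

# Constructed sample, trimmed from the policy shown on this page.
SAMPLE = """{
  "frequency": "weekly",
  "ignore": ["test/*", "node_modules/*", "tests/*"],
  "scanners": [
    {"enforced": true, "secret": true},
    {"enforced": false, "sast": true},
    {"enforced": false, "sca": true,
     "licenses": {"mixed_licenses": true, "prohibited": ["GPL*", "BSD"]}},
    {"enforced": true, "iac": true}
  ]
}"""

if __name__ == "__main__":
    print(audit_policy(SAMPLE))
    print(excluded_paths(json.loads(SAMPLE), ["src/app.py", "tests/test_auth.py"]))
```

Reviewing the overridable list and the excluded paths before a policy change is merged shows where scanning coverage can silently shrink.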

[^1]: Used for reporting (optional)

[^2]: Optional

[^3]: Notify if something goes wrong

[^4]: Simple tag system for reporting and categorization

[^5]: How often you want the repos in this group to be scanned (default: once)

[^6]: \["daily", "weekly", "monthly"]

[^7]: This is a list of files and folders to be ignored by the scanners

[^8]: If present and true, lower-level groups or projects must accept this action and cannot override the decision.

[^9]: A list of groups or repos to be scanned

