# Custom Security Policy

This release introduces scan-level custom security policies, allowing users to override group-level security configurations on a per-scan basis.

## Key Features

### 1. Custom Security Policy Per Scan

- Define custom security policies when starting a new scan
- Override group-level policies for specific scanning requirements
- Policy automatically preserved during rescans

### 2. Intelligent Policy Management

- Workers prioritize custom policies over group defaults
- All policies (custom and group) are normalized based on the organization's plan
- Automatic policy inheritance for project rescans

### 3. Dual Editing Modes

- Form Mode: user-friendly interface for common configurations
- JSON Mode: advanced editing with syntax validation
## Changes Summary

### Backend Changes

#### 1. Scan Creation Endpoint (`POST /api/v2/scan`)

File: `app/handlers/scan.go`

Added:

- `custom_security_policy` parameter to the `RequestPayloadScan` struct
- Accepts a dynamic JSON object (`map[string]interface{}`)
- Conditionally stored in the database only when provided

Request Schema:
#### 2. Pending Scans API (`GET /api/v2/admin/scans/pending`)

File: `app/handlers/scan_handler.go`

Enhanced:

- `CheckPendingScans` function with conditional logic
- If the scan has a `custom_security_policy` → use it as `security_policy`
- If the scan lacks a custom policy → use the group policy
- Both policies are normalized based on the organization's plan

Behavior:

| Scenario | Policy source | Result |
| --- | --- | --- |
| Custom policy exists | `custom_security_policy` | Applied |
| No custom policy | Group's `security_policy` | Applied |

> **Important**
>
> Plan-Based Scanner Enforcement: All security policies (custom and group) are now normalized based on the organization's subscription plan. This ensures that even custom policies respect plan tier restrictions:
>
> - FREE: only the `compliance`, `secret` and `pii` scanners
> - PREMIUM: adds `sast`, `sca`, `container`, `iac` and `api`
> - ULTIMATE: all scanners, including `malware`, `vibe` and `securitron`
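The precedence rule (custom policy over group policy) and the plan-based normalization described above, as an added Go example that is not the project's own `CheckPendingScans` code. The `scanners` key holding a JSON array of strings is an assumed policy shape, since the release notes do not show the real schema; the tier names and scanner names are the ones listed above.

```go
package main

// Scanners each tier unlocks; tiers are cumulative (names from the release notes).
var tierOrder = []string{"FREE", "PREMIUM", "ULTIMATE"}
var tierScanners = map[string][]string{
	"FREE":     {"compliance", "secret", "pii"},
	"PREMIUM":  {"sast", "sca", "container", "iac", "api"},
	"ULTIMATE": {"malware", "vibe", "securitron"},
}

// allowedScanners returns the scanner set a plan may enable. An unknown plan
// string maps to rank 0 (FREE), so a bad value can never widen access.
func allowedScanners(plan string) map[string]bool {
	rank := map[string]int{"PREMIUM": 1, "ULTIMATE": 2}[plan]
	allowed := map[string]bool{}
	for _, t := range tierOrder[:rank+1] {
		for _, s := range tierScanners[t] {
			allowed[s] = true
		}
	}
	return allowed
}

// NormalizePolicy copies a decoded policy and drops scanners outside the plan.
// A "scanners" key holding a JSON array of strings is an assumed schema.
func NormalizePolicy(policy map[string]interface{}, plan string) map[string]interface{} {
	out := make(map[string]interface{}, len(policy))
	for k, v := range policy {
		out[k] = v
	}
	allowed := allowedScanners(plan)
	kept := []string{}
	if raw, ok := policy["scanners"].([]interface{}); ok {
		for _, item := range raw {
			if name, ok := item.(string); ok && allowed[name] {
				kept = append(kept, name)
			}
		}
	}
	out["scanners"] = kept
	return out
}

// ResolvePolicy applies the pending-scans precedence: custom beats group, and
// whichever is chosen is normalized against the organization plan.
func ResolvePolicy(custom, group map[string]interface{}, plan string) map[string]interface{} {
	if custom != nil {
		return NormalizePolicy(custom, plan)
	}
	return NormalizePolicy(group, plan)
}
```

Normalizing after the choice, rather than only validating the group policy, is what stops a custom policy from enabling a scanner the organization's plan does not include.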
#### 3. Project Scans Endpoint (`GET /api/v2/project/:project_id`)

File: `app/datastores/projects.go`

Added:

- `custom_security_policy` to the response projection
- Returns the custom policy in scan listings when available

Response Schema:
### Frontend Changes

#### 1. New Component: Scan Security Policy Modal

File: `scan-security-policy-modal.tsx`

- Dedicated modal for customizing scan-level security policies
- Toggle between Form and JSON editing modes
- Real-time validation and syntax checking
- Apply/Reset functionality

Features:

- Form editor for common configurations
- Advanced JSON editor with syntax highlighting
- Validation feedback
- Reset to group defaults

#### 2. Enhanced: New Scan Modal

File: `new-scan-modal.tsx`

Additions:

- "Custom Security Policy" button (bottom left)
- Auto-fetch group security policy on modal open
- Visual badge: "Custom Policy Applied" when customized
- Passes `custom_security_policy` to the API payload

User Flow:

1. User clicks "Start Scan"
2. Optionally clicks "Custom Security Policy"
3. Customizes policy → Apply
4. Starts scan with custom configuration

#### 3. Enhanced: Projects Component

File: `projects-component.tsx`

Modified Function: `handleRescan()`

Enhancements:

- Fetches the project's last scan via `ApiClient.getProject()`
- Extracts `custom_security_policy` from the last scan (if present)
- Automatically passes it to the rescan API

Rescan Behavior:
## User Workflows

### Workflow 1: Create Scan with Custom Policy

1. Navigate to group → Click "Start Scan"
2. Fill in required fields (Git URI, endpoint, branch)
3. Click "Custom Security Policy" button
4. Customize scanners, thresholds, or other settings
5. Click "Apply" → Badge shows "Custom Policy Applied"
6. Start scan

Result: Scan runs with the custom policy, overriding group defaults.

### Workflow 2: Rescan with Preserved Policy

1. Navigate to a project with a previous custom-policy scan
2. Click "Rescan"
3. System automatically fetches and applies the last scan's custom policy

Result: Rescan maintains the original custom configuration.

### Workflow 3: Edit Custom Policy (JSON Mode)

1. Click "Custom Security Policy" → Toggle to "JSON" tab
2. Edit raw JSON configuration
3. Validate syntax in real-time
4. Apply changes

Result: Advanced users can define complex custom policies.
## API Integration

Request Format

Response

## Technical Details

Database Schema

Custom policies are stored in the scans collection:

Worker Integration

Workers receive enriched scan documents from `/api/v2/admin/scans/pending`:

## Benefits

- **Flexibility**: different policies for different projects/scenarios
- **Consistency**: rescans preserve original configurations
- **Control**: fine-grained security policy management
- **Efficiency**: no need to modify group policies temporarily
- **Transparency**: custom policies visible in scan metadata
- **Security**: plan-based enforcement ensures compliance with subscription tiers
## Migration Notes

- Backward Compatible: existing scans without custom policies continue using group policies
- No Breaking Changes: all existing API contracts are maintained
- Optional Feature: custom policies are opt-in; default behavior is unchanged
## Files Modified

Backend

- `app/handlers/scan.go` - Scan creation with custom policy support
- `app/handlers/scan_handler.go` - Pending scans with policy prioritization
- `app/datastores/projects.go` - Project scans with custom policy in response

Frontend

- `scan-security-policy-modal.tsx` - New custom policy editor modal
- `new-scan-modal.tsx` - Custom policy integration for new scans
- `projects-component.tsx` - Rescan with preserved custom policies
## Future Enhancements

- Policy templates library
- Policy versioning and history
- Audit logging for policy changes
- Policy validation rules engine

Release Date: 2026-02-09
Status: Production Ready