Default Thresholds
| Policy | Default Value | Description |
|---|---|---|
| Minimum Scorecard | 5.0 | Packages with an OpenSSF Scorecard below this score are blocked |
| Review Scorecard | 8.0 | Packages scoring between min and this value are flagged for review |
| Max Known Vulnerabilities | 5 | Block packages with more than this many known CVEs |
| Block on Critical Vulnerability | Enabled | Immediately block packages with critical-severity CVEs |
| Require Provenance | Disabled | Require SLSA provenance for packages |
| Allow Provenance Fallback | Enabled | Allow installation if provenance can’t be verified |
| Review New Packages | 30 days | Flag packages published less than 30 days ago |
Adjusting Thresholds
Navigate to the policy configuration in the dashboard to modify these values.

Example: Stricter thresholds for a security-conscious team:

| Policy | Value |
|---|---|
| Minimum Scorecard | 7.0 |
| Review Scorecard | 9.0 |
| Max Known Vulnerabilities | 0 |
| Block on Critical Vulnerability | Enabled |
| Review New Packages | 90 days |

| Policy | Value |
|---|---|
| Minimum Scorecard | 3.0 |
| Review Scorecard | 6.0 |
| Max Known Vulnerabilities | 10 |
| Review New Packages | 7 days |
Ecosystem-Specific Policies
You can set different thresholds per package ecosystem:

- npm — Node.js packages
- pip — Python packages
- go — Go modules
- cargo — Rust crates
License Policies
Control which open-source licenses are acceptable:

- Allowed licenses — Explicitly permit specific licenses (e.g., MIT, Apache-2.0, BSD)
- Blocked licenses — Block packages with specific licenses (e.g., AGPL, SSPL)
How Evaluation Works
When a package install is requested:

Vulnerability scan
Known CVEs are checked against your maximum vulnerability count and critical vulnerability policy.
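As an added example (not the product's own code), the following Python evaluates a package record against the policies in the Default Thresholds table, assuming the checks run in the order written here and that a block verdict outranks review. The `Package` fields, the severity labels, and the `allow`/`review`/`block` verdict names are assumptions for illustration, not the product's schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Policy:
    # Defaults are the values from the Default Thresholds table.
    min_scorecard: float = 5.0
    review_scorecard: float = 8.0
    max_known_vulns: int = 5
    block_on_critical: bool = True
    require_provenance: bool = False
    allow_provenance_fallback: bool = True
    review_new_days: int = 30

@dataclass
class Package:
    # Constructed package record; field names are assumptions, not the product's schema.
    name: str
    scorecard: float
    cve_severities: List[str]            # one entry per known CVE, e.g. ["HIGH", "CRITICAL"]
    provenance_verified: Optional[bool]  # None means verification was not possible
    published: date

def evaluate(pkg: Package, policy: Policy, today: date) -> Tuple[str, List[str]]:
    # Returns ("block" | "review" | "allow", reasons); any block finding outranks review.
    findings = []  # (level, reason)
    # Vulnerability scan: critical-severity CVEs and total CVE count.
    if policy.block_on_critical and "CRITICAL" in pkg.cve_severities:
        findings.append(("block", "critical-severity CVE present"))
    if len(pkg.cve_severities) > policy.max_known_vulns:
        findings.append(("block", f"{len(pkg.cve_severities)} known CVEs > {policy.max_known_vulns}"))
    # Scorecard bands: below the minimum blocks, between minimum and review threshold flags.
    if pkg.scorecard < policy.min_scorecard:
        findings.append(("block", f"scorecard {pkg.scorecard} < minimum {policy.min_scorecard}"))
    elif pkg.scorecard < policy.review_scorecard:
        findings.append(("review", f"scorecard {pkg.scorecard} < review threshold {policy.review_scorecard}"))
    # Provenance: required unless fallback is allowed and verification was impossible (None).
    if policy.require_provenance and not pkg.provenance_verified:
        if not (pkg.provenance_verified is None and policy.allow_provenance_fallback):
            findings.append(("block", "SLSA provenance required but not verified"))
    # New-package window: anything younger than the review window is flagged.
    if today - pkg.published < timedelta(days=policy.review_new_days):
        findings.append(("review", f"published less than {policy.review_new_days} days ago"))
    verdict = "allow"
    if any(level == "block" for level, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    return verdict, [reason for _, reason in findings]
```

Run `evaluate(pkg, Policy(), date.today())` with the defaults, or pass a `Policy(max_known_vulns=0, min_scorecard=7.0)` to see how the stricter table above changes the verdict for the same package.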