Policy Reference

Policies let you define security and compliance baselines for your .NET projects. Create a .rorix.yml file in your repository root to configure rules that are enforced during scans.

Example Configuration

# .rorix.yml
policy:
  maxSeverity: high
  maxVulnerabilities: 0
  blockedLicenses:
    - GPL-2.0
    - GPL-3.0
    - AGPL-3.0
  failOnTyposquat: true
  failOnOutdatedMajor: true
  minSecurityScore: 70

Rules

| Rule | Type | Default | Description |
| --- | --- | --- | --- |
| maxSeverity | string | — | Maximum allowed vulnerability severity. Options: low, medium, high, critical. Any vulnerability above this level causes a failure. |
| maxVulnerabilities | number | — | Maximum number of vulnerabilities allowed before failing. Set to 0 for zero-tolerance. |
| blockedLicenses | string[] | — | List of SPDX license identifiers that are not permitted. Packages with these licenses cause a failure. |
| failOnTyposquat | boolean | false | Fail if any dependency is flagged as a potential typosquat — a package with a name suspiciously similar to a popular package. |
| failOnOutdatedMajor | boolean | false | Fail if any dependency is more than one major version behind the latest release. |
| minSecurityScore | number | — | Minimum security score (0-100) required for the project to pass. |

Using Policies in CI

With the CLI

rorix scan --policy .rorix.yml --exit-code

In GitHub Actions

- name: Rorix Policy Check
  uses: rorix-security/rorix-action@v1
  with:
    api-key: ${{ secrets.RORIX_API_KEY }}
    command: scan
    policy-file: .rorix.yml

In Azure DevOps

- script: |
    dotnet tool install -g Rorix.Cli
    rorix login $(RORIX_API_KEY)
    rorix scan --policy .rorix.yml --exit-code
  displayName: 'Rorix Policy Check'

Severity Levels

Severity levels are ordered from lowest to highest:

  1. low — informational findings with minimal risk
  2. medium — moderate risk, should be addressed in a reasonable timeframe
  3. high — significant risk, should be prioritized for remediation
  4. critical — severe risk, requires immediate attention

When maxSeverity is set to high, any critical vulnerability will fail the policy check. Vulnerabilities at high or below are allowed.
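To make the rule semantics from the table and the severity ordering above concrete, here is an added reference evaluator (example code, not part of Rorix or its CLI). POLICY is the example .rorix.yml in parsed form; SCAN, its package names, licenses and findings are constructed sample data, and the `evaluate`/`exit_code` functions are hypothetical helpers.

```python
# Added example, not Rorix code: applies the policy rules on this page to a
# constructed scan result. POLICY mirrors the example .rorix.yml; SCAN is made up.

# Ordering from the "Severity Levels" section: low < medium < high < critical.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

POLICY = {
    "maxSeverity": "high", "maxVulnerabilities": 0,
    "blockedLicenses": ["GPL-2.0", "GPL-3.0", "AGPL-3.0"],
    "failOnTyposquat": True, "failOnOutdatedMajor": True, "minSecurityScore": 70,
}

SCAN = {  # constructed sample: fields chosen to exercise every rule above
    "securityScore": 64,
    "packages": [
        {"name": "Acme.Logging", "license": "MIT", "typosquat": False,
         "majorsBehind": 1, "vulnerabilities": ["high"]},
        {"name": "Acme.Loggging", "license": "GPL-3.0", "typosquat": True,
         "majorsBehind": 2, "vulnerabilities": ["critical"]},
    ],
}

def evaluate(policy, scan):
    """Return the list of violations; an empty list means the policy check passes."""
    violations = []
    vulns = [(p["name"], s) for p in scan["packages"] for s in p["vulnerabilities"]]
    limit = policy.get("maxSeverity")
    if limit is not None:
        # maxSeverity is the highest *allowed* level: only findings above it fail.
        violations += [f"{n}: {s} exceeds maxSeverity={limit}"
                       for n, s in vulns if SEVERITY_ORDER[s] > SEVERITY_ORDER[limit]]
    max_count = policy.get("maxVulnerabilities")
    if max_count is not None and len(vulns) > max_count:
        violations.append(f"{len(vulns)} vulnerabilities exceed maxVulnerabilities={max_count}")
    blocked = set(policy.get("blockedLicenses", []))
    for p in scan["packages"]:
        if p["license"] in blocked:
            violations.append(f"{p['name']}: blocked license {p['license']}")
        if policy.get("failOnTyposquat") and p["typosquat"]:
            violations.append(f"{p['name']}: potential typosquat")
        if policy.get("failOnOutdatedMajor") and p["majorsBehind"] > 1:  # "more than one"
            violations.append(f"{p['name']}: {p['majorsBehind']} major versions behind")
    min_score = policy.get("minSecurityScore")
    if min_score is not None and scan["securityScore"] < min_score:
        violations.append(f"score {scan['securityScore']} below minSecurityScore={min_score}")
    return violations

def exit_code(policy, scan):
    """Mirror `rorix scan --exit-code`: non-zero when any rule is violated."""
    return 1 if evaluate(policy, scan) else 0
```

Running `evaluate(POLICY, SCAN)` on the sample data reports six violations: the critical finding, the non-zero vulnerability count, the blocked license, the typosquat flag, the outdated major version, and the low score; the lone high finding on Acme.Logging is allowed by maxSeverity: high.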