Security

Policy enforcement, capability audit, and security events

Security Posture: Strong (6 layers enforced)
Active Policies: 7 (all enforced via Cedar)
Sandbox Mode: Enforced (deny-by-default)
Signature Verification: Enabled (required before loading)

Cedar Policies

| Policy             | Scope              | Status | Last Evaluated | Decisions | Denials |
|--------------------|--------------------|--------|----------------|-----------|---------|
| branch-protection  | Pipeline gates     | active | 2 min ago      | 342       | 12      |
| require-scan       | Deployment gates   | active | 5 min ago      | 189       | 3       |
| restrict-network   | Extension sandbox  | active | 12 min ago     | 1,847     | 28      |
| enforce-signatures | Extension loading  | active | 1 hour ago     | 56        | 0       |
| memory-limits      | Resource control   | active | 3 hours ago    | 4,210     | 7       |
| no-root-exec       | Container sandbox  | active | 5 hours ago    | 890       | 2       |
| audit-logging      | Compliance         | active | 12 hours ago   | 12,400    | 0       |

Extension Capability Audit

| Extension         | Filesystem      | Network Allowlist      | Env Vars          | Memory  | CPU Fuel |
|-------------------|-----------------|------------------------|-------------------|---------|----------|
| source/git        | /workspace (R)  | github.com, gitlab.com | None              | 256 MiB | 1B       |
| build/container   | /workspace (RW) | docker.io, ghcr.io     | None              | 512 MiB | 2B       |
| scan/trivy        | /workspace (R)  | trivy-db.github.io     | None              | 256 MiB | 1B       |
| deploy/kubernetes | /workspace (R)  | k8s-api.internal       | KUBECONFIG        | 256 MiB | 1B       |
| notify/slack      | None            | hooks.slack.com        | SLACK_WEBHOOK_URL | 128 MiB | 500M     |

Recent Security Events

| Event                                                                    | Source   | Time        |
|--------------------------------------------------------------------------|----------|-------------|
| Extension source/git capabilities verified                               | sandbox  | 2 min ago   |
| Policy branch-protection evaluated: ALLOW                                | cedar    | 2 min ago   |
| Sandbox limit enforced: build/container memory at 87% (445/512 MiB)      | sandbox  | 15 min ago  |
| Extension scan/trivy signature verified (cosign)                         | sigstore | 22 min ago  |
| Policy require-scan evaluated: ALLOW                                     | cedar    | 45 min ago  |
| Network request blocked: build/container → unknown-host.com              | sandbox  | 1 hour ago  |
| Path traversal attempt blocked: /../../../etc/passwd                     | sandbox  | 3 hours ago |
| Extension deploy/kubernetes capabilities verified                        | sandbox  | 5 hours ago |