# Policy

> A SafeDep policy is a set of CEL rules that decide which dependencies pass or fail, enforced during scans and in CI/CD.

A policy turns your supply-chain rules into configuration that Vet evaluates automatically. Instead of reviewing dependencies by hand, you write the rules once and Vet applies them to every package, including transitive ones.

## Why it matters

Manual vetting does not scale and misses transitive dependencies. A policy makes a rule like "block known malware", "no GPL licenses", or "no unmaintained packages" an automated, repeatable check that runs the same way locally and in CI/CD.

## How it works

A policy is a set of [CEL](/concepts/cel) rules, written as a filter suite in a YAML file. Vet evaluates each package against the rules, and you decide what a match does:

* During a local scan, Vet can exit non-zero when a package matches a blocking rule.
* In CI/CD with [vet-action](https://github.com/safedep/vet-action), the policy file is passed via the `policy` input (conventionally `.github/vet/policy.yml`), and `paranoid: true` fails the build on a violation.

See [Policy as Code](/reference/policy-as-code) for the full syntax and examples.
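As an illustration added to this page (not taken from the SafeDep docs or the vet repository), here is a small policy file that encodes two of the rules named above, "no GPL licenses" and "no unmaintained packages", plus a critical-vulnerability rule, followed by the CI step that enforces it. Rule names and thresholds are chosen for illustration; the filter-suite layout, the `licenses`, `scorecard` and `vulns` CEL fields, and the `--filter-suite`/`--filter-fail` flags follow vet's filter-suite format as documented in the Policy as Code reference, so confirm them there for your installed version.

```yaml
# .github/vet/policy.yml  (illustrative policy, not an official sample)
name: Baseline supply-chain policy
description: |
  Packages matching any filter below are treated as violations.
  Vet evaluates every filter against every package, including
  transitive dependencies.
tags:
  - baseline
filters:
  # Rule 1: block copyleft licenses. `licenses` is the list of SPDX
  # identifiers vet resolved for the package; startsWith is standard CEL.
  - name: no-gpl-licenses
    value: |
      licenses.exists(p, p.startsWith("GPL") || p.startsWith("AGPL"))

  # Rule 2: block unmaintained packages. OpenSSF Scorecard's Maintained
  # check scores 0..10; the threshold of 3 is a constructed example value.
  - name: unmaintained-package
    value: |
      scorecard.scores.Maintained < 3

  # Rule 3: block packages with any known critical vulnerability.
  - name: critical-vulnerabilities
    value: |
      vulns.critical.exists(p, true)

---
# .github/workflows/vet.yml  (the job step that enforces the policy)
# Locally the same policy runs as:
#   vet scan -D . --filter-suite .github/vet/policy.yml --filter-fail
# which exits non-zero when any filter matches a package.
steps:
  - uses: actions/checkout@v4
  - uses: safedep/vet-action@v1
    with:
      policy: .github/vet/policy.yml   # the filter suite above
      paranoid: true                   # fail the build on any violation
```

Because every filter is a boolean CEL expression, a rule that should only warn rather than block can be kept in a second suite run without `--filter-fail`, so blocking and advisory rules stay separate.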

## Related

<CardGroup cols={2}>
  <Card title="Policy as Code" icon="file-code" href="/reference/policy-as-code">
    Write and structure policy files.
  </Card>

  <Card title="CEL" icon="code" href="/concepts/cel">
    The expression syntax policies are built from.
  </Card>

  <Card title="Malicious Package" icon="shield-virus" href="/concepts/malicious-package">
    The intelligence policies act on.
  </Card>

  <Card title="JFrog Xray Blocking" icon="shield-halved" href="/package-security/jfrog-xray">
    Enforce package blocking in JFrog Xray.
  </Card>
</CardGroup>
